
"#$% &'#()*+,

A BR0ABBANB INTERNET TECBNICAL ABvIS0RY uR00P


TECBNICAL W0RKINu uR00P REP0RT







A Uniform Agreement Report










Issued: August 2013

Copyright / Legal Notice
Copyright Broadband Internet Technical Advisory Group, Inc. 2013. All rights reserved.
This document may be reproduced and distributed to others so long as such reproduction or distribution complies with Broadband Internet Technical Advisory Group, Inc.'s Intellectual Property Rights Policy, available at www.bitag.org, and any such reproduction contains the above copyright notice and the other notices contained in this section. This document may not be modified in any way without the express written consent of the Broadband Internet Technical Advisory Group, Inc.
This document and the information contained herein is provided on an "AS IS" basis and BITAG AND THE CONTRIBUTORS TO THIS REPORT MAKE NO (AND HEREBY EXPRESSLY DISCLAIM ANY) WARRANTIES (EXPRESS, IMPLIED OR OTHERWISE), INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, FITNESS FOR A PARTICULAR PURPOSE, OR TITLE, RELATED TO THIS REPORT, AND THE ENTIRE RISK OF RELYING UPON THIS REPORT OR IMPLEMENTING OR USING THE TECHNOLOGY DESCRIBED IN THIS REPORT IS ASSUMED BY THE USER OR IMPLEMENTER.
The information contained in this Report was made available from contributions from various sources, including members of Broadband Internet Technical Advisory Group, Inc.'s Technical Working Group and others. Broadband Internet Technical Advisory Group, Inc. takes no position regarding the validity or scope of any intellectual property rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this Report or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights.

Executive Summary
The term "port blocking" refers to the practice of an Internet Service Provider (ISP) identifying Internet traffic by the combination of port number and transport protocol, and blocking it entirely. Port blocking thus affects the traffic associated with a particular combination of port number and transport protocol on that ISP, regardless of source or destination IP address. The practice can potentially prevent the use of particular applications altogether by blocking the ports those applications use. Port blocks can be deployed in a range of network locations, from where the ISP connects with other networks to datacenters and customer locations.
The Internet was built around the premise of an open and shared environment. Additionally, Internet standards assume all hosts on the global Internet can connect directly to each other, on any specified port number. The practical reality is that blocking of Internet port numbers, either in the short or long term, is a technique that has been used by both wireline and wireless network providers for various reasons for over a decade.

One of the original and enduring motivations for blocking ports is to prevent network attacks and abuse associated with particular application protocols. Some network and security administrators view port blocking as a critical tool for securing systems and information, and see it as part of the ISP's mission to manage the security risk to its users from theft and destruction of personal information, business records, and other critical electronic forms of information. TCP port 25, used for sending email, is an example of a port that is blocked by some operators to prevent network abuse - such as spam email.

Port blocking has also been used to enforce ISPs' terms of service. Likewise, port blocking was once viewed as a useful tool for managing capacity and bandwidth-intensive applications such as peer-to-peer file-sharing applications on enterprise and university networks. However, increased network capacity and a variety of developments in the application space have caused most residential ISPs to seek other ways of managing capacity. Finally, though rare, port blocking has at times been used to hinder competing applications, such as voice over IP (VoIP).

Port blocking is among a set of tools and tactics (Network Address Translation (NAT) being the other major example) that can compromise the original intent of ports: to provide reliable local addresses so that end systems can manage multiple communications at once.

Port blocking can complicate application design and development and create uncertainty about whether applications will function properly when they are deployed. Port blocking can also cause applications to not function properly or "break" by preventing applications from using the ports they were designed to use. One of the outcomes of port blocking is an increase in the use of "port overloading." Port overloading is a tactic whereby application developers will design applications to use a common port, in order to minimize the chance of a port blocking practice impacting the usability of that application.

Importantly, it may not be obvious to Internet users why an application affected by port blocking is not working properly, because the application may simply be unable to connect or fail silently. If error messages are provided, they may not contain specific details as to the cause of the problem. Users may seek assistance from the ISP's customer service, online documentation, or other knowledgeable sources if they cannot diagnose the problem themselves. The fact that the problem could alternatively be caused by home networking equipment or a software-based port block complicates the process of diagnosis.

Users' ability to respond to port blocking depends on their technical sophistication and the extent to which workarounds are available. Overcoming port blocking may require the user to install a software update, change a configuration setting, request an opt-out from the ISP, or to upgrade their level of service (for example from residential to business). If these options are not available, or if users or customers lack the knowledge or willingness to pursue them, users may be prevented from using the blocked application altogether, or they may have to switch to a different application or a different network (from wireless to wireline, for example).

Because port blocking can affect how particular Internet applications function, its use has the potential to be anti-competitive, discriminatory, otherwise motivated by non-technical factors, or construed as such. As a result, the Broadband Internet Technical Advisory Group (BITAG) has a number of suggested practices when it comes to port blocking:

ISPs should avoid port blocking unless they have no reasonable alternatives available for preventing unwanted traffic and protecting users. Further, if port blocking is deemed necessary, it should only be used for the purposes of protecting the implementing ISP's network and users. Port blocking should not be used for ongoing capacity management, to enforce non-security terms of service, or to disadvantage competing applications.

ISPs that can reasonably provide to their users opt-out provisions or exceptions to their port blocking policies should do so. Whether opt-out provisions can be supported may depend on the particulars of the access network technology, the location port blocking is implemented in the network, administrative complexity, cost, and other factors.

ISPs should publicly disclose their port blocking policies. The information should be readily available to both customers and non-customers alike, and should be as informative and concise as possible. For example, port blocking policies could be provided on the ISP's public facing website, on a page dedicated to summarizing or describing the respective ISP's network management practices. For persistent port blocks the information should include: (1) port numbers, (2) transport protocol (e.g., TCP or UDP), (3) the application(s) normally associated with the port(s), (4) the direction of the block - whether inbound or outbound, (5) a brief description of the reason(s) for the block, and (6) if opt-out provisions are available and how to request such.

ISPs should make communications channels available for feedback about port blocking policies. Applications providers and consumers should have communications channels or other clear methods to discuss impacts caused by port blocking and to consider possible mitigations.

ISPs should revisit their port blocking policies on a regular basis and reassess whether the threats that required the port blocking rules continue to be relevant. Some security threats are permanent and some are transitory or short-lived. Items such as spam prevention by blocking TCP port 25 from the customer are expected to last quite some time, while others such as blocks to prevent certain types of malicious software may be temporary.

Port blocking (or firewall) rules of consumers' devices should be user-configurable. It is recommended that the documentation provided with each unit inform the consumer that port blocking or firewall rules have been implemented, which ports are blocked by default, and how consumers can modify those rules.




Table of Contents
1. About the BITAG ........ 1
2. Issue Overview ........ 2
2.1. BITAG Interest in this Issue ........ 2
2.2. What are Ports? ........ 3
2.3. What is Port Blocking? ........ 5
2.4. Network Address Translation (NAT) vs. Port Blocking ........ 6
2.5. IPv6 and Port Blocking ........ 6
3. Motivations for and Implementation of Port Blocking ........ 6
3.1. Mitigating Known Vulnerabilities or Issues ........ 7
3.1.1. Simple Mail Transfer Protocol (SMTP) – TCP/25 ........ 7
3.1.2. Microsoft RPC – TCP/135 and UDP/135 ........ 10
3.1.3. NetBIOS and SMB – TCP/UDP/139 and TCP/445 ........ 10
3.1.4. Simple Network Management Protocol (SNMP) – TCP/UDP 161/162 ........ 11
3.1.5. Network Management Ports ........ 11
3.1.6. Terms of Service Enforcement ........ 11
3.2. Alternatives to Port Blocking ........ 12
3.3. Persistent Versus Temporary Blocking ........ 12
3.4. Considerations for Different Types of Networks and Network Architectures ........ 13
3.5. Where do Port Blocks Occur? ........ 13
3.5.1. Network Interconnection Port Blocks ........ 13
3.5.2. Customer Facing Network Connection Port Blocks ........ 14
3.5.3. Customer Premises Equipment Port Blocks ........ 15
3.6. Opt-Out Options ........ 17
4. Implications and Concerns Relating to Port Blocking ........ 18
4.1. Concerns of Internet Ecosystem Stakeholders ........ 18
4.1.1. Internet Service Providers ........ 18
4.1.2. Applications and Application Providers ........ 19
4.1.3. Consumer or End-User Concerns ........ 20
5. Technical Working Group (TWG) Suggested Practices ........ 21
5.1. ISPs Should Avoid Port Blocking Unless No Reasonable Alternatives Are Available ........ 22
5.2. ISPs Should Provide Opt-Out Provisions ........ 22
5.3. ISPs Should Disclose Port Blocking Policies ........ 22
5.4. ISPs Should Make Communications Channels Available for Feedback ........ 23
5.5. ISPs Should Revisit Their Port Blocking Policies on a Regular Basis ........ 23
5.6. Port Blocking Rules for Consumer Equipment Should Be User Configurable ........ 24
6. References ........ 25
7. Glossary of Terms ........ 27
8. Document Contributors and Reviewers ........ 28
1. About the BITAG

The Broadband Internet Technical Advisory Group (BITAG) is a non-profit, multi-stakeholder organization focused on bringing together engineers and technologists in a Technical Working Group (TWG) to develop consensus on broadband network management practices and other related technical issues that can affect users' Internet experience, including the impact to and from applications, content and devices that utilize the Internet.

The BITAG's mission includes: (a) educating policymakers on such technical issues; (b) addressing specific technical matters in an effort to minimize related policy disputes; and (c) serving as a sounding board for new ideas and network management practices. Specific TWG functions also may include: (i) identifying "best practices" by broadband providers and other entities; (ii) interpreting and applying "safe harbor" practices; (iii) otherwise providing technical guidance to industry and to the public; and/or (iv) issuing advisory opinions on the technical issues germane to the TWG's mission that may underlie disputes concerning broadband network management practices.

BITAG TWG reports focus primarily on technical issues. While the reports may touch on a broad range of questions associated with a particular network management practice, the reports are not intended to address or analyze in a comprehensive fashion the economic, legal, regulatory or public policy issues that the practice may raise.

The BITAG Technical Working Group and its individual Committees make decisions through a consensus process, with the corresponding levels of agreement represented on the cover of each report. Each TWG Representative works towards achieving consensus around recommendations their respective organizations support, although even at the highest level of agreement, BITAG consensus does not require that all TWG member organizations agree with each and every sentence of a document. The Chair of each TWG Committee determines if consensus has been reached. In the case there is disagreement within a Committee as to whether there is consensus, BITAG has a voting process with which various levels of agreement may be more formally achieved and indicated. For more information please see the BITAG Technical Working Group Manual, available on the BITAG website at www.bitag.org.

BITAG welcomes public comment. Please feel free to submit comments in writing via email at comments@bitag.org.

2. Issue Overview

The term "port blocking" refers to the practice of an Internet Service Provider (ISP) identifying Internet traffic by the combination of port number and transport protocol, and blocking it entirely. Port blocking thus affects the traffic associated with a particular combination of port number and transport protocol on an ISP, regardless of source or destination IP address. The practice can potentially prevent the use of particular applications altogether by blocking the ports those applications use. (Internet traffic may, of course, be treated in other ways, for example by redirecting it, rate limiting it, or changing its QoS classification, but such treatments are outside the scope of this report.)

Port blocking has been in use at various times by both wireline and wireless network operators for over a decade. One of the original and enduring motivations for blocking ports is to prevent network attacks and abuse associated with particular application protocols. Port blocking has also been used to enforce ISPs' terms of service - blocking inbound[1] port 80 for users[2] whose residential contracts prohibit them from running web servers, for example. This practice has become less common but is still in use by some operators. Likewise, port blocking was once viewed as a useful tool for managing capacity and bandwidth-intensive applications such as peer-to-peer file-sharing applications on enterprise and university networks. However, increased network capacity and a variety of developments in the application space have caused most residential ISPs to seek other ways of managing capacity. Finally, though rare, port blocking has at times been used by network operators to hinder competing applications, such as VoIP.

2.1. BITAG Interest in this Issue

Internet standards assume all hosts on the global Internet can connect directly to each other, on any specified port number. However, the practical reality is that blocking of Internet port numbers is a technique used by network providers for various reasons, either in the short term while a permanent solution is found or long term when there is no better solution. Some of these reasons relate to network or user security while others relate to business practices. Port blocking has the potential to cause unintended and unanticipated problems for the operation of applications. Its use also has the potential to be anti-competitive, discriminatory, otherwise motivated by non-technical factors, or construed as such.

[1] In this report, whether a port block is considered "inbound" or "outbound" will be in relation to the user. Please note the terms "inbound" or "outbound" are also used in this report to indicate the direction of Internet data traffic, among other things, and when used in such a manner may be in relation to the ISP, user, or application depending on the context.
[2] Throughout this report, the term "user" may be used somewhat interchangeably with the terms "consumer", or "customer". Please note that "customer" also refers specifically to the individual or entity that is in a contractual customer agreement with an Internet service provider (ISP), while "user" can refer to both customers and non-customers alike.

Concern has been raised that port blocking is an area of confusion for users, and a cause of friction for application developers, as there does not seem to be uniformity as to:

Why ports are blocked,
Which ports are blocked,
Where ports are blocked,
Opt-out options,
Disclosure of port blocking policies,
How such policies may affect application providers and consumers alike

BITAG aims to address some of these concerns by documenting how port blocking works, the rationales behind it, its implications for different segments of the Internet ecosystem, and suggested best practices for entities that implement port blocking.

ISPs may take a different approach to port blocking depending on whom they serve. Enterprise-focused ISPs, for instance, usually do not implement port blocking as enterprise customers generally have greater security expertise and rarely create additional risk for the ISP's network. Consumer-focused networks generally implement port blocking more often, as their customers are typically less technically sophisticated and unaware of security threats and vulnerabilities. As a result, this report will focus on consumer networks.

2.2. What are Ports?

In the architecture of the Internet, communication between two systems is identified by five fields: (1) the source IP address, (2) the destination IP address, (3) the transport protocol in use, (4) the source port, and (5) the destination port used by the transport protocol [RFC793]. The pair of IP addresses representing two systems identifies all of the communication sessions between them, whereas the port number pair identifies an individual communication session.

Transport protocols, most often Transmission Control Protocol (TCP) or User Datagram Protocol (UDP), include in their header fields two numbers in the range from 0 to 65535: the "destination port" and the "source port" [RFC6335]. When an application on one device wants to communicate with an application on another device, it directs the local operating system to open a communication channel (usually called a "connection") between itself and the remote end point, and specifies the IP address (either IPv4 or IPv6), transport protocol, and port number that the service will use. Applications that can use either a UDP or TCP transport frequently use the same port number for each, but this is neither required nor assumed. For further reference, throughout the remainder of this report TCP and UDP ports will be denoted with the name of the transport protocol followed by a slash and the port number: TCP/320, for example.

By convention, most server applications "listen" on a dedicated port number. For example, in a web communication, the browser on a client system opens a TCP connection to a web server using port 80 as the destination port and a random port number as its source port. The web server, listening for incoming communication on port 80, will invert the port numbers in its response to the client's request. Thus, the web server response to the client system uses port 80 as the source port and the source port learned from the client's initial request as the destination port. In this way, computers can efficiently manage multiple sessions between peers, or between clients and servers. While many applications use standardized destination ports, others choose ports at random when they are establishing communications.

Figure 1: Communications between users and application servers. The users' computers use randomly assigned ports and connect to well-known ports on the servers: port 25 for SMTP email and port 80 for HTTP web traffic.

Port numbers in the range of 0 through 1023 are referred to as Well Known or System Ports [BCP165]. Over time, there has been a need to extend the number of assignable ports. User Ports in the range of 1024 through 49151 are now available for registration of services and protocols through the Internet Assigned Numbers Authority (IANA) [BCP165]. The remaining ports in the range of 49152 through 65535 are referred to as Dynamic Ports. These ports have been set aside for local or dynamic use and cannot be assigned. Client operating systems may use a port from the Dynamic Port range as the source port when originating a request, such as to a web server. The list of assigned port numbers is available from the IANA by accessing the Port Number Registry [Port Number Registry].
[Figure 1 diagram: User 1 (source ports 14881 and 37277) and User 2 (source ports 19008 and 44555) send a web page request to the Web Server on port 80 and email to be sent to the Email Server on port 25; the web page response and the server confirmation return to the users' source ports.]
The procedure for obtaining a port number or otherwise updating the registry may be found in BCP 165 [BCP165].

It is also possible, and common, to use unassigned port numbers. This happens when an application is in development or is used only in a confined domain, or is "port-agile" in the sense that it is designed to intelligently use any available port number. Port-agile applications may be benign; Skype and other peer-to-peer applications are often port-agile [Skype FAQ]. Traffic created by Distributed Denial of Service (DDoS) attacks and malicious software (known as malware) is also often port-agile or uses a wide range of ports [SANS].

2.3. What is Port Blocking?

As noted in Section 2 above, port blocking is when traffic is identified and blocked on the basis of the combination of transport protocol and port number. Port blocking can be conducted by ISPs, enterprises, or on customer equipment in the home. Because some applications are designed (or were originally designed) to run only over specific ports, a network that blocks those ports prevents those applications from sending traffic unless the applications are redesigned or reconfigured to use different ports.

As an example, the Simple Mail Transfer Protocol (SMTP) was originally designed to use a destination port of TCP/25 [RFC788]. Malware that sends "spam" email frequently does so directly from the infected system to the target, while legitimate email often uses ISP or enterprise email servers as intermediaries. Therefore a common method used to minimize spam is for the access network provider to block traffic from its users that has TCP/25 as its destination port, unless that traffic is directed to one of the ISP's email servers. Users whose email clients are affected by these blocks must reconfigure their clients to use another port.

Port blocking is generally ineffective against port-agile applications or traffic. Applications that use randomized ports or different ports per user or per instance of the application cannot effectively be stopped with port blocking.

Network administrators and home users have a variety of techniques at their disposal for preventing unwanted communications to and from the Internet. For example, traffic coming into an ISP's network might be blocked on the basis of its source IP address (a practice known as Ingress Filtering) to prevent spoofing or to block email sessions that do not traverse the ISP's email servers as a means to prevent spam [RFC2827]. Using a firewall is another technique and provides the ability to block traffic based on different criteria such as source or destination IP address, transport protocol, port numbers, some application-layer criteria, or a combination of these elements. Firewalls come in a variety of types and may be installed on user devices (computers, home routers, etc.) or in the network by enterprises or ISPs. Finally, enterprises or WiFi hotspots may prevent all Internet traffic from coming in or out of their networks unless the traffic flows through an HTTP proxy on the network. The most common reason to adopt these techniques is to prevent network attacks and abuse, although they may be used for other purposes (parental or employee controls or capacity management, for example).
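As an added illustration (not code from the BITAG report), the following Python model applies a rule of the kind just described to flows identified by the five fields of Section 2.2: an outbound TCP/25 block with an exception for the ISP's own mail servers and a per-customer opt-out, with direction judged relative to the user as the report's footnote defines it. Each rule carries the six disclosure items listed in the Executive Summary; all addresses, prefixes and rule values are constructed for the example and are not any real ISP's policy.

```python
"""Model of ISP port-blocking rules applied to Internet flows.

Added example, not BITAG's own code. All addresses and prefixes are
constructed (RFC 5737 documentation ranges); the rule values are
illustrative, not any real ISP's policy.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """The five fields that identify a communication (Section 2.2)."""
    src_ip: str
    dst_ip: str
    protocol: str      # "tcp" or "udp"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class PortBlockRule:
    """One persistent block, carrying the six items a disclosure should list."""
    port: int                      # (1) port number
    protocol: str                  # (2) transport protocol
    application: str               # (3) application normally associated with the port
    direction: str                 # (4) "inbound" or "outbound", relative to the user
    reason: str                    # (5) reason for the block
    opt_out: str                   # (6) whether and how an opt-out can be requested
    allowed_remotes: frozenset = frozenset()   # exceptions, e.g. the ISP's own mail servers
    opted_out: frozenset = frozenset()         # customer addresses granted an opt-out


def flow_direction(flow, customer_prefixes):
    """Direction relative to the user: customer-sourced traffic is outbound."""
    nets = [ip_network(p) for p in customer_prefixes]
    src_cust = any(ip_address(flow.src_ip) in n for n in nets)
    dst_cust = any(ip_address(flow.dst_ip) in n for n in nets)
    if src_cust and not dst_cust:
        return "outbound"
    if dst_cust and not src_cust:
        return "inbound"
    return "other"   # customer-to-customer or transit: not covered by these rules


def evaluate(flow, rules, customer_prefixes):
    """Return ("block", rule) for the first matching rule, else ("allow", None).

    The block is keyed on the destination port in both directions: outbound
    TCP/25 means a customer sending to port 25, inbound TCP/445 means the
    Internet sending to port 445 on a customer host. Reply packets, whose
    destination port is the customer's random source port, are not matched.
    """
    direction = flow_direction(flow, customer_prefixes)
    if direction == "outbound":
        customer, remote = flow.src_ip, flow.dst_ip
    elif direction == "inbound":
        customer, remote = flow.dst_ip, flow.src_ip
    else:
        return ("allow", None)
    for rule in rules:
        if (rule.protocol, rule.direction, rule.port) != (flow.protocol, direction, flow.dst_port):
            continue
        if customer in rule.opted_out:        # exception requested by the customer
            continue
        if remote in rule.allowed_remotes:    # e.g. mail relayed through the ISP's servers
            continue
        return ("block", rule)
    return ("allow", None)


def disclosure(rules):
    """One line per rule, in the form a public policy page could publish."""
    return [
        f"{r.protocol.upper()}/{r.port} {r.direction}: {r.application}; "
        f"reason: {r.reason}; opt-out: {r.opt_out}"
        for r in rules
    ]


# Constructed sample policy (hypothetical values).
CUSTOMER_PREFIXES = ("192.0.2.0/24",)
ISP_MAIL_SERVER = "198.51.100.25"
RULES = (
    PortBlockRule(25, "tcp", "SMTP mail transfer", "outbound",
                  "prevent spam sent directly from infected customer hosts",
                  "available on request via customer service",
                  allowed_remotes=frozenset({ISP_MAIL_SERVER}),
                  opted_out=frozenset({"192.0.2.77"})),
    PortBlockRule(445, "tcp", "SMB file sharing", "inbound",
                  "known vulnerabilities in customer hosts exposed to the Internet",
                  "not available"),
)


def decide(src_ip, dst_ip, protocol, src_port, dst_port):
    """Convenience wrapper returning just "block" or "allow" under RULES."""
    flow = Flow(src_ip, dst_ip, protocol, src_port, dst_port)
    return evaluate(flow, RULES, CUSTOMER_PREFIXES)[0]


if __name__ == "__main__":
    for line in disclosure(RULES):
        print(line)
    # Infected customer host sending straight to a remote mail server: blocked.
    print(decide("192.0.2.10", "203.0.113.10", "tcp", 51000, 25))
    # Same customer relaying through the ISP's mail server: allowed.
    print(decide("192.0.2.10", ISP_MAIL_SERVER, "tcp", 51001, 25))
```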

2.4. Network Address Translation (NAT) vs. Port Blocking

Port blocking is distinct from Network Address Translation (NAT), but both can have similar effects on applications. NAT was originally designed to help network operators cope with the scarcity of IPv4 addresses by allowing multiple end devices to share a single public IP address. NAT has been deployed within home networking equipment for years, and is now being deployed with increasing frequency within ISPs' networks (where it is known as Large-Scale NAT or LSN) during the transition from IPv4 to IPv6 [BITAG Large Scale NAT Report].

NAT, by its nature, blocks all unsolicited inbound communication into the network. This is because, with multiple devices sharing the same public IP address, a NAT device does not know which user to send inbound traffic to unless (1) there has been recent outbound traffic using the same address and port, or (2) the NAT device has been pre-configured with a rule on how to map the combination of an external address and port to a corresponding internal address and port. Thus, when a NAT device receives traffic with any source/destination port combination for unknown mappings, then that traffic will be blocked. From the perspective of an application, this effect can be similar to a port block that blocks traffic on the inbound ports the application is designed to use - the application traffic will not reach the user. If the use of LSN continues to become more prevalent, applications may continue to experience these kinds of blockages, without it being obvious to the application provider (or the user) whether the difficulties are caused by port blocking, LSN, or some other functionality in the network or the home.
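To show the two conditions listed above in code, here is an added example (not from this report or the BITAG LSN report) of a minimal NAT mapping table: inbound packets are delivered only when a recent outbound flow created a mapping or an operator pre-configured one, and everything else is dropped. It assumes address-and-port-dependent filtering (the inbound source must be the remote endpoint the mapping was created for), which is one of several filtering behaviours real NATs implement; the addresses and timeout are constructed.

```python
"""Minimal model of how a NAT device decides which inbound traffic to deliver.

Added example, not code from the BITAG report. Addresses are constructed
(RFC 1918 inside, RFC 5737 documentation ranges outside). The filtering
behaviour modelled is address-and-port-dependent: an inbound packet is
accepted only from the exact remote endpoint the mapping was created for.
Real NATs differ in this (RFC 4787 describes the alternatives).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


class Nat:
    DYNAMIC_START = 49152   # first port of the Dynamic range (Section 2.2)

    def __init__(self, public_ip, mapping_timeout=120.0):
        self.public_ip = public_ip
        self.timeout = mapping_timeout      # seconds of idleness before a mapping expires
        self.next_port = self.DYNAMIC_START
        # (proto, public_port) -> [internal Endpoint, remote Endpoint, last_seen]
        self.dynamic = {}
        # (proto, public_port) -> internal Endpoint, pre-configured by the operator
        self.static = {}

    def add_port_forward(self, proto, public_port, internal):
        """Condition (2): a pre-configured external -> internal mapping."""
        self.static[(proto, public_port)] = internal

    def outbound(self, proto, internal, remote, now):
        """Translate an outbound packet, creating or refreshing its mapping.

        Returns the public Endpoint the remote host will see as the source.
        """
        for key, entry in self.dynamic.items():
            if key[0] == proto and entry[0] == internal and entry[1] == remote:
                entry[2] = now                   # condition (1): recent outbound traffic
                return Endpoint(self.public_ip, key[1])
        port = self._allocate_port(proto)
        self.dynamic[(proto, port)] = [internal, remote, now]
        return Endpoint(self.public_ip, port)

    def inbound(self, proto, remote, public_port, now):
        """Return the internal Endpoint to deliver to, or None if dropped."""
        key = (proto, public_port)
        if key in self.static:
            return self.static[key]
        entry = self.dynamic.get(key)
        if entry is None:
            return None                          # unknown mapping: unsolicited, dropped
        internal, mapped_remote, last_seen = entry
        if now - last_seen > self.timeout:
            del self.dynamic[key]                # mapping expired: treated as unsolicited
            return None
        if remote != mapped_remote:
            return None                          # different remote endpoint: filtered
        entry[2] = now
        return internal

    def _allocate_port(self, proto):
        """Hand out the next unused public port in the dynamic range."""
        while (proto, self.next_port) in self.dynamic or (proto, self.next_port) in self.static:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port


def demo():
    """Walk through the cases the text describes; returns the decisions."""
    nat = Nat("203.0.113.5")
    laptop = Endpoint("10.0.0.2", 51000)
    web = Endpoint("198.51.100.80", 80)
    public = nat.outbound("tcp", laptop, web, now=0.0)           # mapping created
    reply = nat.inbound("tcp", web, public.port, now=1.0)         # delivered to laptop
    stranger = nat.inbound("tcp", Endpoint("198.51.100.9", 80), public.port, now=2.0)
    unsolicited = nat.inbound("tcp", Endpoint("198.51.100.9", 4444), 22, now=2.0)
    nat.add_port_forward("tcp", 8080, Endpoint("10.0.0.5", 80))  # operator rule
    forwarded = nat.inbound("tcp", Endpoint("198.51.100.9", 4444), 8080, now=3.0)
    expired = nat.inbound("tcp", web, public.port, now=500.0)     # idle too long
    return public, reply, stranger, unsolicited, forwarded, expired


if __name__ == "__main__":
    names = ("public", "reply", "stranger", "unsolicited", "forwarded", "expired")
    for name, value in zip(names, demo()):
        print(name, value)
```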

OFTF 4"BV >+7 "#$% &'#()*+,

0peiationally, netwoik opeiatois have not yet seen wiuespieau secuiity thieats oi abuse
in IPv6 netwoiks, anu at this wiiting theie has yet to be significant consumei oi enteipiise
use of IPv6. If neeueu, poit blocking can be implementeu in IPv6 as in IPv4, in which case
the iecommenuations of this iepoit apply.

SF W#%*B>%*#+5 /#$ >+7 403'101+%>%*#+ #/ "#$% &'#()*+,

Poit blocking is a tool commonly useu by ISPs, but the use of that tool can vaiy uiamatically
fiom ISP to ISP. Nany ISPs use poit blocking to piotect theii customeis fiom secuiity
thieats, but some have useu it to block high banuwiuth oi competing applications. Some
netwoiks block the poits of all of theii customeis, some allow opt-out anu some uo not
7
implement poit blocking at all. 0nueistanuing the moie common applications of poit
blocking, the uiffeiences in customei bases, anu how some ISPs implement poit blocking
will help to illustiate why some ISPs see poit blocking as necessaiy anu why to uate theie
has been little unifoimity when it comes to poit blocking policies anu piactices.
SFMF W*%*,>%*+, X+#E+ Y6'+1$>D*'*%*15 #$ 455615
The poits most commonly blockeu on the Inteinet touay aie the iesult of known
vulneiabilities in applications iunning on well-known poits. ISPs ueploy poit blocking
most often as a uefense to known secuiity vulneiabilities, easily exploiteu applications,
oi as a means to uiscouiage the abuse of legacy piotocols when newei stanuaius
emeige. The use of poit blocking in these instances typically involves a ueteimination
by the ISP that the benefit of piotecting useis oi the netwoik fiom these secuiity iisks
outweighs any negative impacts upon useis. Anothei common iationale foi the use of
poit blocking is to block tiaffic unwanteu by the ISP's useis, e.g., in uenial-of-seivice
attacks wheie a usei can be oveiwhelmeu by maliciously geneiateu anu unwanteu
tiaffic.
Netalyzr is a free web-based measurement tool created and managed by the Networking Group at the International Computer Science Institute that performs network testing and analysis [Netalyzr]. Service reachability, one of the tests included in this tool's suite, attempts to ascertain which ports a service provider blocks by attempting to connect on 25 well-known ports. A report published in 2010 based on 130,000 test sessions showed that four well-known ports are blocked by a significant percentage of broadband service providers [Netalyzr2010]. Those ports are as follows:

Service    Port
SMTP       TCP/25
RPC        TCP/135
NetBIOS    TCP/139
SMB        TCP/445

The rationale for blocking each of the ports listed above is described in turn below, along with the rationale for other commonly blocked ports such as: TCP/161 and UDP/161 for Simple Network Management Protocol (SNMP); other network management ports; and finally TCP/80 for Hypertext Transfer Protocol (HTTP).
3.1.1. Simple Mail Transfer Protocol (SMTP) – TCP/25

One of the best-known uses of port blocking by ISPs is for TCP/25. The Simple Mail Transfer Protocol, SMTP, was originally designed to send electronic mail from one system to another using TCP/25 in an untrusted manner using the Internet Protocol. SMTP is used to send messages from a mail client to a mail server, as well as between mail servers. Mail clients use a separate protocol to retrieve messages from mail servers. Most users today do not send their email via TCP/25 since more secure mechanisms have evolved.
However, since the original design of SMTP an increasing amount of spam email has been transmitted using TCP/25, often providing false information about the email address of the email client. In addition, malware is often transmitted using TCP/25. Computer viruses designed specifically to send spam in this manner, as illustrated in Figure 2, represent a significant threat to the functionality of the Internet and to ISP operations as well. Service providers are further incentivized to either block or at least monitor for nefarious activity on TCP/25 as a means to prevent their respective customer IP address spaces from being placed on email blacklists. Blacklisting ISP address space prevents customers in that address range from sending mail to a large percentage of email destinations, as many ISPs prohibit the receipt of email from blacklisted source IP addresses.

Figure 2: Spam across unblocked TCP/25
To combat these security issues, Internet standards for SMTP have evolved. The standards now support communication using alternative ports, including TCP/587, and support using authentication to ensure that the email client identifies itself correctly and is an authorized sender [RFC6409]. The Internet Engineering Task Force (IETF) further recommends that communication from email clients to mail servers transition from TCP/25 to authenticated TCP/587, and that mail servers should similarly authenticate all email, even if received on a different port [RFC5068]. However, Internet standards continue to rely on TCP/25 for forwarding of email between mail servers [RFC6409].
[Figure 2 diagram labels: Mail Server; BOTNET Controller; Spam target; Service Provider Network; Interconnect Router; Edge Router; CPE; Computer for sending Spam, Outbound TCP/25. Step 1: Inbound control or Outbound Bot check in. Step 2: SPAM sent to Mail Servers. Step 3: Mail Servers place SPAM in mail box. Step 4: Users receive SPAM.]
An industry trade group has gone further by recommending that ISPs block outbound TCP/25 from all machines on the ISP's network other than the ISP's own mail servers and block inbound TCP/25 traffic, which can thereby reduce the transmission of spam from infected computers through mail servers outside the ISP's network [M3AAWG Port 25 Recommendation]. It is important to note that the blocking of SMTP on TCP/25 does not prohibit the customer from sending email. Customers are generally instructed how to configure their mail clients to use the viable alternative ports, such as TCP/587 for email submission.

However, the IETF notes that blocking of outbound TCP/25 can be problematic for some users and that there are alternative established practices for controlling abuse of port 25, including the use of proxies and/or rate limits, and thus offers no recommendation concerning the blocking of TCP/25 [RFC5068]. In addition, blocking TCP/25 not only blocks communication between email clients and servers on TCP/25, but may also prohibit the ISP's users from running their own mail servers.
Most Internet service providers implement outbound TCP/25 blocking adjacent to the customer's point of connectivity to the network as illustrated in Figure 3, in order to prevent sending of spam SMTP mail from customer computers, while some service providers only block outbound TCP/25 for those customers suspected of sending spam. Some service providers may also implement inbound TCP/25 blocking to prohibit SMTP traffic directed toward the ISP's users from sources outside the ISP's network. Some service providers that block TCP/25 will remove this block for individual users upon request (by the customer), while others will not.
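The paragraph above notes that some providers block outbound TCP/25 only for customers suspected of sending spam. One defender-side way to raise that suspicion from flow records is SMTP fan-out: a legitimate mail client talks to one or two submission servers, whereas an infected host opens SMTP sessions to many distinct mail exchangers in a short window. The following is an added example written for this page, not code from the report or from BITAG; the CSV flow format, the address plan (203.0.113.0/24 as the ISP's customer space, 203.0.113.250 as its mail server), the ten-minute window and the threshold of ten destinations are all assumptions for illustration.

```python
"""Flag customer IPs whose outbound TCP/25 fan-out looks like a spam bot.

The flow lines, addresses, window and threshold below are constructed for
this example; a real deployment would read exported flow records and tune
the threshold against its own mail submission patterns.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set


@dataclass(frozen=True)
class FlowRecord:
    ts: int       # seconds since epoch
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int    # destination port names the service (here SMTP = 25)


def parse_flow_line(line: str) -> FlowRecord:
    """Parse one 'ts,src,dst,proto,dport' line (a constructed, NetFlow-like CSV)."""
    ts, src, dst, proto, dport = line.strip().split(",")
    return FlowRecord(int(ts), src, dst, proto.lower(), int(dport))


def smtp_fanout(records: Iterable[FlowRecord], window: int,
                exempt: Set[str]) -> Dict[str, int]:
    """For each source, the largest number of distinct TCP/25 destinations it
    reached within any `window`-second span.  Sources in `exempt` (the ISP's
    own mail servers, which legitimately relay to many MXs) are skipped."""
    by_src: Dict[str, List[FlowRecord]] = defaultdict(list)
    for rec in records:
        if rec.proto == "tcp" and rec.dport == 25 and rec.src not in exempt:
            by_src[rec.src].append(rec)

    result: Dict[str, int] = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r.ts)
        best, start = 0, 0
        for end in range(len(recs)):
            # Slide the window start forward until it fits within `window`.
            while recs[end].ts - recs[start].ts > window:
                start += 1
            distinct = len({r.dst for r in recs[start:end + 1]})
            best = max(best, distinct)
        result[src] = best
    return result


def suspected_spam_sources(lines: Iterable[str], window: int = 600,
                           threshold: int = 10,
                           exempt: FrozenSet[str] = frozenset()) -> List[str]:
    """Sources whose SMTP fan-out reaches `threshold` distinct MXs in `window`."""
    fan = smtp_fanout((parse_flow_line(l) for l in lines), window, set(exempt))
    return sorted(src for src, n in fan.items() if n >= threshold)


def constructed_flows() -> List[str]:
    """Constructed sample flow lines: one normal customer, one infected
    customer, and the ISP's own mail server relaying outbound mail."""
    base = 1_700_000_000
    lines = []
    # Normal customer (.20): a few submissions to its provider's servers.
    for i in range(5):
        lines.append(f"{base + 60 * i},203.0.113.20,198.51.100.25,tcp,587")
        lines.append(f"{base + 60 * i},203.0.113.20,198.51.100.26,tcp,25")
    # Infected customer (.21): SMTP to 30 distinct MXs within five minutes.
    for i in range(30):
        lines.append(f"{base + 10 * i},203.0.113.21,192.0.2.{i + 1},tcp,25")
    # ISP mail server (.250): same fan-out, but it is a legitimate relay.
    for i in range(30):
        lines.append(f"{base + 10 * i},203.0.113.250,192.0.2.{i + 1},tcp,25")
    return lines


if __name__ == "__main__":
    flows = constructed_flows()
    print(suspected_spam_sources(flows, exempt=frozenset({"203.0.113.250"})))
```

The exemption list matters: without it the ISP's own relay would be flagged alongside the infected host, which is the same reason the trade-group recommendation above carves the ISP's mail servers out of an outbound TCP/25 block. A targeted block derived from this signal leaves TCP/587 submission untouched, so the flagged customer can still send mail through an authenticated submission server.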



Figure 3: Spam blocked at CPE on TCP/25.
The computer infection is not corrected but rather the negative impact on others is mitigated.
[Figure 3 diagram labels: Mail Server; BOTNET Controller; Spam target; Service Provider Network; Interconnect Router; Edge Router; CPE; Computer for sending Spam, Outbound TCP/25. Step 1: Inbound control or Outbound Bot check in. Step 2: SPAM sent to Mail Servers. Step 3: Port block at CPE prevents SPAM from reaching Mail Servers.]
3.1.2. Microsoft RPC – TCP/135 and UDP/135

Another well-known port that many ISPs block is TCP/135, associated with Microsoft's Remote Procedure Call (MS RPC). MS RPC utilizes TCP/135 and UDP/135 for communication between clients and servers and between clients and other clients. Vulnerabilities in Microsoft's RPC code were exploited by a number of large-scale Internet viruses including the Blaster and Reatle worms. The mechanism was also exploited as a means of delivering spam using popup messages. The impact of the Blaster worm in 2003 was large enough to negatively impact a number of ISP networks. As a result many ISPs implemented TCP/135 and UDP/135 blocking as a defensive measure to prevent their customers from propagating the virus.
3.1.3. NetBIOS and SMB – TCP/UDP139 and TCP/445

Two additional well-known ports that many ISPs block are TCP/139 and TCP/445. NetBIOS and Server Message Block (SMB), two services associated with the Microsoft Operating System, use these ports.

The NetBIOS service was originally developed for the IBM Personal Computer and was later adopted by Microsoft's MS-DOS Operating System and subsequent versions of the Microsoft Windows software. NetBIOS was originally a Local Area Network service and later extended to support TCP/IP for Internet operation [RFC1001] [RFC1002]. NetBIOS includes naming, connection-oriented and connectionless services, and promotes communication among trusted network devices including file sharing, printer sharing, etc. NetBIOS utilizes UDP/137 and UDP/138 as well as TCP/139 for communication. TCP/139 applies specifically to the session connectivity service provided in the NetBIOS protocol suite.

The SMB protocol operating on TCP/445 is typically considered in the same category as NetBIOS based on its use in Microsoft Windows software. The SMB protocol is closely associated with NetBIOS for file and printer sharing among a group of computers running the Microsoft Windows OS. Security vulnerabilities have been found with both SMB and NetBIOS that allow remote users to gain control or execute malware on unprotected computers in home networks. Combined with the fact that these protocols are predominately used for communication among devices within the home network and not for sharing of services over the Internet, many operators have chosen to block communication directed to these ports to protect customer computers from malicious actors external to their network. Some service providers block both inbound and outbound ports in these ranges, while other service providers do not block these ports at all. If these ports are blocked, then a user will find that file and printer sharing will be more difficult to accomplish to or from a remote destination. There are alternative remedies to blocking these ports, most notably through operating system patches and through direct control over these ports by each user on each of their computers; however, many users do not apply security patches in a timely fashion and do not properly configure ports on their computers.
3.1.4. Simple Network Management Protocol (SNMP) – TCP/UDP 161/162

Simple Network Management Protocol (SNMP) has been subject to widespread abuse, particularly for amplification DDoS attacks that take advantage of the relative ease of spoofing the source address of UDP packets, and is blocked by some ISPs. Please refer to a recent BITAG paper for more information on SNMP abuse [BITAG SNMP Report].
3.1.5. Network Management Ports

Another category of ports that are blocked by some ISPs support network management traffic that can be considered harmful or deemed inappropriate when originating from a customer, unless explicitly permitted by the ISP. Protocols that fall into this category include routing protocols or network management protocols originating from the customer's equipment and directed upstream toward the ISP's router. Examples of these protocols include Dynamic Host Configuration Protocol (DHCP) and Routing Information Protocol (RIP). DHCP for IPv4 operates on UDP/67 and UDP/68. DHCP for IPv6 operates on UDP/546 and UDP/547. RIP operates on UDP/520. Some ISPs implement port blocks that are strictly designed to prohibit a customer's misconfigured network device from impersonating an ISP's DHCP server. Similarly, ISPs may implement port blocks to prevent a customer's network device from attempting to use the RIP protocol directed at the ISP. In both the DHCP and RIP use cases, the customer's traffic is directed at the ISP's network equipment and not the Internet. The blocking of these ports is unlikely to have a negative impact on users.
3.1.6. Terms of Service Enforcement

Some ports are blocked to enforce an ISP's terms of service. The most common example of this type of port blocking concerns Hypertext Transfer Protocol (HTTP), an application protocol widely used on the World Wide Web to request and to transmit web pages. HTTP was standardized by the IETF and the World Wide Web Consortium, and is most commonly used over TCP/80 [RFC2616]. Blocking inbound TCP/80 prevents a customer from hosting a web page, but does not prevent the customer from surfing the web.

HTTP can use a number of ports, but TCP/80 is the default port and most commonly used. A user's web browser thus usually transmits requests for web pages to the remote server using a destination port of TCP/80, and receives web pages using other ports.

ISPs that block inbound TCP/80 commonly justify the practice as either a security concern or enforcement of their terms of service. The common security justification is that blocking inbound TCP/80 stops malicious traffic, such as the Code Red worm, that attempts to infect a computer through this port. The terms of service justification is that blocking inbound TCP/80 prevents users from running web servers, which may be prohibited by the ISP's terms of service for consumer-grade Internet access.

However, both justifications have weakened over the past few years. The security concern for TCP/80 can be addressed by proper configuration of the user's firewall and/or computer operating system, and thus many ISPs no longer block TCP/80. While many ISPs previously used their respective terms of service to prohibit consumers from running web servers, either to manage upstream capacity or to differentiate consumer Internet access from business Internet access, some ISPs now use different methods to differentiate services. Thus, blocking of inbound TCP/80 was previously more common than it is today, and most ISPs no longer block TCP/80 [Netalyzr].
3.2. Alternatives to Port Blocking

As the above sections have demonstrated, there are a variety of different circumstances and security threats that may provide motivations for ISPs to institute port blocking. As such, the alternative approaches available for resolving any particular problem will depend on the problem itself. For example, many of the vulnerabilities discussed above could also be resolved by applying software updates, patching operating systems, installing consumer firewalls, or upgrading home equipment. However, these alternative solutions cannot typically be implemented rapidly at a large scale, and in many cases are outside the control of the ISP. Whether consumers or ISPs pursue these alternative solutions, and whether the alternatives effectively reduce the risks that could otherwise be mitigated by port blocking, depends on the ease-of-use and costs of the alternatives.
3.3. Persistent Versus Temporary Blocking

Port blocking can be implemented temporarily on a short-term basis or persistently for an extended duration. Temporary blocking is usually done for security reasons, with the block typically remaining in place until the security threat is eliminated or substantially lessened. The vulnerability can be eliminated or reduced over time through software updates to the vulnerable devices, changes in technology or elimination of deprecated equipment. The time scale seen for temporary blocks ranges from hours to weeks.

In some cases it may prove impractical or impossible to remove these temporary port blocks. The examples of port blocking detailed above in Section 3.1 are temporary tactical blocks that evolved into persistent blocks, with durations now measured in years. These persistent blocks address known vulnerabilities that, for various reasons, either cannot or will not be corrected in the near future. Some of these vulnerabilities can only be addressed through fundamental architectural redesign of the Internet.

3.4. Considerations for Different Types of Networks and Network Architectures

As noted in Section 2.1, ISPs may take a different approach to port blocking depending on the type of customers they serve, or the type of network they run. It is important to understand that ISPs implement port blocking to different extents on different types of networks.

Enterprise-focused ISPs generally implement little to no port blocking due to the technical sophistication of their enterprise customers, while consumer-focused networks generally implement port blocking more often, as their customers are typically less technically sophisticated and unaware of security threats and vulnerabilities.

For a number of reasons, cellular operators are more sensitive than wireline operators to attacks and abuse that create large traffic volumes. As a result, some wireless carriers may be more aggressive than wireline carriers in their use of security mitigation tactics, including port blocking, because: (1) cellular data networks generally have less available bandwidth than wireline broadband networks, due to the limitations of radio; (2) wireless devices have limited battery power to expend on the additional processing required to defend against traffic created through attacks or abuse; and (3) wireless customers are more often subject to usage-based billing plans, where they are charged for the amount of data used.
3.5. Where do Port Blocks Occur?

Port blocking can be implemented at many different places in the network path. In a residential network, the most common places are typically located at the:

(1) Service Provider's Network Interconnection Links between ISPs
(2) Service Provider's Customer Facing Network Links
(3) Customer Premises Equipment (CPE)

With communications occurring in two directions (to and from the device), blocking can also be directional. Port blocking policies can, and often do, distinguish between inbound and outbound traffic. Since the session is identified by a pair of addresses and a pair of port numbers, and traffic from a client to a server always uses the identifying port number as its destination port, it is straightforward to prevent sessions in one direction while permitting them in the other.
3.5.1. Network Interconnection Port Blocks

The first common location port blocking can be implemented in an ISP's network is at the network interconnection links to other ISPs. Blocking inbound traffic at this location removes the ability of sources outside the ISP's network to send traffic on these ports to the ISP's users. Blocking outbound traffic on specific ports at this location removes the ability of the ISP's users to send traffic on these ports to destinations outside the ISP's network. However, neither inbound nor outbound port blocking at this location removes the ability of the ISP's users to send traffic on these ports to other users of the same ISP.

From an ease of management perspective, this is the best location in the ISP's network for implementation as it is the quickest to deploy because it requires the fewest number of interfaces to provision and manage. Blocking at the network interconnect links effectively protects against external threats because it impacts all of the external traffic.

As shown in Figure 4 however, the implementation of port blocking at these locations does not protect the ISP's customers from one another. In addition, these links are also typically large capacity links, and while today's routers are capable of implementing port blocking without a performance impact, historically that has not always been the case.



Figure 4: Spam blocked at Interconnect Router TCP/25.
The computer infection is not corrected and is allowed to impact users on the Service Provider network.
Port blocking on the Interconnect Router only helps targets that are not service providers.
3.5.2. Customer Facing Network Connection Port Blocks

The second common location to implement port blocking in an ISP's network is at the customer aggregation routers on the customer facing links. The effect of blocking traffic at this location varies depending on the type of network. In some networks inbound port blocking will prevent any traffic on that port from reaching the customer, while in other networks it will allow traffic from only other customers in that local area. Likewise in some networks an outbound block will prevent all outbound traffic on that port and in others will still allow outbound traffic on that port to other customers in that area. In contrast to the first location described above, port blocking at this second location requires blocking on substantially more interfaces.

[Figure 4 diagram labels: Mail Server; BOTNET Controller; Spam target; Service Provider Network; Interconnect Router; Edge Router; CPE; Computer for sending Spam, Outbound TCP/25. Step 1: Inbound control or Outbound Bot check in. Step 2: SPAM sent to Mail Servers. Step 3: Mail Servers place SPAM in mail box. Step 4: Users receive SPAM.]

Management of the port blocking policy is more complex and time consuming at this location due to the increased number of interfaces, but it has historically had less (or no) impact on the performance of the network as these interfaces are lower capacity. If port blocking is intended to address security concerns, then the primary reason many ISPs have chosen this location to implement port blocking is that it provides more protection to customers than the Interconnection link location, and provides good-to-adequate protection against malicious customers that would harm or burden the network. This location allows the ISP to both protect the customer from threats on the Internet and protect the Internet from threats from customers, as seen in Figure 5.




Figure 5: Spam blocked at Edge Link outbound TCP/25.
The computer infection is not corrected but the spam is prevented from reaching the mail server.
3.5.3. Customer Premises Equipment Port Blocks

The third location where port blocking is commonly implemented in an ISP's network is within customer premises equipment (CPE), e.g., cable or DSL modems and/or home routers or gateways. If inbound port blocking is implemented in equipment at the customer's premises, this removes the ability of sources outside the customer's premises to send traffic to the customer on these ports. Blocking outbound traffic on specific ports at this location removes the ability of an ISP's customer to send traffic on these ports to destinations outside the customer's premises. None of the ISP implemented blocks affect traffic within the home.
[Figure 5 diagram labels: Mail Server; BOTNET Controller; Spam target; Service Provider Network; Interconnect Router; Edge Router; CPE; Computer for sending Spam, Outbound TCP/25. Step 1: Inbound control or Outbound Bot check in. Step 2: SPAM sent to Mail Servers. Step 3: Port block at edge router prevents SPAM from reaching Mail Servers.]

Port blocking on customer premises equipment distributes the processing load required to implement port blocking. This location is also the most granular of the three common locations, in that it allows an ISP to apply port blocking rules on a per customer basis. However, at least one trade-off is the high cost of administering port blocking rules on what could potentially be millions of devices rather than a few thousand interfaces.

The viability of this third location can vary depending on the type of equipment located at the customer premises, but especially on the ownership or "control" of the equipment - as some equipment is provided by the ISP and some by the customers themselves, with different levels of control or ownership by each group. Below are two example scenarios:

Scenario 1 - CPE is managed by the customer

In this scenario, the ISP does not provide a home router or customer premises equipment to the customer, or the ISP provides the device but does not manage the security policy on the device. Many times, the customer will purchase a home router that typically implements a certain level of port blocking by default. However, since the ISP does not manage the equipment, the ISP will not have the ability to implement port blocking at this location. From the perspective of the ISP, this scenario presents a high risk to both the customer and the network. From the perspective of the customer this offers the highest amount of freedom, but also implies that the customer adopts the associated risk.

Scenario 2 - The ISP provides a device that is capable of providing port blocking and is solely managed by the ISP

In this scenario the ISP maintains the ability to control the port blocking policy (protecting the customer and preventing malicious customer traffic) while still retaining the flexibility to modify the rules in some instances on a case-by-case basis if requested by the customer. From the ISP's perspective this affords all the protection of port blocking in the network. From the perspective of the customer, this scenario may reduce the risk to the customer, but may also reduce the freedom accorded to the customer if the ISP does not allow opt-out from port blocking.

In general, if a customer manages the CPE device in his or her home, the ISP has no ability to provision port blocking rules in the device and may therefore resort to implementing port blocking in the network if no reasonable alternatives are available. In cases where the ISP manages the CPE and has the ability to apply port blocking rules in the device it may allow the ISP more flexibility in implementing port blocking policies and opt-out.

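Sections 3.5 through 3.5.3 make two points that are easy to state but easy to get wrong in a rule set: a block is directional because the client-to-server flow carries the service's port as its destination port, and what a block can see depends on where it is enforced (a block on the interconnect links never sees customer-to-customer traffic; a block on the customer-facing link does). The following added example, written for this page and not taken from the report or from BITAG, models the three enforcement points as address boundaries and evaluates rules relative to them. The address plan (203.0.113.0/24 as the ISP's customer space, a /26 served by one aggregation router, a /28 behind one CPE, 203.0.113.250 as the ISP's mail server) and the sample flows are assumptions for illustration.

```python
"""Location-aware, directional port-block evaluator (added example).

A flow is evaluated at an enforcement point only if it crosses that point's
boundary, and "inbound"/"outbound" are taken relative to that boundary.
Addresses, boundaries and flows below are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional

# Constructed address plan (assumption, not from the report).
BOUNDARIES: Dict[str, IPv4Network] = {
    "interconnect": ip_network("203.0.113.0/24"),     # whole ISP customer space
    "customer_facing": ip_network("203.0.113.0/26"),  # one aggregation router's area
    "cpe": ip_network("203.0.113.16/28"),             # one customer's premises
}
ISP_MAIL_SERVERS: FrozenSet[str] = frozenset({"203.0.113.250"})


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int   # client -> server: the destination port names the service


@dataclass(frozen=True)
class Rule:
    location: str                  # key into BOUNDARIES
    direction: str                 # "outbound" (inside -> outside) or "inbound"
    proto: str
    port: int
    exempt_sources: FrozenSet[str] = frozenset()  # e.g. the ISP's own mail servers


def crossing(flow: Flow, boundary: IPv4Network) -> Optional[str]:
    """Direction of the flow relative to a boundary, or None if it never crosses it."""
    src_in = ip_address(flow.src) in boundary
    dst_in = ip_address(flow.dst) in boundary
    if src_in and not dst_in:
        return "outbound"
    if dst_in and not src_in:
        return "inbound"
    return None  # both inside (stays behind the boundary) or both outside (transit)


def matching_rules(flow: Flow, rules: List[Rule]) -> List[Rule]:
    """Rules that would drop this flow at their respective enforcement points."""
    hits = []
    for rule in rules:
        if crossing(flow, BOUNDARIES[rule.location]) != rule.direction:
            continue
        if rule.proto != flow.proto or rule.port != flow.dport:
            continue
        if flow.src in rule.exempt_sources:
            continue
        hits.append(rule)
    return hits


def is_blocked(flow: Flow, rules: List[Rule]) -> bool:
    return bool(matching_rules(flow, rules))


# The Section 3.1.1 policy (outbound TCP/25 except from the ISP's mail
# servers, plus inbound TCP/25) enforced at the interconnect, versus an
# outbound-only TCP/25 block enforced on the customer-facing links.
INTERCONNECT_POLICY = [
    Rule("interconnect", "outbound", "tcp", 25, ISP_MAIL_SERVERS),
    Rule("interconnect", "inbound", "tcp", 25),
]
CUSTOMER_FACING_POLICY = [
    Rule("customer_facing", "outbound", "tcp", 25, ISP_MAIL_SERVERS),
]

# Constructed flows: an infected customer host (.20), the ISP's mail server
# (.250) and an external mail exchanger (198.51.100.25).
FLOWS = {
    "bot_to_external_mx": Flow("203.0.113.20", "198.51.100.25", "tcp", 25),
    "bot_to_isp_mail_server": Flow("203.0.113.20", "203.0.113.250", "tcp", 25),
    "bot_submission_587": Flow("203.0.113.20", "198.51.100.25", "tcp", 587),
    "isp_mail_server_relay": Flow("203.0.113.250", "198.51.100.25", "tcp", 25),
    "external_to_customer_25": Flow("198.51.100.7", "203.0.113.20", "tcp", 25),
}


def evaluate(policy: List[Rule]) -> Dict[str, bool]:
    """Which of the sample flows a policy drops."""
    return {name: is_blocked(flow, policy) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    print("interconnect   ", evaluate(INTERCONNECT_POLICY))
    print("customer-facing", evaluate(CUSTOMER_FACING_POLICY))
```

Running it shows the gap Figure 4 illustrates: the interconnect policy drops the bot's SMTP to an external mail exchanger and drops inbound TCP/25 from outside, but never sees the bot's SMTP to the ISP's own mail server, because both endpoints sit inside the interconnect boundary. The customer-facing policy catches that flow as well, at the cost of being provisioned on many more interfaces. In both cases the bot's TCP/587 submission and the mail server's own outbound relay pass, which is why an outbound TCP/25 block does not stop customers from sending mail.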
3.6. Opt-Out Options

As illustrated in the previous sections, there are several technical variables to consider for when and where a port block is applied, and whether or not an opt-out solution is offered to users. Beyond the technical variables, additional consideration is given to: (1) financial concerns, (2) operational factors (overhead of managing the potential multitude of individual policies), (3) Internet reputation (allowing cyber attacks to originate from the service network can impact all of the ISP's users), and (4) legal concerns (risk of applying the wrong policies to the wrong people).

The impact of an ISP's port blocking policy on the user will vary according to which ports are blocked. In some cases, e.g., blocking of network management ports, the port blocking policy is unlikely to have a negative impact on the user even if opt-out is not allowed. In other cases, where the port blocking policy may negatively impact some users, allowing for an opt-out policy could help to minimize any negative effects.

Due to the enterprise and commercial customers' high level of technical sophistication, these customers often are trusted by their ISP to connect to its network without the need for port blocking rules set by the ISP. In a similar manner, there can be a certain percentage of residential customers with the same level of technical sophistication - who may warrant a similar approach.

The decision of whether and how to allow a user to opt-out of some or all of the port blocking rules within an ISP's port blocking policy may depend on the ISP's rationale for the block, where and how the port block is implemented, and most importantly the ISP's network design. The capability and the cost of implementing an opt-out option vary greatly from ISP to ISP. Some ISPs will find opt-out technically impossible, some ISPs will find opt-out possible but costly, and some may find opt-out relatively easy. While some of the factors in this decision are highlighted in this report (such as where the blocks are implemented), every ISP will face its own specific complexities (such as IT design). For these reasons some ISPs allow for opt-out, some require the user to move to a business service (which are designed to not use port blocking), and others do not allow opt-out at all.

4. Implications and Concerns Relating to Port Blocking

The implications and concerns related to port blocking may depend upon where a stakeholder "sits" in the Internet ecosystem. An ISP may see port blocking as an indispensable tool while an application developer may see port blocking as a challenge. Users may have different perceptions or concerns based upon their level of technical expertise. This section will offer some of these differing perspectives, as well as touch on some of the security considerations that go along with port blocking.

4.1. Concerns of Internet Ecosystem Stakeholders

4.1.1. Internet Service Providers

The Internet was built around the premise of an open and shared environment. Many early Internet protocols were designed with limited or no security measures built into their basic communications. Today, applications that leverage these protocols have inherited their minimal security characteristics.

Many ISPs implement port blocking to address some or all of the long-term problems discussed in Section 3.1. If left unblocked, these are threats that can cause an increase in spam or can compromise users' information. From the perspective of most consumer ISPs, the implementation of these port blocks can dramatically reduce support costs (fewer customer calls, fewer spam complaints, etc.) and result in minimal or no inconvenience to most users.

Most ISPs will also use port blocking as a means to mitigate a short-term, or what is hoped to be a short-term, threat. These threats generally fall into the denial of service (DoS) category. Some good examples of this are SNMP to prevent SNMP-amplified Distributed Denial of Service (DDoS) attacks, and some worms like Blaster. While port blocking is not a silver bullet, and does nothing to prevent port-agile attacks, it can be a viable short-term mitigation step for some attacks until a long-term solution is found.

Port blocking is used by a few ISPs to enforce terms of service. Some ISPs offer different levels of service such as consumer and business and can differentiate those services by allowing one to host servers and another that cannot. The number of ISPs that use port blocking in this fashion has declined in recent years, and there are only a few ISPs left implementing this practice.

Historically, there have been instances of ISPs using port blocking to block bandwidth-intensive or competing applications. While these are the implementations that draw the most attention, ire, and press, they have been very rare.

Consumer ISPs serve a variety of customer types ranging from a majority of customers who are less technically sophisticated to a minority of 'power users'. Unfortunately, there are a number of bad actors that connect to the Internet and a large number of customers that do not adequately protect themselves. ISPs must walk a fine line of trying to create a service that will protect the average user while not hindering the power user. In general, ISPs believe port blocking is a critical tool in order to create the secure environment the average user wants, and that port blocking for security reasons rarely causes problems for application developers or power users.
4.1.2. Applications and Application Providers

Ideally, application providers would be able to design their applications under the assumption that the entire port number space is available to them. However, port blocking, together with NAT, firewalls, and other technologies, generally serves to reduce the number of available ports.

Port blocking can complicate application design and development and create uncertainty about whether applications will function properly when they are deployed. Although port blocking may be intended to block only unwanted traffic, it may also inadvertently block wanted traffic by mistake. This inadvertent blocking of wanted traffic may lead application developers to move their applications to ports that are not blocked. However, the availability of any particular port - outside of the "well-known" ports - can be somewhat uncertain, as different network operators can independently choose to block or unblock individual ports. Thus, applications designed to function across multiple IP networks must take into account the potential for port unavailability or unreliability (although applications may need to do so anyway, perhaps more so because of the prevalence of proxies, firewalls, NAT, and LSN rather than ISP-based port blocking).

Some application providers may be concerned about ISPs intentionally blocking their applications for anti-competitive purposes. For example, in 2005 the ISP Madison River was found to be blocking ports associated with independent voice over IP services that were in competition with the ISP's own voice telephony services [Madison River]. Port blocking has also been used for the purpose of limiting traffic from applications associated with high traffic volumes, such as peer-to-peer file-sharing applications [Toward Quantifying Network Neutrality]. Such concerns have caused some application developers to adopt some of the mitigation measures discussed below, such as designing their applications to be port-agile or using ports unlikely to be blocked.

Whether and how an application provider chooses to mitigate the effects of port blocking will depend on a number of factors, including the size of the impact on the application's user base, the expected duration of potential blocks, and the rationale behind the blocks. A short-term block may not require mitigation, whereas blocks that affect many users and are expected to remain in place over the long term may trigger more extensive responses. If blocking is conducted for non-technical business reasons, application developers may choose to contest those port blocks in business negotiations, regulatory forums, or in public rather than developing mitigations.
Theie aie a numbei of mitigation tactics available. At the veiy least, application
pioviueis may choose to uevelop usei uocumentation oi customei seivice expeitise to
help theii useis unueistanu the natuie of the pioblem anu potential woikaiounus, if
available. Anothei tactic may be to ieuesign some applications to use uiffeient poits,
to conuuct connectivity testing befoie establishing connections, to be poit-agile, oi to
make poit selection usei-configuiable. Whethei any of these options aie available may
uepenu on whethei ie-uesigneu veisions of the application can be maue compatible
with existing veisions.
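Two of the mitigation tactics described above, connectivity testing before establishing a connection and port agility, can be combined in an application client as a ranked probe of candidate ports: the application's native port is tried first and a fallback port only if that fails. The following Python code is an added example and is not code from the BITAG report or from any application provider; the host, the candidate port lists and the loopback test server are constructed for illustration.

```python
"""Port-agile connection setup for an application client.

Added example, not code from the BITAG report. The host name, the candidate
port list and the loopback test server are constructed for illustration.
"""
import socket
import threading
from contextlib import closing


def probe_tcp(host, port, timeout=1.0):
    """Return True if a TCP handshake to (host, port) completes within `timeout`.

    A port blocked on the path usually shows up here as a timeout (packets
    silently dropped) or as "connection refused" (a reset injected by some
    device in the path)."""
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return True
    except OSError:
        return False


def select_port(host, candidates, timeout=1.0):
    """Return the first candidate port that accepts a TCP connection, else None.

    Candidates are tried in order of preference: the application's native port
    first, widely-open fallback ports last. Every failed probe costs up to one
    `timeout`, which is exactly the connection-setup delay that connectivity
    checks add to an application."""
    for port in candidates:
        if probe_tcp(host, port, timeout):
            return port
    return None


def start_local_listener():
    """Start a throwaway loopback TCP listener standing in for the application's
    own server. Returns (port, listening_socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()            # only the completed handshake matters here
            except OSError:
                break                   # listener was closed
    threading.Thread(target=accept_loop, daemon=True).start()
    return port, srv


def unused_loopback_port():
    """Pick a loopback port with nothing listening on it; it stands in for a
    blocked port, since connections to it fail immediately."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Simulate the native port being unreachable and a fallback being open.
    Returns (blocked_port, open_port, chosen_port)."""
    open_port, srv = start_local_listener()
    blocked_port = unused_loopback_port()
    try:
        chosen = select_port("127.0.0.1", [blocked_port, open_port], timeout=0.5)
    finally:
        srv.close()
    return blocked_port, open_port, chosen


if __name__ == "__main__":
    blocked, fallback, chosen = demo()
    if chosen == fallback:
        print(f"native port {blocked} unreachable, fell back to port {chosen}")
    else:
        print("no candidate port reachable")
```

The probe order matters: a client that checks its fallback first would migrate all of its traffic onto the shared port even where the native port is open, which is the port-overloading effect the next paragraph discusses. Caching the last working port per network, or probing the candidates concurrently, limits the added connection latency.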
These mitigations may raise additional issues for application providers. Introducing connectivity checks can impact performance, causing applications to take a significantly longer amount of time to establish initial connections. Shifting to ports that are already in common use by other applications and protocols can complicate application design. For example, some networks use proxies to validate that HTTP traffic conforms to specific protocol semantics; shifting non-HTTP traffic to port 80 may therefore result in the loss of particular functionality or may prevent the use of non-TCP transports. The implications of movement towards the majority of applications running on a small number of ports are uncertain as of yet. Such a change could arguably dampen the "diversity" or limit the number of different types of applications that can perform well on the network, since new applications may be expected to conform to the way that existing applications function on the same port (for example, expecting that all TCP 80 traffic behaves like HTTP).
Port blocking on residential networks may particularly constrain independent or non-commercial application developers, many of whom experiment with new application features and functionality using residential broadband connections. Although the rise of cloud computing resources may provide these developers with a way to circumvent restrictions imposed on their home connections, port blocking on residential networks may still put limits on local testing and development.
Port blocking is among a set of tools and tactics (NAT being the other major example) that can undermine the original intent of ports: to provide reliable local addresses so that end systems could manage multiple communications at once. In general, blocking ports does not cause applications to vanish from the Internet, but rather induces a cat-and-mouse game whereby application development either becomes increasingly complex so as to evade port blocking through port-agnosticism, or drives application traffic to a dwindling set of ports that are reliably kept open across most networks. These efforts in turn cause ISPs to seek increasingly application-aware means of identifying and thwarting unwanted traffic.
4.1.3. Consumer or End-User Concerns
Port blocking can cause applications to not function properly, or "break", by preventing them from using the ports they were designed to use. Importantly, it may not be obvious to Internet users why their affected application is not working because the application may simply be unable to connect or fail silently. If error messages are provided, those messages may not contain specific details about the cause of the problem. Users may seek assistance from the ISP's customer service, online documentation, or other knowledgeable sources if they cannot diagnose the problem themselves. The process of diagnosis is further complicated by the fact that the problem could alternatively be caused by home networking equipment or a software-based port block.
Users' ability to respond to port blocking depends on their technical sophistication and the extent to which workarounds are available. Overcoming the port block may require installing a software update, changing a configuration setting, requesting an opt-out from the ISP, or upgrading the level of service (from residential to business, for example). If these options are not available, or if users lack the knowledge or willingness to pursue them, they may be prevented from using the blocked application altogether, or they may have to switch to a different application or a different network (from wired to wireless, for example). Where port blocking is used to funnel traffic to an ISP's own infrastructure (by limiting outbound TCP 25 traffic unless the traffic is destined for the ISP's own mail servers, for example), it effectively reduces the set of application provider choices available to users (all other mail servers, for example).
The trend towards port overloading, or in other words the fact that many different applications now use the same port, means that traffic identification and classification need to take place at the application layer. This may have implications for user control and privacy, because port overloading motivates the deployment of Deep Packet Inspection (DPI) and other content-aware technologies that can be used to identify and manage specific applications or communications.
Blocking of certain ports could also have more serious repercussions for user privacy and security. For example, blocking port 443 would effectively prevent secure HTTP communication and the ability of users to connect with the large number of sites that require Hypertext Transport Protocol Secure (HTTPS). Port blocking used in this capacity is an attempt to keep communications in clear text (perhaps for inspection or surveillance purposes). This port has been blocked by ISPs outside of the US, but not domestically.

5. Technical Working Group (TWG) Suggested Practices

While port blocking can have positive security benefits, it can affect how particular Internet applications function. Thus its use has the potential to be anti-competitive, discriminatory, otherwise motivated by non-technical factors, or construed as such. As a result, the Broadband Internet Technical Advisory Group (BITAG) has a number of suggested practices regarding port blocking on both wireline and wireless networks.

5.1. ISPs Should Avoid Port Blocking Unless No Reasonable Alternatives Are Available

BITAG recommends that ISPs avoid port blocking unless they have no reasonable alternatives available for preventing unwanted traffic and protecting customers. Further, if port blocking is deemed necessary, it should only be used for the purposes of protecting the implementing ISP's network and users. Port blocking should not be used for ongoing capacity management, or to enforce non-security terms of service, or to disadvantage competing applications.

Port blocking can create collateral damage for legitimate users and uses of the network, and can complicate the development of applications. A number of applications (including many that pose security threats) have evolved to become port-agile or to use ports that are unlikely to be blocked, most commonly ports 80 and 443. As a result, the long-term effectiveness of port blocking as a means to prevent unwanted traffic is limited. On the other hand, ISPs may view port blocking as a simple and powerful way of handling security threats, particularly in the short term. Despite the negative impacts that may come with the practice, for the time being its use may be considered a necessity.

5.2. ISPs Should Provide Opt-Out Provisions

BITAG recommends that if an ISP can reasonably provide their users with opt-out provisions or exceptions to their port blocking policies, they should do so.

BITAG recognizes the benefit of providing opt-out policies for a subset of users and for certain port blocking rules. However, the technical feasibility, administrative complexity, and costs can vary greatly depending upon the implementation, including the particulars of the access network technology (i.e. DOCSIS, DSL, LTE, etc.). For example, there may be cases where SNMP blocking is only feasible in an access router or other aggregation point, some distance from the user's equipment, which may make per-user controls exceedingly difficult or impossible. Thus, BITAG recommends that ISPs balance their decisions about which ports to block with their capabilities of offering opt-out.

5.3. ISPs Should Disclose Port Blocking Policies

BITAG recommends that ISPs publicly disclose their port blocking policies. The information should be readily available to both customers and non-customers alike, and should be as informative and concise as possible. For example, port blocking policies could be provided on the ISP's public facing website, on a page dedicated to summarizing or describing the respective ISP's network management practices.

For persistent port blocks the information should include:

- Port number(s)
- Transport protocol (e.g., TCP or UDP)
- Application(s) normally associated with the port(s) (e.g., SMTP)
- Direction of the block (outbound or inbound)
- Brief description of the reason(s) for the block (e.g., SPAM)
- If opt-out provisions are available and how to request such

This will give users better information with which to diagnose problems, can better inform consumers' decision-making when choosing an ISP, and can provide crucial information to application developers.
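A disclosure carrying the six items listed above can also be published in a machine-readable form, so that a support tool or an application can turn a failed connection into an explanation instead of the silent failure described earlier. The following Python code is an added example, not the report's own material and not any ISP's actual format; the "|"-separated layout, the sample entries (TCP 25 outbound for spam, UDP 161 inbound for SNMP amplification) and the opt-out wording are constructed for illustration.

```python
"""Machine-readable port blocking disclosure, plus a lookup that explains a
failed connection in terms of it.

Added example, not part of the BITAG report and not any ISP's real format.
The '|'-separated layout, the sample entries and the opt-out text below are
constructed for illustration.
"""
from dataclasses import dataclass

TRANSPORTS = ("TCP", "UDP")
DIRECTIONS = ("inbound", "outbound")


@dataclass(frozen=True)
class PortBlock:
    """One persistent block, carrying the six items a disclosure should state."""
    port: int
    transport: str     # TCP or UDP
    application: str   # service normally associated with the port, e.g. SMTP
    direction: str     # inbound or outbound, from the subscriber's point of view
    reason: str        # brief reason for the block
    opt_out: str       # "none", or how to request an exception

    def __post_init__(self):
        # Reject incomplete entries: a disclosure missing one of the six items
        # is not useful for diagnosis and should not be published as-is.
        if not 0 < self.port < 65536:
            raise ValueError(f"port {self.port} out of range")
        if self.transport not in TRANSPORTS:
            raise ValueError(f"transport must be one of {TRANSPORTS}")
        if self.direction not in DIRECTIONS:
            raise ValueError(f"direction must be one of {DIRECTIONS}")
        for name in ("application", "reason", "opt_out"):
            if not getattr(self, name).strip():
                raise ValueError(f"{name} must not be empty")


def parse_policy(text):
    """Parse one block per line: port | transport | application | direction | reason | opt-out.

    Blank lines and '#' comments are skipped. Returns (blocks, errors); malformed
    lines are reported rather than silently dropped, so a bad entry cannot make a
    block vanish from the published policy unnoticed."""
    blocks, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 6:
            errors.append(f"line {lineno}: expected 6 fields, got {len(fields)}")
            continue
        port, transport, app, direction, reason, opt_out = fields
        try:
            blocks.append(PortBlock(int(port), transport.upper(), app,
                                    direction.lower(), reason, opt_out))
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
    return blocks, errors


def explain_failure(blocks, port, transport, direction):
    """Match an observed connection failure against the disclosed blocks and
    return a user-facing explanation."""
    key = (port, transport.upper(), direction.lower())
    for b in blocks:
        if (b.port, b.transport, b.direction) == key:
            return (f"{b.transport} {b.port} {b.direction} ({b.application}) is "
                    f"blocked by the ISP: {b.reason}. Opt-out: {b.opt_out}.")
    # No ISP block matches: the home router, or a software firewall on the
    # host, are the other places a port block is commonly applied.
    return (f"No disclosed ISP block matches {transport.upper()} {port} {direction}; "
            "check the home router/firewall rules and any software firewall next.")


# Constructed sample disclosure for a hypothetical ISP (not a real policy).
SAMPLE_POLICY = """
# port | transport | application | direction | reason | opt-out
25  | TCP | SMTP | outbound | spam sent by compromised hosts | request an exception through the account portal
161 | UDP | SNMP | inbound  | reflected amplification DDoS attacks | none
"""

if __name__ == "__main__":
    blocks, errors = parse_policy(SAMPLE_POLICY)
    for e in errors:
        print("policy error:", e)
    print(explain_failure(blocks, 25, "tcp", "outbound"))
    print(explain_failure(blocks, 443, "tcp", "outbound"))
```

Matching on port, transport and direction together is deliberate: a disclosure that lists only port numbers cannot distinguish an outbound TCP 25 block from an unrelated inbound one, which is why the report asks for all three.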

There may be times when a security incident will prompt the need for an immediate and temporary port block to be implemented by an ISP in order to protect its customers or protect its network. It may not be feasible to disclose such blocks before they are removed. There may also be times when the disclosure of port blocking in response to a particular attack may compromise that security mitigation.

5.4. ISPs Should Make Communications Channels Available for Feedback

BITAG recommends that ISPs provide a communications channel or other clear method for application providers and consumers to provide feedback to each ISP on its respective port blocking policy - to discuss impacts caused by port blocking and to consider other possible mitigations, among other things. The communications channel or other clear methods should be provided where the port blocking policies are disclosed. ISPs should be reasonably responsive to communications received from application developers and consumers, among other things to discuss impacts caused by port blocking and to consider possible mitigations.

5.5. ISPs Should Revisit Their Port Blocking Policies on a Regular Basis

BITAG recommends that ISPs revisit their respective port blocking policies on a regular basis to determine whether the threats that required the port blocking rules continue to be relevant, and whether their policies should be adjusted accordingly. Some security threats are permanent and some are transitory or short-lived. Items such as spam prevention by blocking TCP 25 are expected to last quite some time, while others such as blocks to prevent certain types of malware may be temporary and can be fixed over time with software patching.

5.6. Port Blocking Rules for Consumer Equipment Should Be User Configurable

BITAG recommends that the port blocking (or firewall) rules of consumers' home routers should be user configurable - whether the routers are provided by the ISP or purchased separately by the consumer. It is recommended that the documentation provided with each unit inform the consumer that port blocking or firewall rules have been implemented, default ports blocked, and how consumers can modify those rules.


6. References

[BCP38] Ferguson, P. and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", BCP 38, May 2000, <http://tools.ietf.org/html/bcp38>.

[BCP165] Cotton, M., L. Eggert, J. Touch, M. Westerlund, and S. Cheshire, "Internet Assigned Numbers Authority (IANA) Procedures for the Management of the Service Name and Transport Protocol Port Number Registry", BCP 165, August 2011, <http://tools.ietf.org/html/bcp165>.

[RFC675] Cerf, V., Y. Dalal, and C. Sunshine, "Specification of Internet Control Program", RFC 675, December 1974, <http://tools.ietf.org/html/rfc675>.

[RFC768] Postel, J., "User Datagram Protocol", RFC 768, August 1980, <http://tools.ietf.org/html/rfc768>.

[RFC788] Postel, J., "Simple Mail Transfer Protocol", RFC 788, November 1981, <http://tools.ietf.org/html/rfc788>.

[RFC793] Postel, J., "Transmission Control Protocol", RFC 793, September 1981, <http://www.ietf.org/rfc/rfc793.txt>.

[RFC1001] Aggarwal, A., et al., "Protocol Standard for a NetBIOS Service on a TCP/UDP Transport: Concepts and Methods", RFC 1001, March 1987, <http://www.ietf.org/rfc/rfc1001.txt>.

[RFC1002] Aggarwal, A., et al., "Protocol Standard for a NetBIOS Service on a TCP/UDP Transport: Detailed Specifications", RFC 1002, March 1987, <http://www.ietf.org/rfc/rfc1002.txt>.

[RFC1122] Braden, R., "Requirements for Internet Hosts - Communications Layers", RFC 1122, October 1989, <http://tools.ietf.org/html/rfc1122>.

[RFC2616] Fielding, R., J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, and T. Berners-Lee, "Hypertext Transfer Protocol - HTTP/1.1", RFC 2616, June 1999, <http://tools.ietf.org/html/rfc2616>.

[RFC2827] Ferguson, P., D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing", RFC 2827, May 2000, <https://tools.ietf.org/html/rfc2827>.

[RFC4271] Rekhter, Y., T. Li, and S. Hares, "A Border Gateway Protocol 4 (BGP-4)", RFC 4271, January 2006, <http://tools.ietf.org/html/rfc4271>.

[RFC5068] Hutzler, C., D. Crocker, P. Resnick, E. Allman, T. Finch, "Email Submission Operations: Access and Accountability Requirements", RFC 5068, November 2007, <https://tools.ietf.org/html/rfc5068>.

[RFC6204] Singh, H., W. Beebee, C. Donley, B. Stark, and O. Troan, "Basic Requirements for IPv6 Customer Edge Routers", RFC 6204, April 2011, <http://tools.ietf.org/html/rfc6204>.

[RFC6335] Cotton, M., et al., "Internet Assigned Numbers Authority (IANA) Procedures for the Management of the Service Name and Transport Protocol Port Number Registry", RFC 6335, August 2011, <http://tools.ietf.org/html/rfc6335>.

[RFC6409] Gellens, R., and J. Klensin, "Message Submission for Mail", RFC 6409, November 2011, <http://tools.ietf.org/html/rfc6409>.

[BITAG Large Scale NAT Report] Broadband Internet Technical Advisory Group (BITAG), "Implications of Network Address Translation (NAT)", March 2012, <http://www.bitag.org/documents/BITAG_TWG_Report-Large_Scale_NAT.pdf>.

[BITAG SNMP Report] Broadband Internet Technical Advisory Group (BITAG), "SNMP Reflected Amplification DDoS Attack Mitigation", March 2012, <http://www.bitag.org/documents/SNMP-Reflected-Amplification-DDoS-Attack-Mitigation.pdf>.

[Comcast Letter on SMTP Port 25] O'Reirdan, M., "Updated Management of SMTP Port 25", August 1, 2012, <http://corporate.comcast.com/comcast-voices/updated-management-of-smtp-port-25>.

[M3AAWG Port 25 Recommendation] Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG), "Managing Port 25 for Residential or Dynamic IP Space Benefits of Adoption and Risks of Inaction", December 2005, <http://www.maawg.org/sites/maawg/files/news/MAAWG_Port25rec0511.pdf>.

[Madison River] Federal Communications Commission (FCC), "In the Matter of Madison River Communications, LLC and Affiliated Companies", Consent Decree, DA 05-543, March 2005, <http://hraunfoss.fcc.gov/edocs_public/attachmatch/DA-05-543A2.pdf>.

[Netalyzr] University of California - Berkeley, International Computer Science Institute, "Netalyzr", <http://netalyzr.icsi.berkeley.edu>.

[Netalyzr2010] Kreibich, C., N. Weaver, B. Nechaev, V. Paxson, "Netalyzr: Illuminating the Edge Network", November 2010, <http://www.icir.org/christian/publications/2010-imc-netalyzr.pdf>.

[Port Number Registry] Touch, J., M. Kojo, E. Lear, A. Mankin, K. Ono, M. Stiemerling, and L. Eggert, "Service Name and Transport Protocol Port Number Registry", March 2013, <http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml>.

[Skype FAQ] Skype, "Connection Problems: Which Ports Need to be Open to Use Skype for Windows Desktop", April 2013, <https://support.skype.com/en/faq/FA148/which-ports-need-to-be-open-to-use-skype-for-windows-desktop>.

[Toward Quantifying Network Neutrality] Beverly, R., S. Bauer, A. Berger, "The Internet's Not a Big Truck: Toward Quantifying Network Neutrality", 2007, <http://www.akamai.com/dl/technical_publications/truck-pam07.pdf>.

[SANS] SANS Institute, "Intrusion Detection FAQ: What Port Numbers Do Well-Known Trojan Horses Use?", April 2013, <http://www.sans.org/security-resources/idfaq/oddports.php>.

7. Glossary of Terms

Home Gateway Device: A network element that creates, connects to, or extends a home network for a user. These devices can perform a range of functions, such as connecting to the Internet, creating or extending a wireless network, providing backup and storage, etc. [See also RFC 6204]

HTTP Proxy: A computer system or an application that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource available from a different server, and the proxy server evaluates the request as a way to simplify and control its complexity.

ISP Interconnection Links: For the purpose of this document, the places (links) where IP traffic is exchanged between ISP networks.

Transmission Control Protocol (TCP): A protocol used along with the Internet Protocol (IP) to send data in the form of information packets between computers over the Internet. While IP handles the actual delivery of the data, TCP keeps track of the individual packets that a message is divided into for efficient routing through the Internet. IP packets can be lost, duplicated, or delivered out of order, and TCP detects these problems, requests retransmission of lost data, rearranges out-of-order data, and even helps minimize network congestion to reduce the occurrence of the other problems. [See also RFC 675 et al]

User Datagram Protocol (UDP): A protocol used along with the Internet Protocol (IP) to send data in the form of information packets between computers over the Internet. In contrast to TCP, UDP uses a simple transmission model with a minimum of protocol mechanism. UDP is suitable for purposes where error checking and correction is either not necessary or performed in the application, thus avoiding the overhead of such processing at the network interface level. Time-sensitive applications often use UDP, where dropping packets is preferable to waiting for delayed packets. [See also RFC 768]

8. Document Contributors and Reviewers
- Fred Baker, Cisco
- Alissa Cooper, Center for Democracy and Technology
- Chuck Dvorak, AT&T
- Michael Fargano, CenturyLink
- David Fullagar, Netflix
- Jeffrey Good, Disney
- Amer Hassan, Microsoft
- Dale Hatfield
- Trace Hollifield, Bright House Networks
- Scott Jordan, University of California, Irvine
- Kevin Kahn, Intel
- Jason Livingood, Comcast
- Donald Smith, CenturyLink
- Jeff Swinton, Verizon
- Tony Watson, Google
- Jason Weil, Time Warner Cable
