AT&T DOES block ports and protocols to its customers (“Port barricading”)
This discovery has cost me money because it takes about an hour of debugging just to figure out that a port is being barricaded. What do I mean by barricading?
- You open the port on your firewall (i.e., your modem/router)
- Outside connections still cannot be established on that port, even in DMZ mode
Port barricading is the responsibility of your Internet Service Provider
What do ISPs gain from barricading?
As cable companies grow increasingly greedy in spite of modern laws and regulations, they keep finding ways to drain every penny from their customers. This is their newest assault.
AT&T knows it can get away with charging more (double or triple the amount) for the ‘business package’, so it’s in its best interest to force as many people as possible to buy it. But AT&T also knows it’s on thin ice with a generally angry public ready to switch ISPs at the drop of a hat. So the plan is to target a minority of people trying either to express themselves or to start a business. What they’ve done is barricade certain ports and protocols on the ‘residential package’ that are critically needed to do these things. I checked, and this is not in the contract that you sign, or the terms of service you agree to, but rather it’s a hidden limitation that is only uncovered after you sign the 1-year agreement.
“PCI Compliance” is a certification you must receive if you deal with credit card information or other highly sensitive information. A PCI compliance scan checks your network to make sure you’ve got no holes in your security. This is all fine and good practice.
However, AT&T has a ‘reverse barricade’ on ports 61001 and 7547 (see the table below). This means they’re always open, regardless of your consent. “Coincidentally”, these are the same ports that fail the PCI compliance scan. This means that if you want to run any sort of profitable (and secure) operation, you’re forced to upgrade to the ‘business package’ simply because your ISP is deliberately limiting the security of your network.
See this discussion about it: https://community.spiceworks.com/topic/663206-open-port-on-uverse-modem-keeps-causing-pci-compliance-to-fail-at-t-no-help
How did AT&T respond?
I sent several inquiries but none of them got a response. However, the only response I got was when I pretended to be a black woman complaining that I couldn’t access my email. I’m not even kidding. This is what they said:
The reason why AT&T chooses to block port 25 is because it is common for viruses to install “zombie processes” which then use this port to send out spam on infected machines. This is also why most mail servers are moving away from using this port.
Here is a document which shows you the ports AT&T blocks with descriptions of the reasons why. This was put in place to not only protect you, the consumer, but also AT&T’s network integrity.
They’re essentially saying port 25 is used to propagate “botnet viruses” and/or spam. However,
- It’s impossible to propagate viruses via port 25 (it may have been possible two decades ago)
- They claim spam is sent via port 25. Keyword: sent. Any port can be used to send. You could send spam on port 420 if you wanted to. This is a fake argument.
Thus, since they have NO reason to barricade 25, I looked into what else they’re blocking to “protect the consumer”.
Below is the full table of what’s barricaded; the last column, “actual reason”, is of my authorship.

| Port | Protocol | Service | Direction | Threat (AT&T’s stated reason) | Actual reason |
|---|---|---|---|---|---|
| 0 | TCP | Reserved | Both | Reserved Port | Honestly, no one should be using this. But why should the ISP be blocking it? |
| 19 | UDP | Chargen | Both | Reflective DDOS | Rarely used, if only by printers… why block? |
| 25 | UDP | SMTP | Outbound | SPAM, Malware | Force you to buy the ‘business package’ if you want the luxury of using email |
| 68 | UDP | BOOTP | Outbound | DHCP server Spoofing | “Better get that ‘business package’, otherwise you’ll have to do without a domain name. I mean, no one uses those, right?” |
| 123 | UDP | NTP | Both | Reflective DDOS | Want to host a time server? You know, a fun hobby to get into networking? Too bad requesting the time of day is now known as a ‘ddos’ |
| 135/139 | UDP | NetBios | Both | Worms, Malware | There is no reason to have these ports open. Anyone who is smart enough to deal with these ports knows that. |
| 445 | TCP | MS-DS SMB | Both | Worms, Malware | “Ayy buddy, we see you still haven’t got that business package, that’s fine, just don’t try to work with more than one Windows computer” |
| 520 | UDP | RIPv1 | Both | Reflective DDOS | Again, no one has any reason to have this port open for this particular protocol. |
| 1900 | UDP | SSDP | Both | Reflective DDOS | Prevents users from setting up high-anonymity VPNs. |
| 3479 | TCP | Twrpc | Both | “End user device instability” | …The PlayStation Network port. Prevents players from hosting custom servers. What the hell does “End user device instability” mean? You’re about to see why they don’t give you an actual reason… |
| 7547 | TCP | CWMP | Inbound | “End user device instability” | This one’s special. CWMP is a protocol used to control modems and routers. Notice how “Outbound” is allowed; this means the router is talking to AT&T. And at any time they may access your router, network, and computer files. How’s that for “protecting our customer”? |
| 61001 | TCP | IPDR | Inbound | “End user device instability” | Same as CWMP, a port that causes your router to obey the ISP’s demands instead of the customer’s. See “PCI Compliance”. |

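The hour of debugging described at the top of the post is avoidable if the ISP’s block list is checked first. The following Python script is an added example (not code from the original post or from AT&T): it transcribes the table above into a lookup and reports, for a set of ports you intend to forward, which ones the ISP barricades inbound and why, plus the two management ports the post ties to PCI scan failures. The port-forward list, the `check_forwards` and `management_ports` helpers and the `Barricade` class are assumptions made for the illustration.

```python
"""Cross-check ports you plan to expose against an ISP's published block list.

Added example, not code from the original post. The BARRICADES list is
transcribed from the post's table; everything else here is an assumption
made for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Barricade:
    port: int
    proto: str          # "tcp" or "udp"
    direction: str      # "inbound", "outbound" or "both"
    service: str
    stated_reason: str  # the ISP's "threat" column


# Transcribed from the post's table (the 135/139 row split into two rows).
BARRICADES = [
    Barricade(0, "tcp", "both", "Reserved", "Reserved port"),
    Barricade(19, "udp", "both", "Chargen", "Reflective DDoS"),
    Barricade(25, "udp", "outbound", "SMTP", "Spam, malware"),
    Barricade(68, "udp", "outbound", "BOOTP", "DHCP server spoofing"),
    Barricade(123, "udp", "both", "NTP", "Reflective DDoS"),
    Barricade(135, "udp", "both", "NetBIOS", "Worms, malware"),
    Barricade(139, "udp", "both", "NetBIOS", "Worms, malware"),
    Barricade(445, "tcp", "both", "MS-DS SMB", "Worms, malware"),
    Barricade(520, "udp", "both", "RIPv1", "Reflective DDoS"),
    Barricade(1900, "udp", "both", "SSDP", "Reflective DDoS"),
    Barricade(3479, "tcp", "both", "Twrpc", "End user device instability"),
    Barricade(7547, "tcp", "inbound", "CWMP", "End user device instability"),
    Barricade(61001, "tcp", "inbound", "IPDR", "End user device instability"),
]

# Services the post says the ISP uses to manage the gateway and that the
# PCI scan flags (CWMP and IPDR).
MANAGEMENT_SERVICES = {"CWMP", "IPDR"}


def find_barricade(port, proto, direction):
    """Return the Barricade that applies to this port/protocol in the given
    traffic direction ("inbound" for something you host, "outbound" for
    something you connect to), or None if the ISP list does not cover it."""
    proto = proto.lower()
    direction = direction.lower()
    for b in BARRICADES:
        if b.port == port and b.proto == proto:
            if b.direction == "both" or b.direction == direction:
                return b
    return None


def check_forwards(forwards):
    """forwards: iterable of (port, proto) you intend to open on your router.
    Returns the entries the ISP blocks inbound, each with the service name and
    the ISP's stated reason, so you know before debugging your own firewall."""
    blocked = []
    for port, proto in forwards:
        b = find_barricade(port, proto, "inbound")
        if b is not None:
            blocked.append((port, proto.lower(), b.service, b.stated_reason))
    return blocked


def management_ports():
    """Ports the post ties to PCI scan failures on the residential gateway."""
    return sorted(b.port for b in BARRICADES if b.service in MANAGEMENT_SERVICES)


if __name__ == "__main__":
    # Constructed example: a game server, a web server, an SSDP service and
    # an SMB share you hoped to reach from outside.
    wanted = [(3479, "tcp"), (8080, "tcp"), (1900, "udp"), (445, "tcp")]
    for port, proto, service, reason in check_forwards(wanted):
        print(f"{port}/{proto} ({service}) is barricaded inbound: {reason}")
    print("Management ports a PCI scan will report:", management_ports())
```

Direction matters in the lookup: port 25 appears in the table as an outbound-only block, so `find_barricade(25, "udp", "inbound")` returns nothing while the outbound query matches. Anything not on the list (the web server on 8080 here) is left to your own firewall debugging.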
Quick comment about ‘Threats’
As you can see, they simply put scary buzzwords such as DDOS, Worms, and Malware on nearly all of these barricades as an attempt to justify limiting your freedom.
This reminds me of the phrase “for your safety”, a phrase all should fear. What AT&T is doing is playing big brother, “protecting you from you”, when in reality they want to control businesses and squeeze every penny out of startups.
Big cable is once again destroying, or in more violent terms castrating, innovation for the sake of money. Even worse, they’re using the worst excuse of all, “safety and protection”, to deceptively justify it. Once people start to complain about this, they’ll start trying to prove these measures are there to increase internet speeds for the customer, again admitting the complete opposite of their intentions.
If they really want to protect their network, they should remove all the network barricades; then, if they see a residential customer sending thousands of emails a second, simply send them a warning. This will allow the customer to stop what they’re doing or face contract termination. That way, the first amendment is still intact and AT&T can still have control over their network.
Others argue that these barricades are well in place as far as preventing spam goes, and that customers can remove the barricades simply by contacting their ISPs. To that I say, “have you ever tried to contact an ISP..?”
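The “warn instead of block” approach proposed above is a rate check over connection records rather than a port filter. The Python script below is an added example (not the post’s code and not anything AT&T runs) that shows what such a check looks like: it counts outbound TCP port-25 connections per source address in one-second windows and produces a warning only for hosts that exceed a threshold, leaving ordinary mail and all other traffic untouched. The flow-record format, the sample traffic and the `smtp_burst_sources` and `warning_message` helpers are constructed for the illustration.

```python
"""Warn on outbound SMTP bursts instead of blanket-blocking port 25.

Added example, not code from the original post. The flow-record format
and the sample traffic below are constructed for illustration.
"""
from collections import defaultdict


def make_sample_flows():
    """Constructed sample: 10.0.0.5 opens 150 SMTP connections within one
    second (the burst the post's warning is meant to catch), 10.0.0.7 sends
    three ordinary mails, and 10.0.0.5 also does some unrelated web traffic."""
    lines = []
    for i in range(150):
        lines.append(f"1700000000.{i:03d} 10.0.0.5 203.0.113.{i % 200 + 1} 25 tcp")
    for i in range(3):
        lines.append(f"170000000{i + 1}.500 10.0.0.7 203.0.113.50 25 tcp")
    lines.append("1700000000.900 10.0.0.5 198.51.100.8 443 tcp")
    return "\n".join(lines)


def parse_flows(text):
    """Yield (timestamp, src_ip, dst_ip, dst_port, proto) per record line.
    Record format (constructed): '<epoch.frac> <src> <dst> <dport> <proto>'."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        ts, src, dst, dport, proto = parts
        yield float(ts), src, dst, int(dport), proto.lower()


def smtp_burst_sources(flows, threshold, window=1.0, port=25):
    """Return {src_ip: peak} for sources whose outbound TCP connections to
    `port` in any single window of `window` seconds exceed `threshold`.
    Flows to other ports are ignored, so browsing never counts against a host."""
    counts = defaultdict(int)  # (src, window bucket) -> connections
    for ts, src, _dst, dport, proto in flows:
        if dport == port and proto == "tcp":
            counts[(src, int(ts // window))] += 1
    peak = defaultdict(int)
    for (src, _bucket), n in counts.items():
        peak[src] = max(peak[src], n)
    return {src: n for src, n in peak.items() if n > threshold}


def warning_message(src, peak, threshold):
    """The warning the post proposes sending instead of a silent block."""
    return (f"{src}: {peak} outbound SMTP connections in one second exceeds "
            f"the residential limit of {threshold}; stop or risk termination")


if __name__ == "__main__":
    bursts = smtp_burst_sources(parse_flows(make_sample_flows()), threshold=100)
    for src, peak in bursts.items():
        print(warning_message(src, peak, 100))
```

The threshold is the policy knob: with it set at 100 connections per second the bursting host is reported and the host sending three mails is not, and raising it to 200 reports nobody. The check never touches the port itself, which is the distinction the post draws between a warning and a barricade.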