You can't get there from here - port blocking by residential ISPs

Recently I was working with one of my customers to set up the Azure Files service, a cloud-based file sharing solution from Microsoft that allows you to "mount Azure Files shares from anywhere—from on premises to the cloud—giving you a truly hybrid experience".  It's a great service offering with a lot of interesting use cases in our modern "work from anywhere" world, and it works great - unless your end users are on Rogers.  Rogers, for some reason, has decided to unilaterally block port 445, the SMB port, on all residential internet connections.  I discovered this after one of the users beta testing the solution reported it wasn't working when they were at home.  Doing a quick search, I found this Microsoft TechNet post where Eric McStravick says "I can confirm that on my router, port 445,80,443 (and all other ports for testing purposes) are open for this one server.  My ISP (Rogers Cable in Canada) has confirmed they do block 445 (as well as netbios ports, 1080 and 1433/1434 SQL access/management ports) on ALL Home and SMB services".
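When a user reports that the share "doesn't work from home", the first thing to establish is whether TCP 445 is reachable from their network at all, and how it fails. The Python script below is an added example, not code from the original post or from Microsoft: it attempts a TCP connection to the storage account's file endpoint on port 445 and, as a control, on port 443 to the same host. The storage account name is a placeholder, and the timeout and port list are my own choices. A silent timeout on 445 while 443 to the same host connects is the signature of an upstream block like the one described above; a connection refused or a DNS failure points somewhere else entirely.

```python
"""Outbound-port reachability check for an Azure Files endpoint.

Added example (not from the original post). A TCP connect attempt ends in one
of a few ways, and the difference is what matters for diagnosis:
  - "open":        handshake completed, the port is reachable
  - "refused":     the host answered with a RST, so the path is clear but
                   nothing is listening on that port
  - "filtered":    no answer before the timeout; packets are being dropped
                   silently, which is how an ISP or firewall block shows up
  - "dns-failure": the name did not resolve, so no port was ever tried
Probing a control port (443) on the same host separates "SMB is dropped on
this path" from "the host is down" or "DNS is broken".
"""
import socket
from typing import Dict, Iterable, Tuple

# Placeholder: replace with your own storage account's file endpoint.
AZURE_FILES_HOST = "mystorageaccount.file.core.windows.net"
SMB_PORT = 445
CONTROL_PORT = 443  # HTTPS to the same endpoint; used as the control


def probe_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt one TCP connection and classify how it ended."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:          # alias of TimeoutError on Python 3.10+
        return "filtered"
    except socket.gaierror:
        return "dns-failure"
    except OSError:                 # no route to host, network unreachable, ...
        return "error"


def check_host(host: str = AZURE_FILES_HOST,
               ports: Iterable[int] = (SMB_PORT, CONTROL_PORT),
               timeout: float = 3.0) -> Dict[int, str]:
    """Probe each port once and return {port: state}."""
    return {port: probe_port(host, port, timeout) for port in ports}


def diagnose(results: Dict[int, str],
             smb_port: int = SMB_PORT,
             control_port: int = CONTROL_PORT) -> str:
    """Turn the per-port results into a one-line verdict."""
    smb, ctl = results.get(smb_port), results.get(control_port)
    if smb == "open":
        return "SMB reachable: port 445 is not blocked on this path"
    if smb == "dns-failure":
        return "name resolution failed: fix DNS before blaming the ISP"
    if ctl == "open" and smb == "filtered":
        return ("port 445 silently dropped while 443 works: consistent with "
                "an upstream (ISP or firewall) block")
    if ctl != "open":
        return ("control port also unreachable: host down or general "
                "connectivity problem, not a port-specific block")
    return f"port 445 {smb}: host reachable but not serving SMB, or transient error"


def loopback_selftest(timeout: float = 1.0) -> Tuple[str, str]:
    """Sanity-check the classifier against a local listener before trusting it.

    Returns the state seen while a loopback listener is up, then the state
    seen after it is closed; expected ("open", "refused").
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_up = probe_port("127.0.0.1", port, timeout)
    listener.close()
    after_close = probe_port("127.0.0.1", port, timeout)
    return while_up, after_close


if __name__ == "__main__":
    print("selftest:", loopback_selftest())
    results = check_host()
    for port, state in sorted(results.items()):
        print(f"{AZURE_FILES_HOST}:{port} -> {state}")
    print(diagnose(results))
```

Run it once from the office network and once from the affected home connection and compare the two verdicts; the affected user should see 443 open and 445 filtered. On Windows the same check is available as a PowerShell one-liner, `Test-NetConnection -ComputerName <account>.file.core.windows.net -Port 445`, which reports TcpTestSucceeded as False when the port is dropped.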

There are good technical reasons why an ISP would seek to block port 445 - real-time tracking shows that SMB-based attacks are one of the primary vectors of malware and ransomware attacks.  The "WannaCry" ransomware attack of 2017 used an exploit in the SMB protocol to infect over 300,000 computers. A 2004 report from SANS entitled "Internet Service Providers: The Little Man's Firewall" found that allowing the common Windows ports, like SMB, across the public internet "offers little to customers, while needlessly exposing them to infection and making it more likely that ISPs will be overwhelmed by future virus outbreaks".  

That SANS report was written in 2004, in a time before the "cloud", when organizations were still utilizing on-prem file servers and access to company resources was always through a VPN connection. As we move towards zero-trust and "beyond VPN" models of remote connectivity, the idea that someone would need to tunnel traffic to access something like a file share is starting to become a thing of the past. Azure Files is a perfect example of this modern type of connectivity - a service specifically designed to work seamlessly over both public and private connections without the need for a VPN tunnel.  

Putting aside the issue of whether or not an ISP should even be able to filter ports, there is the basic fact that consumers need to be able to make informed choices.  What if your job required the use of Azure Files in order for you to work?  A customer looking for an ISP would have no idea that Rogers wouldn't be a viable choice for them.  

The Broadband Internet Technical Advisory Group (BITAG) has a great list of recommendations when it comes to ISPs and port blocking, namely:

  • ISPs should avoid port blocking unless they have no reasonable alternatives available for preventing unwanted traffic and protecting users.
  • ISPs that can reasonably provide to their users opt-out provisions or exceptions to their port blocking policies should do so.
  • ISPs should publicly disclose their port blocking policies.
  • ISPs should make communications channels available for feedback about port blocking policies.
  • Port blocking (or firewall) rules of consumers' devices should be user-configurable.

In the 2009 CRTC Policy on Internet Traffic Management, the CRTC stated that "Where any ITMPs are employed, ISPs must be transparent about their use. Consumers need this information to make informed decisions about the Internet services they purchase and use." Yet when you review the official Rogers ITMP Policy, it does not list any of these blocked ports or make any mention that they do port blocking of any kind.  Back in 2012, the CRTC found that Rogers' throttling of P2P ports violated the CRTC Internet Traffic Management Policies (ITMP) - does blocking a port outright count as well?  I would argue that it does, and that Rogers is in clear violation of the CRTC policies on internet traffic management, even if it is in the name of "protecting consumers" from internet threats.  

What we as consumers need first and foremost is transparency - as highlighted by the BITAG report, Rogers and other ISPs should clearly disclose their port blocking policies as part of their ITMP framework.  This is something the CRTC has already mandated, yet clearly Rogers and others are not following the rules.  

Secondly, consumers need some way to opt out of any filtering policies that are being applied.  It's understandable from a security perspective to "default deny" traffic, but when there is a legitimate use case, such as Azure Files, for traffic to traverse a blocked port, consumers need some way to work with their ISP to accept the known risk and unblock the traffic.  

As the Canadian ISP market continues to consolidate, consumers will have less choice when it comes to providers, so it is becoming essential that we provide consumers with transparency and an opt-out mechanism.  Without this they may find themselves unable to find an ISP that is compatible with their work environment, leaving them unable to participate in a modern cloud-first world.