Comment by virgulino
10 days ago
Never mind telnetd. Tier 1 transit providers doing port filtering is EXTREMELY alarming. They have partitioned the Internet, and in a way that automatic routing (BGP) can't get around.
> Tier 1 transit providers doing port filtering is EXTREMELY alarming.
I was admining a small ISP when blaster and its variants hit. Port filtering 139 and the rest was the easiest way to deal with it, and almost over night most of the ISPs blocked it, and we were better for it. There was a time when if you'd put a fresh XP install on the Internet you'd get 5-10 minutes until it would get restarted.
I guess if you're really an admin that needs telnet, you can move it to another port and go around it? Surely you'd tunnel that "old box that needs to stay alive" if that's the usecase? Is there anyone seriously running default telnet on 23 and is really affected by this filtering?
Lots of text games - MUDs - still play over telnet using dedicated MUD clients that implement their own telnet stack. Outright blocking the port has an outsized side effect on them, this is simply not right.
Hosted roguelikes have been using ssh for at least 15 years. It's probably time for MUD folks to consider this.
If MUDs and other games were indeed using port 23/tcp for player access, they were not only incorrect but rather dangerous.
Since 23/tcp is a well-known IANA-registered port for the Telnet service, it is an RFC violation to use it for a service that is not telnetd/remote logins via TELNET protocol.
Any port below 1024 signifies that it is a "privileged port". This is an archaic distinction that developed in high-trust R&E networks, but it did signify that the listener on the port had administrative/root access to spawn a service there, so it was kind of a signal that you could "trust" the remote server with your login credentials.
The privileged ports were also priority, because if the unprivileged ones were "first come, first served" for unprivileged users, the administrator would have the ability to enforce the uniqueness of "privileged ports", and disable or kill any process that shouldn't be using one. A MUD Wizard who finds their port in-use (bound) on start is on their own.
Typically there were no MUDs running with, or needing, root privileges. They were run under user accounts, or specific unprivileged role accounts. They had no need of a privileged port, and many were clandestine or unauthorized, and forced to use a higher port number. That's why the 4-digit ports became so popular.
Anyway, the custom has already developed of blocking port 23 to protect users from unwittingly opening a management or login interface. Most shrewd admins would choose a port that isn't routinely blocked and filtered... and port-scanned.
If your favorite MUD runs on port 23 today, such as nethack or something, then I am glad for this change, which will force the administrator to select a unique port that does not imply privilege, TELNET protocol, or shell login credentials. It is totally RFC-compliant to select an unassigned port above 1023, and MUD conventions have popularized several numbers that are still recognizable to players today.
The GP's concern isn't a practical one, it's ultimately about net neutrality. It's not the ISP's job to discriminate against traffic—it's their job to deliver it.
This may seem like a good idea, and frankly is likely a net-positive thing, but it is literally the definition of "ISP decides what apps its customers can and cannot use."
I share the concern and don't really like it either.
It's not a net-neutrality issue because they're not banking on any alternative.
Net-neutrality law doesn't work like that. Service providers still get to filter stuff.
What's illegal for an ISP is e.g. to give VoIP services other than their own a lower priority. That would tie in customers to use their own service and they could even charge more for it. Net neutrality means a level playing field for services on the Internet.
If you ask your ISP to do filtering, that's perfectly legal. If they filter specific traffic for the purpose of maintaining service, that's okay too.
Now if there was no alternative and they'd try to sell their product by blocking telnet, they could be sued.
There is some merit to the end user ISPs doing that - for example one I used before filtered SMTP traffic (and iirc some other) to the client unless you opted out from it.
Which was a mildly annoying workaround for the power users (disabling it was just changing the ppp login), but stopped a lot of accidentally open relays and a lot of other cruft.
I run a PDP-10 during the colder parts of the year. It's for historical preservation reasons. There are others doing the same thing. We still offer telnet access because that's how it worked back then. I guess we aren't going to be doing that anymore.
If you can get it on IPv6, maybe via a gateway, port 23 filtering doesn't seem to be applied to IPv6 yet! (I assume because the v6 address space is too large to mass scan?)
Changes like these lend even more credibility to the approach of putting everything on port 443 over TLS, and distinguishing protocols based on hostname / HTTP path.
Wireguard over 443/udp is also a neat trick. No need to make it look like quic although I wouldn't be surprised if someone takes the effort to make it that stealthy.
If everything was on port 443, why would we even need ports?
The ports are there for a reason, it is idiotic to serve everything over http as you would need a mechanism to distinguish the different flows of traffic anyhow.
> There was a time when if you'd put a fresh XP install on the Internet you'd get 5-10 minutes until it would get restarted.
This is still true, though 5-10 minutes is slightly pessimistic. Source: https://youtu.be/6uSVVCmOH5w
TL;DW - Guy installs XP and makes it internet accessible, only takes 15 minutes before the first malware appears on it.
I do not know what is more critical: the risk of censorship, or standing by while hospitals, banking, nuclear power plants and other systems become compromised and go down with people dying because of it. These decision makers not only have powers but also have a responsibility.
Have you ever seen a hospital, a bank, or a power plant expose telnetd to the public internet in the last 20 years? It should be extremely rare and should be addressed by the company's IT, not by ISPs.
These are the institutions I would most expect to do that.
Well, maybe not a bank.
Probably Tier 1 providers have some insight on this.
This feels more akin to discovering an alarming weakness in the concrete used to build those hospitals, banks and nuclear power plants – and society responding by grounding all flights to make sure people can't get to, and thus overstress, the floors of those hospitals, banks and nuclear power plants.
In the UK we have in fact discovered an alarming weakness in the concrete used to build schools, hospitals and other public buildings (in one case, the roof of a primary school collapsed without warning). The response was basically "Everybody out now".
https://en.wikipedia.org/wiki/2023_United_Kingdom_reinforced...
https://www.theconstructionindex.co.uk/news/view/raac-crisis...
https://www.theguardian.com/education/2023/aug/31/what-is-ra...
You feel it's similar because having access to port 23 is similarly life critical as having access to a hospital? Or is it because, like with ports, when people can't fly to a hospital, they have 65000 other alternative options?
nah, that's like seeing an open gate to a nuclear tank - a thing easily fixed within a few minutes - and responding to it by removing every road in existence that can bear cars
Censorship is one of these words that get slapped on anything.
Filtering one port is not censorship. Not even close.
> censorship, the suppression or removal of writing, artistic work, etc. that are considered obscene, politically unacceptable, or a threat to security
It is not the responsibility of the Tier 1 or the ISP to configure your server securely, it is their responsibility to deliver the message. Therefore it is an overreach to block it because you might be insecure. What is next. They block the traffic to your website because you run PHP?
Similar to how the mailman is obligated to deliver your letter at address 13 even though he personally might be very superstitious and believe by delivering the mail to that address bad things will happen.
If that really affects them it's better to take them offline.
This simply isn't happening, and we have the data to prove it: https://www.terracenetworks.com/blog/2026-02-11-telnet-routi...
> The sky is not falling.
Great analysis, thank you!
New thread: Reports of Telnet's Death Have Been Greatly Exaggerated https://news.ycombinator.com/item?id=46980355
Port 23 has been filtered by most providers for decades.
This is why everything converges on using TLS over 443 or a high port number. I don't see this as a huge deal, and especially not one deserving all caps rants about censorship. Save those for things like FOSTA/SESTA.
Not by tier 1 transit providers. You pay those to deliver your packets, no matter what.
So basically the same as censorship because that is the exact same thing blocking ports does.
Not to mention filtering on UDP vs TCP, which makes using anything else impossible. Not that I have one, but it's just a bit in a field, why filter on it?
I can connect with the GNU telnet client via the Spectrum ISP to servers in both Seattle and the Netherlands.
It doesn’t matter what client you use.
Is it on port 23/tcp, and what are the ASNs?
The report specifically says that cloud networks like VPS, AWS seemed exempt.
Yes, port 23/tcp
From ASN AS11427 (Charter Communications Inc) to ASN AS12859 (BIT BV) and to ASN AS14361 (HopOne Internet Corporation)
(edit: formatting)
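The exchange above hinges on a question that comes up repeatedly in the thread: is 23/tcp actually being dropped on a given path, or is there simply nothing listening? A connection refused (RST) and a silent drop (timeout) look the same to a user who "can't telnet", but they mean different things: the first says the host is reachable and no telnetd is bound, the second is what transit filtering of the kind the thread worries about would produce. The following is an added example, not code from any commenter or from the Terrace Networks report; it classifies TCP reachability into open / closed / filtered / unreachable and includes a helper for the "privileged port below 1024" distinction discussed earlier in the thread. The loopback listener it spins up is a constructed fixture so the script runs offline; the host and port names passed on the command line are assumptions for illustration.

```python
"""Classify TCP reachability of host:port as open / closed / filtered / unreachable.

Added example (not part of the thread). A refused connection and a silently
dropped SYN are the two outcomes a "telnet is dead" observer must tell apart.
"""
import socket
import sys
import threading

PRIVILEGED_MAX = 1023  # 0-1023 are "privileged" ports on Unix-like systems


def is_privileged_port(port: int) -> bool:
    """True for the historically root-only port range (e.g. 23/tcp)."""
    return 0 <= port <= PRIVILEGED_MAX


def classify_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Attempt a TCP handshake and report what the network told us.

    open        -> handshake completed, something is listening
    closed      -> RST received: host reachable, nothing bound on the port
    filtered    -> no answer within the timeout: SYN (or SYN/ACK) was dropped
    unreachable -> local stack reported no route / network down
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError as exc:
        # e.g. ENETUNREACH / EHOSTUNREACH: the packet never left us
        return "unreachable"


def start_loopback_listener() -> tuple[socket.socket, int]:
    """Constructed fixture: bind an ephemeral port on 127.0.0.1 and listen.

    The kernel completes handshakes for a listening socket even before
    accept() is called, so classify_tcp() will see it as 'open'.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def demo_open_then_closed() -> tuple[str, str]:
    """Show both outcomes on loopback: open while listening, closed after."""
    srv, port = start_loopback_listener()
    try:
        while_listening = classify_tcp("127.0.0.1", port, timeout=1.0)
    finally:
        srv.close()
    after_close = classify_tcp("127.0.0.1", port, timeout=1.0)
    return while_listening, after_close


if __name__ == "__main__":
    # Usage: python reach.py <host> [port]   (host/port are the user's choice)
    if len(sys.argv) >= 2:
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 23
        verdict = classify_tcp(host, port)
        priv = "privileged" if is_privileged_port(port) else "unprivileged"
        print(f"{host}:{port}/tcp ({priv} port): {verdict}")
    else:
        print("loopback demo (open, closed):", demo_open_then_closed())
```

When comparing paths, run the same check against a host you control from two vantage points (for instance a residential line and a VPS, which commenters above report behave differently); a "closed" from one and "filtered" from the other is the signature of an in-path drop rather than of a missing telnetd.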