
Re: M$SQL cleanup incentives
From: Iljitsch van Beijnum <iljitsch () muada com>
Date: Sat, 22 Feb 2003 02:25:39 +0100 (CET)

On Fri, 21 Feb 2003, William Allen Simpson wrote:

> I've been pretty disappointed with some of the responses on this issue.
>
> I'm of the technical opinion that everyone will need to filter outgoing
> 1434 udp forever.

Forget it. That's a port used for legitimate traffic. Besides, filtering
on port numbers is a flawed proposition to begin with. The fact that it
more or less works is just luck. Too bad we can't filter on competence.

> Now, some folks have expressed the opinion we should just all drop
> filters and let the infected machines DoS our networks, hoping against
> experience that the miscreant customers will notice their bad machines
> and fix them promptly.
>
> That's technically incompetent!

Thank you. I agree that at this time it is often not feasible to simply
not filter. But that's certainly the place I want to be in the future.
If a customer wants to spew out 50 Mbps worth of UDP I don't want that
to influence my network. So either I forward the traffic and the
customer pays for the bandwidth or I rate limit it and they live with
the packet loss.

> For one thing, experience shows that the miscreant won't notice they're
> infected for DAYS!  Why do you think there are 20K+ still infected?

Most of those are dial-up so their traffic isn't all that much and
they're hard to track down. Depending on how the OS works, such a host
may not even experience a very significant slowdown.

> For another thing, I'm happy for all those of you that have such huge
> resources to overspecify your networks and equipment.  The rest of us
> were swamped.  We don't have any (that's right: zero zip nil) M$
> machines in the operational network (only Linux, *BSD, Macs), and we
> still lost all accounting, network management, and basic services,
> until the border filters were in place.

By the way: I manage ~ 4 networks. One just upgraded to "huge resources"
and they didn't feel the extra 100 Mbps traffic from two infected
customer boxes (I filtered it anyway, good netizen as I am). Another has
more or less adequate resources; one router also had 2 infected boxes on
the local network but this one could handle it. The next router (behind
a 1:3 funnel) had a meltdown even though the hardware is identical.
Always use CEF, kids. Two other networks are more or less underpowered,
but no real trouble (one also with two infected boxes).
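The two options argued over in this message, a border filter that drops outbound UDP/1434 (the port the MS SQL worm of January 2003 floods) versus a per-customer rate limit that lets the customer eat the packet loss, written out as Cisco IOS configuration. This is an added example, not configuration from the original post or from anyone in the NANOG thread; the interface names, the ACL numbers and the 256 kbps rate and burst sizes are assumptions picked for illustration.

```cisco
! Added example, not from the original post. Interface names, ACL numbers,
! the rate and the burst sizes are assumptions.
!
! CEF keeps forwarding in the fast path under a flood of small UDP packets;
! a process-switched router is the one that melts down behind a funnel.
ip cef
!
! Option 1: the border filter. Drop every outbound UDP datagram whose
! destination port is 1434 on the upstream interface. This also drops
! legitimate SQL Server Resolution Service traffic, which is the objection
! raised in the reply above.
access-list 102 deny   udp any any eq 1434
access-list 102 permit ip any any
!
interface Serial0/0
 description upstream transit (assumed interface name)
 ip access-group 102 out
!
! Option 2: rate limit instead of filter. Classify UDP/1434 arriving from
! the customer LAN and cap it with committed access rate (CAR): conforming
! packets are forwarded, excess is dropped. The customer sees loss on that
! port; the provider network does not see the flood. 256000 bps with
! 8000-byte normal and maximum bursts are assumed values.
access-list 101 permit udp any any eq 1434
!
interface FastEthernet1/0
 description customer LAN (assumed interface name)
 rate-limit input access-group 101 256000 8000 8000 conform-action transmit exceed-action drop
```

To confirm either option is actually catching traffic, `show access-lists 102` reports per-entry match counts for the filter, and `show interfaces FastEthernet1/0 rate-limit` reports conformed and exceeded byte counts for the CAR policy. Both ACLs match on destination port only, which is all a stateless port filter can do; this is exactly the weakness the reply points at when it calls port-number filtering a flawed proposition that only works by luck.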
