nanog mailing list archives

Re: M$SQL cleanup incentives
From: jlewis () lewis org
Date: Sat, 22 Feb 2003 16:26:34 -0500 (EST)

On Sat, 22 Feb 2003, Doug Clements wrote:

> The issue I had with your argument is "forever". You should realize as well
> as anyone that the course of software development and implementation will
> mitigate the threats of the slammer worm until it's nothing more than a bad

Unlikely in this case.  A reasonably fast system infected with slammer is 
capable of generating enough traffic to make the Cisco 2900XL switch it's 
plugged into incapable of passing normal traffic.  All it takes is one 
infected customer's system to really foul up the network it's attached to.  
The only plus side is, this is perfect justification to management for 
replacing any switches customers connect to with newer ones that (at least 
claim to) do per-port rate limiting.  If your network is able to contain 
slammer-infected boxes without melting down, who cares if you have a few 
infected customers?  You don't need to filter, and they'll all be 
encouraged to fix their systems sooner.

I set up inbound 1434/udp filters the 3rd time we had a customer (different
ones each time) get (re-?)infected weeks after the initial outbreak.  
Sure, some DNS replies and assorted other packets will get dropped, but
AFAIK, nobody has complained or even noticed...and we've had no more
re-infections since the filters were put in place.

I don't believe we'll have to filter 1434/udp forever, but I plan to leave 
the filters in place until we no longer need them or until they hurt more 
than they help.

 Jon Lewis *jlewis () lewis org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |  
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
