North American Network Operators Group
Re: M$SQL cleanup incentives
On Fri, 21 Feb 2003, William Allen Simpson wrote:

> I've been pretty disappointed with some of the responses on this issue.

:-)

> I'm of the technical opinion that everyone will need to filter outgoing
> 1434 udp forever.

Forget it. That's a port used for legitimate traffic. Besides, filtering on port numbers is a flawed proposition to begin with. The fact that it more or less works is just luck. Too bad we can't filter on competence.

> Now, some folks have expressed the opinion we should just all drop
> filters and let the infected machines DoS our networks, hoping against
> experience that the miscreant customers will notice their bad machines
> and fix them promptly.
>
> That's technically incompetent!

Thank you. I agree that at this time it is often not feasible to simply not filter. But that's certainly the place I want to be in the future. If a customer wants to spew out 50 Mbps worth of UDP, I don't want that to influence my network. So either I forward the traffic and the customer pays for the bandwidth, or I rate limit it and they live with the packet loss.

> For one thing, experience shows that the miscreant won't notice they're
> infected for DAYS! Why do you think there are 20K+ still infected?

Most of those are dial-up, so their traffic isn't all that much and they're hard to track down. Depending on how the OS works, such a host may not even experience a very significant slowdown.

> For another thing, I'm happy for all those of you that have such huge
> resources to overspecify your networks and equipment. The rest of us
> were swamped. We don't have any (that's right: zero zip nil) M$
> machines in the operational network (only Linux, *BSD, Macs), and we
> still lost all accounting, network management, and basic services,
> until the border filters were in place.

Strange. By the way: I manage ~4 networks. One just upgraded to "huge resources" and they didn't feel the extra 100 Mbps traffic from two infected customer boxes (I filtered it anyway, good netizen as I am). Another has more or less adequate resources; one router also had 2 infected boxes on the local network, but this one could handle it. The next router (behind a 1:3 funnel) had a meltdown even though the hardware is identical. Always use CEF, kids. Two other networks are more or less underpowered, but no real trouble (one also with two infected boxes).