North American Network Operators Group


Re: M$SQL cleanup incentives

  • From: jlewis
  • Date: Sat Feb 22 16:29:01 2003

On Sat, 22 Feb 2003, Doug Clements wrote:

> The issue I had with your argument is "forever". You should realize as well
> as anyone that the course of software development and implementation will
> mitigate the threats of the slammer worm until it's nothing more than a bad
> memory.

Unlikely in this case.  A reasonably fast system infected with slammer is 
capable of generating enough traffic to make the Cisco 2900XL switch it's
plugged into incapable of passing normal traffic.  All it takes is one
infected customer's system to really foul up the network it's attached to.  
The only plus side is, this is perfect justification to management for 
replacing any switches customers connect to with newer ones that (at least 
claim to) do per-port rate limiting.  If your network is able to contain 
slammer-infected boxes without melting down, who cares if you have a few
infected customers?  You don't need to filter, and they'll all be 
encouraged to fix their systems sooner.

I set up inbound 1434/udp filters the 3rd time we had a customer (different
ones each time) get (re-?)infected weeks after the initial outbreak.  
Sure, some DNS replies and assorted other packets will get dropped, but
AFAIK, nobody has complained or even noticed...and we've had no more
re-infections since the filters were put in place.

I don't believe we'll have to filter 1434/udp forever, but I plan to leave 
the filters in place until we no longer need them or until they hurt more 
than they help.

----------------------------------------------------------------------
 Jon Lewis *[email protected]*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |  
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________