North American Network Operators Group


Re: Where are static bogon filters appropriate? was: 96.2.0.0/16 Bogons

  • From: Sean Donelan
  • Date: Fri Mar 09 14:01:34 2007

On Tue, 6 Mar 2007, Mikael Abrahamsson wrote:
> Customer gets hacked, one of their boxen starts spewing traffic with spoofed addresses. The way I understand your solution is to automatically shut their port and disrupt all their traffic, and have them call customer support to get any further.
>
> Do you really think this is a good solution?
>
> I don't see any customer with a choice continuing having a relationship with me if I treat them like that. It will cost me and them too much.
>
> So instead I just drop their spoofed traffic and if they call and say that their line is slow, I'll just say it's full and they can themselves track down the offending machine and shut it off to solve the problem.

Compromised systems rarely have one thing wrong with them, and delaying the pain just makes things worse.

Drop spoofed traffic, and they send non-spoofed packets.
Block port 25, and they send Slammer on port 1434.
Block Messenger port 1025, and they send DNS DoS on port 53.
Block IRC bot port 6667, and they send VoIP spam on port 5060.
And so on and so on.

<http://www.washingtonpost.com/wp-dyn/content/article/2007/03/08/AR2007030802012.html>
   The fast-spreading virus infected as many as 200 county computers
   Wednesday, and technicians shut down the entire network for Anne
   Arundel offices for more than 24 hours.

http://msmvps.com/blogs/donna/archive/2006/02/12/83332.aspx
   One day last year, things started going haywire at Northwest Hospital
   and Medical Center. Key cards would no longer open the operating-room
   doors; computers in the intensive-care unit shut down; doctors' pagers
   wouldn't work.

   It turns out the Seattle hospital's computers -- along with up to 50,000
   others across the country -- had been turned into an army of robots
   controlled by 20-year-old

Caused by "known" vulnerabilities with patches available, but the customers decided it wasn't "important" enough to take action before they lost everything.


Is it really customer service to avoid the issue?
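The argument above, that a compromised customer host rarely shows only one symptom and that filtering one port at a time just moves the problem, can be turned into a triage rule. The following is an added example, not code from the original message or from NANOG: it runs a uRPF-style spoofing check (source address outside the customer's assigned prefix) and looks for the other abuse signatures the message lists over constructed flow records, then escalates from dropping the offending traffic to shutting the port once more than one distinct symptom is present. The prefixes are documentation ranges, the flow records are constructed, and the signature labels and packet threshold are assumptions of this example.

```python
# Added example for this thread (not code from the original message or from
# NANOG): a triage pass over flow records from one customer port. It applies
# a uRPF-style spoofing check (source address outside the customer's assigned
# prefix), looks for the abuse signatures the message lists, and escalates
# from "filter" to "quarantine" once more than one symptom is present.
# Prefixes are documentation ranges; labels and thresholds are assumptions.
import ipaddress
from collections import defaultdict

# Constructed: the customer's assigned prefix (RFC 5737 documentation range).
CUSTOMER_PREFIX = ipaddress.ip_network("192.0.2.0/24")

# Abuse signatures the message names, keyed by (protocol, destination port).
# The labels are ours, not a standard taxonomy.
SIGNATURES = {
    ("tcp", 25): "smtp-burst",
    ("udp", 1434): "slammer",
    ("udp", 53): "dns-dos",
    ("tcp", 6667): "irc-bot",
    ("udp", 5060): "voip-spam",
}

# Constructed flow records: (src_ip, dst_ip, proto, dst_port, packets).
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.1", "udp", 53, 5000),    # DNS flood, genuine source
    ("203.0.113.77", "198.51.100.2", "udp", 53, 5000),  # DNS flood, spoofed source
    ("10.0.0.1", "198.51.100.3", "tcp", 80, 200),       # spoofed source, any port
    ("192.0.2.10", "198.51.100.4", "tcp", 25, 900),     # outbound SMTP burst
    ("192.0.2.10", "198.51.100.5", "udp", 1434, 300),   # Slammer-style probes
    ("192.0.2.20", "198.51.100.6", "tcp", 443, 40),     # ordinary HTTPS, benign
]


def is_spoofed(src_ip, prefix=CUSTOMER_PREFIX):
    """uRPF-style check: a source outside the customer's prefix cannot
    legitimately originate on this port, so the packet is spoofed."""
    return ipaddress.ip_address(src_ip) not in prefix


def classify_flows(flows, prefix=CUSTOMER_PREFIX, min_packets=250):
    """Return {host: set(symptom)}. Spoofed flows cannot be attributed to a
    host (the source is forged), so they are recorded against the port."""
    symptoms = defaultdict(set)
    for src, _dst, proto, dport, packets in flows:
        if is_spoofed(src, prefix):
            symptoms["<port>"].add("spoofing")
            continue
        label = SIGNATURES.get((proto, dport))
        if label and packets >= min_packets:
            symptoms[src].add(label)
    return dict(symptoms)


def recommend(symptom_count):
    """Escalate with the number of distinct symptoms: one symptom is dropped
    and reported, two or more mean the host is compromised and the port is
    shut until the customer calls."""
    if symptom_count == 0:
        return "none"
    if symptom_count == 1:
        return "filter"
    return "quarantine"


def triage(flows, prefix=CUSTOMER_PREFIX, min_packets=250):
    """Summarise one customer port: symptoms per host, all distinct symptoms
    seen on the port, and the recommended response."""
    per_host = classify_flows(flows, prefix, min_packets)
    all_symptoms = set().union(*per_host.values())
    return {
        "hosts": {host: sorted(s) for host, s in per_host.items()},
        "symptoms": sorted(all_symptoms),
        "action": recommend(len(all_symptoms)),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_FLOWS)
    for host, found in sorted(result["hosts"].items()):
        print(f"{host:>14}: {', '.join(found)}")
    print("action:", result["action"])
```

On the constructed sample the port shows spoofing, a DNS flood, an SMTP burst and Slammer probes at once, so the rule returns "quarantine"; a port with a single benign-looking anomaly stays at "filter". The spoofing check is deliberately kept separate from the per-host signatures because a forged source cannot be tied to a machine, which is exactly why dropping spoofed packets alone tells the customer nothing about which box to clean.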