North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: M$SQL cleanup incentives
- From: Iljitsch van Beijnum
- Date: Fri Feb 21 20:27:17 2003
On Fri, 21 Feb 2003, William Allen Simpson wrote:
> I've been pretty disappointed with some of the responses on this issue.
> I'm of the technical opinion that everyone will need to filter outgoing
> 1434 udp forever.
Forget it. That's a port used for legitimate traffic. Besides, filtering
on port numbers is a flawed proposition to begin with. The fact that it
more or less works is just luck. Too bad we can't filter on competence.
> Now, some folks have expressed the opinion we should just all drop
> filters and let the infected machines DoS our networks, hoping against
> experience that the miscreant customers will notice their bad machines
> and fix them promptly.
> That's technically incompetent!
Thank you. I agree that at this time it is often not feasible to simply
not filter. But that's certainly the place I want to be in the future.
If a customer wants to spew out 50 Mbps worth of UDP I don't want that
to influence my network. So either I forward the traffic and the
customer pays for the bandwidth or I rate limit it and they live with
the packet loss.
> For one thing, experience shows that the miscreant won't notice they're
> infected for DAYS! Why do you think there are 20K+ still infected?
Most of those are dial-up so their traffic isn't all that much and
they're hard to track down. Depending on how the OS works, such a host
may not even experience a very significant slowdown.
> For another thing, I'm happy for all those of you that have such huge
> resources to overspecify your networks and equipment. The rest of us
> were swamped. We don't have any (that's right: zero zip nil) M$
> machines in the operational network (only Linux, *BSD, Macs), and we
> still lost all accounting, network management, and basic services,
> until the border filters were in place.
By the way: I manage ~ 4 networks. One just upgraded to "huge resources"
and they didn't feel the extra 100 Mbps traffic from two infected
customer boxes (I filtered it anyway, good netizen as I am). Another has
more or less adequate resources; one router also had 2 infected boxes on
the local network but this one could handle it. The next router (behind
a 1:3 funnel) had a meltdown even though the hardware is identical.
Always use CEF, kids. Two other networks are more or less underpowered,
but no real trouble (one also with two infected boxes).