Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: M$SQL cleanup incentives

  • From: Iljitsch van Beijnum
  • Date: Fri Feb 21 20:27:17 2003

On Fri, 21 Feb 2003, William Allen Simpson wrote:

> I've been pretty disappointed with some of the responses on this issue.


> I'm of the technical opinion that everyone will need to filter outgoing
> 1434 udp forever.

Forget it. That's a port used for legitimate traffic. Besides, filtering
on port numbers is a flawed proposition to begin with. The fact that it
more or less works is just luck. Too bad we can't filter on competence.

> Now, some folks have expressed the opinion we should just all drop
> filters and let the infected machines DoS our networks, hoping against
> experience that the miscreant customers will notice their bad machines
> and fix them promptly.

> That's technically incompetent!

Thank you. I agree that at this time it is often not feasible to simply
not filter. But that's certainly the place I want to be in the future.
If a customer wants to spew out 50 Mbps worth of UDP I don't want that
to influence my network. So either I forward the traffic and the
customer pays for the bandwidth or I rate limit it and they live with
the packet loss.

> For one thing, experience shows that the miscreant won't notice they're
> infected for DAYS!  Why do you think there are 20K+ still infected?

Most of those are dial-up so their traffic isn't all that much and
they're hard to track down. Depending on how the OS works, such a host
may not even experience a very significant slowdown.

> For another thing, I'm happy for all those of you that have such huge
> resources to overspecify your networks and equipment.  The rest of us
> were swamped.  We don't have any (that's right: zero zip nil) M$
> machines in the operational network (only Linux, *BSD, Macs), and we
> still lost all accounting, network management, and basic services,
> until the border filters were in place.


By the way: I manage ~ 4 networks. One just upgraded to "huge resources"
and they didn't feel the extra 100 Mbps traffic from two infected
customer boxes (I filtered it anyway, good netizen as I am). Another has
more or less adequate resources; one router also had 2 infected boxes on
the local network but this one could handle it. The next router (behind
a 1:3 funnel) had a meltdown even though the hardware is identical.
Always use CEF, kids. Two other networks are more or less underpowered,
but no real trouble (one also with two infected boxes).

Discussion Communities

About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home

Merit Network, Inc.