Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: M$SQL cleanup incentives

  • From: William Allen Simpson
  • Date: Sat Feb 22 17:28:56 2003

Doug Clements wrote:
> I see. So you're still filtering port 25 from the Morris sendmail worm.
> 
Funny thing, I was a researcher visiting at Cornell, and had just left 
in the car for the 9.5 hour drive home when it struck.  I've often
wished I'd stuck around for a few more hours for the excitement.

Anyway, we didn't need to put in a long term block, as everyone took 
down their systems and cleaned them.  I didn't even find out about the 
problem until over a day later, by which time it was long gone.  

Ah, the days when we all cooperated....

Well, of course, there were fewer systems involved. ;-)  Then again, 
there were fewer people to fix them, too.


> The issue I had with your argument is "forever". You should realize as well
> as anyone that the course of software development and implementation will
> mitigate the threats of the slammer worm until it's nothing more than a bad
> memory.
> 
Sure.  I'll be happy to modify that *forever* to "when all M$ systems 
have been cleaned and updated."  Let us all know when that happens, 
will you?


> The first step in eradication is detection. I presume that since you're
> taking this stance, you're checking your filter logs and attempting to
> notify the appropriate parties for each hit.
> 
For some silly reason, not all operators are notifying their own 
customers, even when reported.   

Anyway, we passed the detection phase long ago, and the second step in 
eradication is quarantine.  That's what I'm talking about!


> If you're not, then our buddy trying to infect all the machines on his
> network every so often is being more effective in wiping out the worm.
> 
Fascinating.  I'm sure his legal department will have an opinion on that. 

However, we could help protect him from legal issues by adopting 
self-help as a "Best Current Practice."  Are you ready and willing to 
write up the internet-draft?


> If you "didn't" filter or "don't" filter? We definitely filtered when the
> worm first came out. We don't block port 1433 anymore (nor does any of our
> upstreams), but we still report suspicious traffic. Regardless of what
> everyone else is doing, the worm is not causing a meltdown anymore. 

The reason is that many of us are _still_ filtering.  Some who removed 
filters put them back.


> correct course of action is to remove filters as resources allow, and
> investigate infected machines as they are noticed.
> 
Unfortunately, I haven't seen a lot of investigation.  Perhaps you 
can explain why the infection rate is still the same after 3 weeks?

Anyway, I'll chalk you in the column for removing all filters, and 
hoping for the best.

-- 
William Allen Simpson
    Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32
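The detection and quarantine steps argued over in this thread, as an added example that is not code from the original post or from any participant: a script that tallies filter-log hits on the MS-SQL ports per source address, maps each source to an abuse contact so one report can go to each party, and flags sources that have hit the filter often enough to be quarantine candidates. It matches UDP/1434 (the SQL Server Resolution Service port Slammer propagated over) as well as the TCP/1433 listener mentioned in the thread. The log line format, the contact table, the addresses and the hit threshold are constructed assumptions for illustration.

```python
"""Tally filter-log hits on MS-SQL ports and group them by reporting contact.

Added example, not code from the NANOG thread. The log format (a simplified
iptables "-j LOG" style), the contact table and the addresses are constructed.
"""
import ipaddress
import re
from collections import Counter

# Sample log lines, constructed for this example.
SAMPLE_LOG = """\
Feb 22 17:01:03 border kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=UDP SPT=1041 DPT=1434 LEN=404
Feb 22 17:01:03 border kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.9 PROTO=UDP SPT=1041 DPT=1434 LEN=404
Feb 22 17:01:04 border kernel: DROP IN=eth0 SRC=192.0.2.33 DST=203.0.113.5 PROTO=TCP SPT=3322 DPT=1433 LEN=48
Feb 22 17:01:05 border kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.77 PROTO=UDP SPT=1041 DPT=1434 LEN=404
Feb 22 17:01:06 border kernel: ACCEPT IN=eth0 SRC=192.0.2.80 DST=203.0.113.5 PROTO=TCP SPT=40000 DPT=80 LEN=60
Feb 22 17:01:07 border kernel: DROP IN=eth0 SRC=192.0.2.33 DST=203.0.113.6 PROTO=TCP SPT=3323 DPT=1433 LEN=48
"""

# Slammer spread over UDP/1434 (SQL Server Resolution Service); TCP/1433 is the
# main MS-SQL listener the thread talks about. Watch both.
WATCHED = {("UDP", 1434), ("TCP", 1433)}

# Hypothetical abuse-contact table keyed by prefix; the most specific prefix wins.
CONTACTS = {
    "192.0.2.0/24": "abuse@example.org",
    "192.0.2.32/27": "noc@customer.example",
    "198.51.100.0/24": "abuse@example.net",
}

LINE_RE = re.compile(
    r"\b(?P<action>DROP|ACCEPT)\b.*?\bSRC=(?P<src>\S+)"
    r".*?\bPROTO=(?P<proto>\S+).*?\bDPT=(?P<dport>\d+)"
)


def parse_line(line):
    """Return (action, src, proto, dport) for one log line, or None if it does not parse."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["action"], m["src"], m["proto"].upper(), int(m["dport"])


def count_hits(log_text):
    """Count DROP hits per (src, proto, dport) on the watched ports only.

    Only DROP lines count: an ACCEPT to 1433 or 1434 would mean the filter is
    not actually in place on that path.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        action, src, proto, dport = rec
        if action == "DROP" and (proto, dport) in WATCHED:
            hits[(src, proto, dport)] += 1
    return hits


def contact_for(src, contacts=CONTACTS):
    """Most-specific prefix match for a source address; None if no prefix covers it."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, contact in contacts.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, contact)
    return best[1] if best else None


def build_reports(hits, contacts=CONTACTS):
    """Group hit counts by contact so a single notification goes to each party."""
    reports = {}
    for (src, proto, dport), n in sorted(hits.items()):
        who = contact_for(src, contacts) or "unknown"
        reports.setdefault(who, []).append((src, proto, dport, n))
    return reports


def quarantine_candidates(hits, threshold=3):
    """Sources whose watched-port hits reach the threshold: candidates for a
    per-host block or null route until the owner confirms the machine is clean."""
    per_src = Counter()
    for (src, _proto, _dport), n in hits.items():
        per_src[src] += n
    return sorted(s for s, n in per_src.items() if n >= threshold)


if __name__ == "__main__":
    found = count_hits(SAMPLE_LOG)
    for who, rows in build_reports(found).items():
        print(who)
        for src, proto, dport, n in rows:
            print(f"  {src} -> {proto}/{dport}: {n} hit(s)")
    print("quarantine candidates:", quarantine_candidates(found))
```

Quarantining per source host rather than per port is the point of the second step: the port filter stays as a safety net, while the handful of addresses that keep hitting it are the ones whose owners get a report and, failing a response, a null route. The threshold is deliberately low because an infected host hits the filter continuously, not once.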



