M$SQL cleanup incentives

• Previous message (by thread): M$SQL cleanup incentives
• Next message (by thread): M$SQL cleanup incentives
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 21 Feb 2003, William Allen Simpson wrote:

> I've been pretty disappointed with some of the responses on this issue.

:-)

> I'm of the technical opinion that everyone will need to filter outgoing
> 1434 udp forever.

Forget it. That's a port used for legitimate traffic. Besides, filtering
on port numbers is a flawed proposition to begin with. The fact that it
more or less works is just luck. Too bad we can't filter on competence.

> Now, some folks have expressed the opinion we should just all drop
> filters and let the infected machines DoS our networks, hoping against
> experience that the miscreant customers will notice their bad machines
> and fix them promptly.

> That's technically incompetent!

Thank you. I agree that at this time it is often not feasible to simply
not filter. But that's certainly the place I want to be in the future.
If a customer wants to spew out 50 Mbps worth of UDP I don't want that
to influence my network. So either I forward the traffic and the
customer pays for the bandwidth or I rate limit it and they live with
the packet loss.

> For one thing, experience shows that the miscreant won't notice they're
> infected for DAYS!  Why do you think there are 20K+ still infected?

Most of those are dial-up so their traffic isn't all that much and
they're hard to track down. Depending on how the OS works, such a host
may not even experience a very significant slowdown.

> For another thing, I'm happy for all those of you that have such huge
> resources to overspecify your networks and equipment.  The rest of us
> were swamped.  We don't have any (that's right: zero zip nil) M$
> machines in the operational network (only Linux, *BSD, Macs), and we
> still lost all accounting, network management, and basic services,
> until the border filters were in place.

Strange.

By the way: I manage ~ 4 networks. One just upgraded to "huge resources"
and they didn't feel the extra 100 Mbps traffic from two infected
customer boxes (I filtered it anyway, good netizen as I am). Another has
more or less adequate resources; one router also had 2 infected boxes on
the local network but this one could handle it. The next router (behind
a 1:3 funnel) had a meltdown even though the hardware is identical.
Always use CEF, kids. Two other networks are more or less underpowered,
but no real trouble (one also with two infected boxes).

• Previous message (by thread): M$SQL cleanup incentives
• Next message (by thread): M$SQL cleanup incentives
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]