M$SQL cleanup incentives
jlewis at lewis.org
Sat Feb 22 21:26:34 UTC 2003
On Sat, 22 Feb 2003, Doug Clements wrote:
> The issue I had with your argument is "forever". You should realize as well
> as anyone that the course of software development and implementation will
> mitigate the threats of the slammer worm until it's nothing more than a bad
> memory.
Unlikely in this case. A reasonably fast system infected with slammer is
capable of generating enough traffic to make the Cisco 2900XL switch it's
plugged into incapable of passing normal traffic. All it takes is one
infected customer's system to really foul up the network it's attached to.
The only plus side is, this is perfect justification to management for
replacing any switches customers connect to with newer ones that (at least
claim to) do per-port rate limiting. If your network is able to contain
slammer-infected boxes without melting down, who cares if you have a few
infected customers? You don't need to filter, and they'll all be
encouraged to fix their systems sooner.
I set up inbound 1434/udp filters the 3rd time we had a customer (different
ones each time) get (re-?)infected weeks after the initial outbreak.
Sure, some DNS replies and assorted other packets will get dropped, but
AFAIK, nobody has complained or even noticed...and we've had no more
re-infections since the filters were put in place.
I don't believe we'll have to filter 1434/udp forever, but I plan to leave
the filters in place until we no longer need them or until they hurt more
than they help.
----------------------------------------------------------------------
Jon Lewis *jlewis at lewis.org*| I route
System Administrator | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
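As an added illustration (not part of Jon's post or anything from NANOG), here is a small Python model of the two containment measures discussed above: an inbound 1434/udp ACL, including the collateral drop of legitimate replies addressed to ephemeral port 1434 that the post mentions, and per-port rate limiting that keeps one infected customer host from starving its neighbours. All addresses, packet sizes, rates and the `Packet`/`PerPortRateLimiter` names are constructed for the example; source IP stands in for "switch port".

```python
"""Model of an inbound 1434/udp filter and a per-port token-bucket rate limiter.
All traffic below is constructed for illustration (RFC 5737 documentation addresses)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SLAMMER_PORT = 1434        # UDP port of the SQL Server Resolution Service, Slammer's target
SLAMMER_PKT_BYTES = 376    # size of the single UDP datagram Slammer sends


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"
    size: int = 64


def passes_inbound_1434_filter(pkt: Packet) -> bool:
    """Behaves like an inbound ACL of 'deny udp any any eq 1434' then 'permit ip any any'."""
    return not (pkt.proto == "udp" and pkt.dst_port == SLAMMER_PORT)


def apply_filter(packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Split inbound packets into (passed, dropped) according to the ACL model."""
    passed, dropped = [], []
    for p in packets:
        (passed if passes_inbound_1434_filter(p) else dropped).append(p)
    return passed, dropped


class PerPortRateLimiter:
    """One token bucket per port: each port may burst `burst_bytes`, then sustain `rate`."""

    def __init__(self, rate_bytes_per_s: float, burst_bytes: float):
        self.rate = rate_bytes_per_s
        self.burst = burst_bytes
        self._tokens: Dict[str, float] = {}
        self._last: Dict[str, float] = {}

    def allow(self, port: str, size: int, now: float) -> bool:
        tokens = self._tokens.get(port, self.burst)
        last = self._last.get(port, now)
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill since last packet
        self._last[port] = now
        if tokens >= size:
            self._tokens[port] = tokens - size
            return True
        self._tokens[port] = tokens
        return False


def contain_burst(packets: List[Packet], limiter: PerPortRateLimiter,
                  now: float = 0.0) -> Dict[str, Tuple[int, int]]:
    """Run packets through the limiter; return {port: (passed, dropped)}. Source IP = port here."""
    counts: Dict[str, Tuple[int, int]] = {}
    for p in packets:
        ok = limiter.allow(p.src_ip, p.size, now)
        passed, dropped = counts.get(p.src_ip, (0, 0))
        counts[p.src_ip] = (passed + 1, dropped) if ok else (passed, dropped + 1)
    return counts


# Constructed inbound sample: what the 1434/udp filter keeps out, and what it breaks.
INBOUND_SAMPLE = [
    Packet("203.0.113.5", 2000, "192.0.2.10", 1434, "udp", SLAMMER_PKT_BYTES),  # worm probe: dropped
    Packet("198.51.100.53", 53, "192.0.2.10", 1434, "udp", 120),   # DNS reply to ephemeral 1434: collateral drop
    Packet("198.51.100.53", 53, "192.0.2.11", 40000, "udp", 120),  # ordinary DNS reply: passes
    Packet("203.0.113.7", 50000, "192.0.2.12", 1434, "tcp", 60),   # TCP/1434 is not matched by a udp ACL
]


def demo() -> Dict[str, object]:
    passed, dropped = apply_filter(INBOUND_SAMPLE)
    # One infected customer host blasting 1000 Slammer-sized datagrams in the same instant,
    # next to a neighbour doing ten small DNS queries; 100 kB/s sustained, 10 kB burst per port.
    limiter = PerPortRateLimiter(rate_bytes_per_s=100_000, burst_bytes=10_000)
    infected = [Packet("192.0.2.10", 1434, "203.0.113.9", 1434, "udp", SLAMMER_PKT_BYTES)] * 1000
    neighbour = [Packet("192.0.2.11", 40000, "198.51.100.53", 53, "udp", 64)] * 10
    counts = contain_burst(infected + neighbour, limiter)
    return {"acl_passed": len(passed), "acl_dropped": len(dropped), "per_port": counts}


if __name__ == "__main__":
    print(demo())
```

The DNS case is the trade-off Jon describes: a resolver reply sent to a client whose ephemeral source port happened to be 1434 is indistinguishable, to a port-only ACL, from a worm probe. The rate-limiter run shows the other half of his point: the infected host's own bucket drains after the first 26 datagrams, while the neighbour's ten queries all pass, so a per-port limit contains the damage without needing the filter at all.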