nanog mailing list archives
Re: M$SQL cleanup incentives
From: "Doug Clements" <dsclements () linkline com>
Date: Sat, 22 Feb 2003 12:40:39 -0800
On Sat, Feb 22, 2003 at 09:25:24AM -0500, William Allen Simpson wrote:
> Doug Clements wrote:
> > Which is it? Where do you draw the line between something that's big enough
> > to block forever and something that's not worth tracking down?
>
> Where it causes a network meltdown. The objective reality is pretty clear to some (many? most?) of us.

I see. So you're still filtering port 25 from the Morris sendmail worm. The issue I had with your argument is "forever". You should realize as well as anyone that the course of software development and implementation will mitigate the threats of the slammer worm until it's nothing more than a bad memory.

> Filtering is not fun. That's why I'm trying to get everyone to cooperate in eradication of this particular problem, so that we could drop filters. (Look at the subject line.)

The first step in eradication is detection. I presume that since you're taking this stance, you're checking your filter logs and attempting to notify the appropriate parties for each hit. If you're not, then our buddy trying to infect all the machines on his network every so often is being more effective in wiping out the worm.

> Right now, whether you know it or not, filtering is all that's holding the Internet as a whole together.... If you didn't filter, you're actually depending on the good graces of the rest of us that did!

If you "didn't" filter or "don't" filter? We definitely filtered when the worm first came out. We don't block port 1433 anymore (nor do any of our upstreams), but we still report suspicious traffic. Regardless of what everyone else is doing, the worm is not causing a meltdown anymore. The correct course of action is to remove filters as resources allow, and investigate infected machines as they are noticed. I'm sorry, but I'm not seeing your case for implementing permanent filters for this or anything else.

--Doug