"Ken Diliberto" wrote in message
news:[EMAIL PROTECTED]...
> While trying to modify the ACLs, I had to disable two trunks into that
> switch.  I could telnet into the supervisor no problem.  When I tried
> "sess 4" or "sess 7" I would get a timeout.
>
> I read reports of routers hanging under the load.  This is what I think
> happened to BofA.  The routers probably couldn't handle the load of all
> that traffic.  Maybe some hung and required manual intervention.  IMHO,
> SQL wasn't their problem.  High traffic levels were.  I know I couldn't
> connect to my VPN and it took several tries with SSH to get into one of
> my Unix machines.
>
> How would I handle this type of problem in the future?  Good question
> to which I'm not sure I have a good answer.  We are replacing our core
> 5500's with 6500's.  Our backbones from 100FX to GigE.  Our Internet
> connection from OC-3 to GigE.  Maybe the additional horsepower will
> help.  Maybe it will hammer the servers so hard they crash and I can't
> do anything.  In a way, I was taking a small risk with putting in
> firewall rules and ACLs to block this traffic.  I'm working with people
> on campus to add firewall rules, but I may not do it without their
> permission.  That and people are free to put anything they want on the
> network.
>
> If this were a corporate network and not an education network, I would
> convince the CIO/CTO/CEO that we need to tighten security.  Here, I have
> to convince the technicians in each college and division that security
> is good.


good points all. how quickly we forget - a year or so ago, it was code red /
nimda, and the response of a lot of places was to just start shutting down
servers and routers until they could get a handle on things. BOA might even
have been one of those organizations that did so, but that could be my
prejudice speaking.

>
> What would happen if this worm was a TCP port 80, TCP port 53 or UDP
> port 53 worm?


no problem. just close those ports on your firewalls ;->





>
> Ken
>
> >>> "Amazing"  01/26/03 06:15PM >>>
> what's amazing are the assumptions that people are making--who says that BoA
> servers or any BoA database were compromised?  who says they are even
> running MS-SQL?   Read how the worm is spreading and you will understand
> that you don't have to be running anything that can be affected by the worm.
> my guess is that a company with LARGE blocks of routable addresses and
> probably very high speed connections to the Internet might have bigger
> problems with this worm which in effect becomes a denial of service attack
> on their edge devices even if they are filtering out udp 1494 at the edge.
>
> take a look at the post by Ken and observe what is happening to the CPU of
> one of his router blades.....
>
> i definitely agree with your comment about the security con artist
> comparison to the y2k consultants
>
> [snip]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61940&t=61891