M$SQL cleanup incentives

2003-02-20 Thread William Allen Simpson
M$SQL is different from other infections mentioned, as it hits the entire net so quickly. The only thing keeping it at bay is widespread backbone filtering, which isn't feasible in the long term. Just like random source addresses, the only answer is edge filtering (preventing the bad packets

Re: M$SQL cleanup incentives

2003-02-20 Thread Iljitsch van Beijnum
On Thu, 20 Feb 2003, William Allen Simpson wrote: > Worse, it only takes 1 infected host to re-infect the entire net in > about 10 minutes. So, the entire 'net has to cooperate, or we'll see > continual re-infection. Only if people didn't fix their servers. And if they didn't, this "reverse" de

Re: M$SQL cleanup incentives

2003-02-20 Thread Valdis . Kletnieks
On Thu, 20 Feb 2003 22:11:06 +0100, Iljitsch van Beijnum said: > Seems to me that filtering is no longer necessary unless you have reason > to believe your customers are going to install new vulnerable boxes or > vulnerable software on existing boxes AND their pipe to you is so big "new vulnerabl

Re: M$SQL cleanup incentives

2003-02-21 Thread William Allen Simpson
I've been pretty disappointed with some of the responses on this issue. Yes, we filter both incoming and outgoing 1434 udp. No, we cannot keep doing that forever, the router CPU utilization is pretty high. We only logged for a couple of hours before turning that off (weeks ago) I'm of t

Re: M$SQL cleanup incentives

2003-02-21 Thread John Kristoff
On Fri, 21 Feb 2003 17:25:46 -0500 William Allen Simpson <[EMAIL PROTECTED]> wrote: > I've been pretty disappointed with some of the responses on this > issue. Maybe you won't like this one either, but here goes. I'd be very interested in hearing how operators feel about 'pushback'. It may mak

Re: M$SQL cleanup incentives

2003-02-21 Thread Randy Bush
> I'd be very interested in hearing how operators feel about 'pushback'. the only interesting thing i have seen in this space randy

Re: M$SQL cleanup incentives

2003-02-21 Thread Iljitsch van Beijnum
On Fri, 21 Feb 2003, William Allen Simpson wrote: > I've been pretty disappointed with some of the responses on this issue. :-) > I'm of the technical opinion that everyone will need to filter outgoing > 1434 udp forever. Forget it. That's a port used for legitimate traffic. Besides, filtering

Re: M$SQL cleanup incentives

2003-02-22 Thread Doug Clements
I'll bite.. - Original Message - From: "William Allen Simpson" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Friday, February 21, 2003 2:25 PM Subject: Re: M$SQL cleanup incentives [snip] > I'm of the technical opinion that everyone will need to

Re: M$SQL cleanup incentives

2003-02-22 Thread William Allen Simpson
Doug Clements wrote: > Which is it? Where do you draw the line between something that's big enough > to block forever and something that's not worth tracking down? Where it causes a network meltdown. The objective reality is pretty clear to some (many? most?) of us. > You lambast > him for a

Re: M$SQL cleanup incentives

2003-02-22 Thread Doug Clements
On Sat, Feb 22, 2003 at 09:25:24AM -0500, William Allen Simpson wrote: > Doug Clements wrote: > > Which is it? Where do you draw the line between something that's big enough > > to block forever and something that's not worth tracking down? > > Where it causes a network meltdown. The objective re

Re: M$SQL cleanup incentives

2003-02-22 Thread jlewis
On Sat, 22 Feb 2003, Doug Clements wrote: > The issue I had with your argument is "forever". You should realize as well > as anyone that the course of software development and implementation will > mitigate the threats of the slammer worm until it's nothing more than a bad > memory. Unlikely in

Re: M$SQL cleanup incentives

2003-02-22 Thread Stephen Sprunk
Thus spake <[EMAIL PROTECTED]> > If your network is able to contain slammer infected boxes without > melting down, who cares if you have a few infected customers? You > don't need to filter, and they'll all be encouraged to fix their systems > sooner. As one hoster put it to me, DoS and worm tra

Re: M$SQL cleanup incentives

2003-02-22 Thread William Allen Simpson
Doug Clements wrote: > I see. So you're still filtering port 25 from the Morris sendmail worm. > Funny thing, I was a researcher visiting at Cornell, and had just left in the car for the 9.5 hour drive home when it struck. I've often wished I'd stuck around for a few more hours for the exciteme

Re: M$SQL cleanup incentives

2003-02-22 Thread jlewis
On Sat, 22 Feb 2003, Stephen Sprunk wrote: > As one hoster put it to me, DoS and worm traffic is billable so it's not in > the hoster's interests to protect customers -- quite the opposite in fact. Whether or not the traffic is billable is irrelevant if your network is effectively down. One in

Re: [Re: M$SQL cleanup incentives]

2003-02-20 Thread Joshua Smith
Iljitsch van Beijnum <[EMAIL PROTECTED]> wrote: > > On Thu, 20 Feb 2003, William Allen Simpson wrote: > > > Worse, it only takes 1 infected host to re-infect the entire net in > > about 10 minutes. So, the entire 'net has to cooperate, or we'll see > > continual re-infection. > > Only if peopl

Re: [Re: M$SQL cleanup incentives]

2003-02-20 Thread Gary E. Miller
Yo Joshua! On Thu, 20 Feb 2003, Joshua Smith wrote: > i still get 8K plus hits against my acls per day for udp/1434...(75 in the > time it took to write this email) You are probably doing as much damage as good. udp/1434 is not a reserved port. A lot of what you are blocking is legit traffic t

Re: [Re: M$SQL cleanup incentives]

2003-02-21 Thread Iljitsch van Beijnum
On Thu, 20 Feb 2003, Joshua Smith wrote: > > Only if people didn't fix their servers. And if they didn't, this > > "reverse" denial of service attack is a good reminder. > what was that one worm from a year or two ago that was eliminated from the > net, oh yeah, code red..if they didn't fix

Re: [Re: [Re: M$SQL cleanup incentives]]

2003-02-21 Thread Joshua Smith
it isn't legit for what i have in my network though :-) "Gary E. Miller" <[EMAIL PROTECTED]> wrote: > Yo Joshua! > > On Thu, 20 Feb 2003, Joshua Smith wrote: > > > i still get 8K plus hits against my acls per day for udp/1434...(75 in the > > time it took to write this email) > > You are proba

Re: [Re: [Re: M$SQL cleanup incentives]]

2003-02-21 Thread David Barak
I think the bigger issue for all of the M$SQL customers will be the new licensing fees they get stuck with... http://www.theregister.co.uk/content/53/29419.html -David Barak fully RFC 1925 compliant --- Joshua Smith <[EMAIL PROTECTED]> wrote: > > it isn't legit for what i have in my network th

Re: [Re: [Re: M$SQL cleanup incentives]]

2003-02-21 Thread Kevin Oberman
> Date: Fri, 21 Feb 2003 09:53:59 -0800 (PST) > From: David Barak <[EMAIL PROTECTED]> > Sender: [EMAIL PROTECTED] > > > I think the bigger issue for all of the M$SQL > customers will be the new licensing fees they get > stuck with... > > http://www.theregister.co.uk/content/53/29419.html It co

Re: [Re: [Re: M$SQL cleanup incentives]]

2003-02-21 Thread Johannes Ullrich
> On the other hand, Timeline's case is YEARS old and they are going > after treble damages from companies who just took Microsoft's word > that there was nothing to worry about. Some people should be VERY > nervous, indeed. That's the part that worries me greatly. This general idea may apply to

Re: [Re: [Re: M$SQL cleanup incentives]]

2003-02-21 Thread Kevin Oberman
> Date: Fri, 21 Feb 2003 14:02:09 -0500 > From: "Johannes Ullrich" <[EMAIL PROTECTED]> > > > > On the other hand, Timeline's case is YEARS old and they are going > > after treble damages from companies who just took Microsoft's word > > that there was nothing to worry about. Some people should

Re: [Re: [Re: M$SQL cleanup incentives]]

2003-02-21 Thread Bryan Bradsby
> > udp/1434 is not a reserved port. [...] legit > > traffic that picked a random port to use for an ad-hoc use. > > it isn't legit for what i have in my network though :-) Really? So you're blocking udp/1434 both in and out? Got any DNS servers on your network? Any of your desktop clients use

Re: [Re: [Re: M$SQL cleanup incentives]]

2003-02-21 Thread E.B. Dreger
BB> Date: Fri, 21 Feb 2003 14:08:46 -0600 (CST) BB> From: Bryan Bradsby JS> it isn't legit for what i have in my network though :-) BB> Really? So you're blocking udp/1434 both in and out? BB> BB> Got any DNS servers on your network? Any of your desktop BB> clients use DNS? s/DNS/UDP-based ser

Re: [Re: [Re: M$SQL cleanup incentives]]

2003-02-21 Thread Doug Barton
On Sat, 22 Feb 2003, E.B. Dreger wrote: > BB> Recent versions of un*x BIND will pick a random port above > BB> 1024 for udp conversations. It can and has picked 1434. > > Standard socket(2) behavior. BIND [hopefully] runs chown(2)ed, > so the source port number must be >= 1024. At startup, name

Re: [Re: [Re: M$SQL cleanup incentives]]

2003-02-22 Thread alex
> BB> DNS clients will eventually timeout and fall back to another > BB> server, so any problems would be transient, but the packets > BB> were legit, right? > > Stateful packet filters are nice. Properly written, they protect > both inbound and outbound traffic and need to track very little > s

Re: [Re: [Re: [Re: M$SQL cleanup incentives]]]

2003-02-21 Thread Joshua Smith
Bryan Bradsby <[EMAIL PROTECTED]> wrote: > > > udp/1434 is not a reserved port. [...] legit > > > traffic that picked a random port to use for an ad-hoc use. > > > > it isn't legit for what i have in my network though :-) > i should clarify this - my data center has www/dns/ftp servers and a bun

The good old days (was Re: M$SQL cleanup incentives)

2003-02-24 Thread Sean Donelan
On Sat, 22 Feb 2003, William Allen Simpson wrote: > > I see. So you're still filtering port 25 from the Morris sendmail worm. > > Funny thing, I was a researcher visiting at Cornell, and had just left > in the car for the 9.5 hour drive home when it struck. I've often > wished I'd stuck around fo

Re: The good old days (was Re: M$SQL cleanup incentives)

2003-02-24 Thread Peter Salus
Sean, Plus ca change, plus c'est le meme chose. Of course the past is with us: look at Bob Metcalfe's RFC 602 (1973). Have we fixed anything over the nearly 30 years? How recently have you seen a password on a Post-It? How many folks have their spouse's/significant other's/ offspring's nam