On Tue, 6 Mar 2007, Mikael Abrahamsson wrote:
> Customer gets hacked, one of their boxen starts spewing traffic with spoofed addresses. The way I understand your solution is to automatically shut their port and disrupt all their traffic, and have them call customer support to get any further.
>
> Do you really think this is a good solution?
>
> I don't see any customer with a choice continuing having a relationship with me if I treat them like that. It will cost me and them too much.
>
> So instead I just drop their spoofed traffic and if they call and say that their line is slow, I'll just say it's full and they can themselves track down the offending machine and shut it off to solve the problem.
Compromised systems rarely have one thing wrong with them, and delaying the pain just makes things worse. Drop spoofed traffic, and they send non-spoofed packets. Block port 25, and they send slammer on port 1434. Block messenger port 1025, and they send DNS DOS on port 53. Block irc bots port 6667, and they send VOIP spam port 5060. And so on and so on.

<http://www.washingtonpost.com/wp-dyn/content/article/2007/03/08/AR2007030802012.html>

    The fast-spreading virus infected as many as 200 county computers Wednesday, and technicians shut down the entire network for Anne Arundel offices for more than 24 hours.

<http://msmvps.com/blogs/donna/archive/2006/02/12/83332.aspx>

    One day last year, things started going haywire at Northwest Hospital and Medical Center. Key cards would no longer open the operating-room doors; computers in the intensive-care unit shut down; doctors' pagers wouldn't work. It turns out the Seattle hospital's computers, along with up to 50,000 others across the country, had been turned into an army of robots controlled by 20-year-old

Caused by "known" vulnerabilities with patches available, but the customers decided it wasn't "important" enough to take action before they lost everything. Is it really customer service to avoid the issue?
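The whack-a-mole sequence above (spoofed packets, then port 25, then 1434, and so on) is itself a signal: a host that trips several distinct symptom categories is compromised, and a per-port filter only hides the next symptom. The following is an added example, not code from the thread or either poster; it runs over constructed flow records for one customer, records when each symptom first appears, and recommends a targeted filter for a single symptom but a port quarantine once two or more are seen. The flow record shape, the category labels, the threshold and the sample prefix are all assumptions.

```python
from ipaddress import ip_address, ip_network

# Symptom categories keyed by destination port, using the ports named in
# the reply; the labels are this example's own.
INDICATOR_PORTS = {
    25: "smtp-spam", 1434: "slammer", 1025: "messenger-spam",
    53: "dns-dos", 6667: "irc-bot", 5060: "voip-spam",
}

def classify_flow(flow, customer_prefix):
    """Return the symptom category a single flow record matches, or None."""
    # BCP38-style check: a source outside the customer's prefix is spoofed.
    if ip_address(flow["src"]) not in ip_network(customer_prefix):
        return "spoofed-source"
    return INDICATOR_PORTS.get(flow["dport"])

def assess_customer(flows, customer_prefix, threshold=2):
    """Summarise one customer's flows as first-seen time per symptom plus a
    verdict: one symptom -> a targeted filter; `threshold` or more distinct
    symptoms -> the host is compromised, quarantine the access port."""
    first_seen = {}
    for flow in sorted(flows, key=lambda f: f["ts"]):
        category = classify_flow(flow, customer_prefix)
        if category is not None and category not in first_seen:
            first_seen[category] = flow["ts"]
    if not first_seen:
        verdict = "clean"
    elif len(first_seen) < threshold:
        verdict = "filter"
    else:
        verdict = "quarantine"
    return {"verdict": verdict, "symptoms": first_seen}

# Constructed sample flows (ts, src, dport) for a customer holding the
# documentation prefix 203.0.113.0/24.
SAMPLE_FLOWS = [
    {"ts": 100, "src": "198.51.100.7", "dport": 80},    # spoofed source
    {"ts": 160, "src": "203.0.113.10", "dport": 25},    # spam once spoofing is dropped
    {"ts": 220, "src": "203.0.113.10", "dport": 1434},  # slammer once 25 is blocked
    {"ts": 300, "src": "203.0.113.10", "dport": 443},   # ordinary traffic
]

if __name__ == "__main__":
    print(assess_customer(SAMPLE_FLOWS, "203.0.113.0/24"))
```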