Matthew S. Hallacy wrote:
How was this traffic causing harm to your network? I'd rather have them dealing with people actively breaking into systems, DoS'ing, etc. than terminating some customer who's probably infected with the latest Microsoft worm.

Worm control is important. If we let them run rampant, then they will build up to a critical mass and become DOS quality.

One of my transit customers was ignoring the worm reports I was sending him. Interestingly enough, he DOS'd his own routers, as several of the people infected were behind NAT generating 11,000 connections in less than a minute. Ever seen a C3640 with 11,000 NAT translations? In this case, it's a customer that didn't have high-end equipment. If he'd had high-end equipment, then others would suffer the performance hit, not to mention extra noise making it harder to detect purposeful scans and attacks.

Some worms, like Code Red, cause a DOS on web-enabled equipment as well. The F variant, for example, will shut down Net2Net DSLAMs, some Cisco equipment, and I'm sure a lot of other things.

-Jack