On Fri, 21 Feb 2003, William Allen Simpson wrote:
> I've been pretty disappointed with some of the responses on this issue.

:-)

> I'm of the technical opinion that everyone will need to filter outgoing 1434 UDP forever.

Forget it. That's a port used for legitimate traffic. Besides, filtering on port numbers is a flawed proposition to begin with. The fact that it more or less works is just luck. Too bad we can't filter on competence.

> Now, some folks have expressed the opinion we should just all drop filters and let the infected machines DoS our networks, hoping against experience that the miscreant customers will notice their bad machines and fix them promptly.
>
> That's technically incompetent!

Thank you. I agree that at this time it is often not feasible to simply not filter. But that's certainly the place I want to be in the future. If a customer wants to spew out 50 Mbps worth of UDP I don't want that to influence my network. So either I forward the traffic and the customer pays for the bandwidth, or I rate limit it and they live with the packet loss.

> For one thing, experience shows that the miscreant won't notice they're infected for DAYS! Why do you think there are 20K+ still infected?

Most of those are dial-up, so their traffic isn't all that much and they're hard to track down. Depending on how the OS works, such a host may not even experience a very significant slowdown.

> For another thing, I'm happy for all those of you that have such huge resources to overspecify your networks and equipment. The rest of us were swamped. We don't have any (that's right: zero zip nil) M$ machines in the operational network (only Linux, *BSD, Macs), and we still lost all accounting, network management, and basic services, until the border filters were in place.

Strange. By the way: I manage ~4 networks. One just upgraded to "huge resources" and they didn't feel the extra 100 Mbps traffic from two infected customer boxes (I filtered it anyway, good netizen as I am). Another has more or less adequate resources; one router also had 2 infected boxes on the local network, but this one could handle it. The next router (behind a 1:3 funnel) had a meltdown even though the hardware is identical. Always use CEF, kids. Two other networks are more or less underpowered, but no real trouble (one also with two infected boxes).