[55983] in North American Network Operators' Group
M$SQL cleanup incentives
daemon@ATHENA.MIT.EDU (William Allen Simpson)
Thu Feb 20 13:26:14 2003
Date: Thu, 20 Feb 2003 12:51:52 -0500
From: William Allen Simpson <wsimpson@greendragon.com>
To: nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu
M$SQL is different from other infections mentioned, as it hits the
entire net so quickly. The only thing keeping it at bay is widespread
backbone filtering, which isn't feasible in the long term.
Just like random source addresses, the only answer is edge filtering
(preventing the bad packets from reaching the backbones).
Worse, it only takes 1 infected host to re-infect the entire net in
about 10 minutes. So, the entire 'net has to cooperate, or we'll see
continual re-infection.
Unfortunately, this is a cost that prevents pain to others, rather
than self-inflicted pain. Another pollution of the commons issue.
Johannes Ullrich wrote:
> We are doing that with the reports we get for DShield. However, in particular
> with consumer ISPs, there does not seem to be too much effort to notify
> infected customers.
>
That is the problem! There are only 2 incentives that I'm aware of:
1) blocking routing to that AS (fast).
2) sue the AS as a nuisance (slow).
It has been 3 weeks. Those that haven't implemented edge filtering are
bad actors, and need an incentive to clean up their act.
> On the other hand, how hard is it for an ISP to monitor port 1434 and call
> up a customer whenever there is a 'flareup'? I think this would be the easiest
> way to get rid of this problem. I see that port 80 / code red is harder as
> it essentially requires content inspection. But Sapphire should be rather
> easy to detect by watching outbound traffic.
I agree!
--
William Allen Simpson
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
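As an added example, not code from the original post or from DShield: the outbound-monitoring approach quoted above (watch a customer's outbound UDP/1434 and call them when there is a flareup) as detection logic in Python over constructed flow records. The key=value flow line format, the sample traffic, the /16 customer block, the 60-second window and the 20-destination threshold are all assumptions chosen for illustration; the signal it keys on is per-source fan-out (one host reaching many distinct destinations on UDP/1434), which is what the worm's random-target scanning looks like and what a legitimate SQL Server Resolution Service lookup does not.

```python
"""Outbound UDP/1434 flareup detector (added example, not code from the post).

Slammer/Sapphire spreads with one UDP datagram to port 1434 per random
target, so an infected customer host shows up as a single source reaching
many distinct destinations on UDP/1434 within seconds.  The key=value flow
line format and the sample traffic below are constructed for this example;
adapt parse_flow() to your collector's export.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical flow-record format, assumed for this example.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+):(?P<sport>\d+)"
    r" dst=(?P<dst>[\d.]+):(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_flow(line):
    """Parse one flow line into a dict; return None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    f["ts"] = datetime.fromisoformat(f["ts"])
    for k in ("sport", "dport", "bytes"):
        f[k] = int(f[k])
    return f


def find_flareups(lines, customer_net, window=timedelta(seconds=60), min_targets=20):
    """Return {src: peak distinct UDP/1434 destinations} for hosts inside
    customer_net that hit at least min_targets distinct destinations within
    any window-long interval.  Restricting to customer sources keeps inbound
    scans of the customer from being counted against them."""
    net = ipaddress.ip_network(customer_net)
    per_src = defaultdict(list)  # src -> [(ts, dst), ...]
    for line in lines:
        f = parse_flow(line)
        if f is None or f["proto"].lower() != "udp" or f["dport"] != 1434:
            continue
        if ipaddress.ip_address(f["src"]) not in net:
            continue
        per_src[f["src"]].append((f["ts"], f["dst"]))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        in_window = Counter()  # dst -> occurrences inside the sliding window
        lo, peak = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[lo][0] > window:  # drop events older than the window
                old = events[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged


def _sample_flows():
    """Constructed sample traffic (not captured data) for a 10.1.0.0/16 customer block."""
    base = datetime(2003, 2, 20, 12, 51, 52)
    lines = []
    # Infected customer host: one small UDP packet to each of 25 targets in ~10 s.
    for i in range(25):
        ts = base + timedelta(milliseconds=400 * i)
        lines.append(f"{ts.isoformat()} proto=udp src=10.1.2.3:1045 dst=198.51.100.{i + 1}:1434 bytes=404")
    # Legitimate host querying a single SQL Server Resolution Service endpoint.
    for i in range(3):
        ts = base + timedelta(seconds=5 * i)
        lines.append(f"{ts.isoformat()} proto=udp src=10.1.2.9:3050 dst=192.0.2.10:1434 bytes=60")
    # Inbound scan from outside the customer block: not the customer's outbound traffic.
    for i in range(30):
        ts = base + timedelta(milliseconds=100 * i)
        lines.append(f"{ts.isoformat()} proto=udp src=203.0.113.7:1434 dst=10.1.2.{i + 10}:1434 bytes=404")
    # TCP to port 1434 is not the worm's vector and is ignored.
    lines.append(f"{base.isoformat()} proto=tcp src=10.1.2.5:4000 dst=192.0.2.11:1434 bytes=52")
    return lines


SAMPLE_FLOWS = _sample_flows()

if __name__ == "__main__":
    for src, n in find_flareups(SAMPLE_FLOWS, "10.1.0.0/16").items():
        print(f"flareup: {src} reached {n} distinct hosts on UDP/1434")
```

Counting distinct destinations per source, rather than raw packets to port 1434, is what keeps a customer who legitimately talks to one or two SQL servers from being paged; the window and threshold are starting points to tune against the ISP's own baseline, not values taken from the post.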