[60412] in North American Network Operators' Group

Re: RPC errors

daemon@ATHENA.MIT.EDU (Jack Bates)
Mon Aug 11 18:47:09 2003

Date: Mon, 11 Aug 2003 17:43:10 -0500
From: Jack Bates <jbates@brightok.net>
To: Mark Segal <MSegal@Corporate.FCIBroadband.com>
Cc: "'Mike Damm'" <MikeD@irwinresearch.com>,
	"'Drew Weaver'" <drew.weaver@thenap.com>,
	"'nanog@merit.edu'" <nanog@merit.edu>
In-Reply-To: <7D65E2ADB9ADD4119CC200508BB1E0BC02A117B8@fwexch01.corp.futureway.ca>
Errors-To: owner-nanog-outgoing@merit.edu


Mark Segal wrote:
> I just put an access list on one of our cores with some spare cpu cycles..
> And 10% of the traffic looks like port 135 calls.....  Anyone else see this?
> Did I break anything legitimate?
> 
There is legitimate use for 135, although normally it is not used in the 
wild much. From what I can see, the 10% traffic mark is about average 
and should mostly be infected systems. I've seen some tight-in network 
scans from one of my networks to the others (within the same /18). Still 
monitoring loads before I decide to crank in lists between networks to 
limit cross infection. Tomorrow starts the fun... EU contact.

I plan to open up inbound first and let users get infected, tracking 
and purifying my network for about a week, perhaps two. Then I'll reopen 
the network for full traffic if it looks clean enough. Emergency "Good 
Neighbor" policy. :)


-Jack


