On Tue, Nov 06, 2001 at 10:58:02AM -0500, Patrick McManus wrote:
> [Peter R. Wood: Tue, Nov 06, 2001 at 10:27:03AM -0500]
> >
> > So we contacted our ISP (Genuity) and asked them if they could set this up
> > on our routers. They refused, saying that they didn't think the routers
> > were the right place to handle this problem, and suggested we set up a
> > firewall. (Why would Cisco give their routers this capability, then?)
>
> to answer your question (why would cisco..?): nabr for CR plays a
> security role by protecting vulnerable servers from attack, but it has
> horrible efficiency properties.. since you have a performance problem,
> not a security problem, it's not the right fix for you.

The only way I can see to solve the problem is to make sure the packets don't get onto the subscriber's network; i.e. the only way to fix this that I can see is to filter the traffic at the ISP's upstream router. If you have a different/better solution, I'd be interested in hearing it.

Actually it depends on the bottleneck -- if the problem is overall bandwidth the above would be true. If the problem is only load on the servers, and there is enough bandwidth, a firewall capable of application-level filtering on the subscriber's network should do the job.

--
Derek Martin
ddm at pizzashack.org
---------------------------------------------
I prefer mail encrypted with PGP/GPG!
GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu
Learn more about it at http://www.gnupg.org