[ale] New worm destabilized Internet
James S. Cochrane
cochrane at mindspring.com
Sun Jan 26 16:07:04 EST 2003
At 02:35 PM 1/26/03 -0500, you wrote:
>On Sat, Jan 25, 2003 at 09:10:40PM -0500, James S. Cochrane wrote:
> > I just spent four hours at work, none of our Unix servers were DIRECTLY
> > impacted, but the amount of broadcast traffic did impact our networks, and
> > convinced several of our HA systems that they were experiencing network
> > outages (mainly seemed to impact HP boxes, going to have to look into
> > whether there are problems with HP-UX 11.0's network stack).
>
>That sounds like a bug or design flaw in your HP boxen. I would bet that
>the problem is not in the network stack but rather in some high level
>non-kernel code that was not designed well.
Wouldn't surprise me... HP-UX seems to have several areas where it is
severely lacking when compared to other Unix OSes (still better than the
SCO I was dealing with the first time I ever met you, though, when you
consulted for my first IT employer back in '95 or '96... Would you believe
that Consolidated Traffic Management Systems managed to hang on until 2000
or 2001?). I noticed the problems on an MC Service Guard cluster and a
cluster running Veritas Cluster Services, the Sun clusters running VCS
didn't have much problem, although one did spit out a few
warnings. Fortunately, this may finally be the impetus to get upper
management to let us make some network changes we've been advocating for a
while, as well as accelerate some changes that were already in the pipeline...
>I've done a lot of work with high availability and it should not fail
>this way from this worm. It should take, at least, an amount of traffic
>exceeding the network bandwidth of your boxes by a factor of 2-10 before
>failure occurred. This is unlikely unless you have a T3 feed.
Allegedly we were seeing enough traffic to give our routers problems... Of
course, we're in the process of redesigning our internal network to get
away from some poor configurations done by the network admins at our parent
corporation, which probably contributed to our overall problems. The fact
that we're on shared network segments with related companies means we're
exposed to their network insecurities, which is why we were already
migrating to our own ring to connect datacenters... But this isn't the
first problem I've seen with the HP boxes and networking, I've had some
issues with Veritas volume replication where connections were dropping due
to lost heartbeats or somesuch... Veritas hasn't given me a clear answer
yet, but I've only got 9 volume groups (relatively low rates of change)
being replicated on a dedicated pair of OC-3's from the HP boxes, I've got
two larger volume groups being replicated on Suns with no issues...
James
> > So it might
> > not be impacting the ATM network directly, but could be impacting the
> > back-end networks where their servers are, preventing the ATMs from
> > connecting to verify account balances and funds available, etc...
>
>The only scenario I could see (that did not involve stupidity on B of A's
>part, like being vulnerable to the worm) was if their ATMs are connected
>to the servers over the Internet via a VPN and the 1434 noise flooded the
>bandwidth.
>
> > James
>Bob
>_______________________________________________
>Ale mailing list
>Ale at ale.org
>http://www.ale.org/mailman/listinfo/ale