[ Lengthy, but it's not like I'd bother you daily. ,-) ]

On Fri, 25 Feb 2000 Valdis.Kletnieks@vt.edu wrote:

> Smurf came along in what, 1996? And www.pulltheplug.com and www.netscan.org both are finding enough networks STILL vulnerable that they find it interesting to tabulate.
Indeed. Though smurf seems to be becoming too old-fashioned for people to bother using it anymore. At least here the greater problem is with DDoS, because, as is obvious, no clear rulesets can be established to prevent it to the degree necessary. I'm betting DDoS will become even more of a headache when IPv6 gains wider usage and, simultaneously, taking advantage of the v4 smurf amplifiers just won't do the job anymore. Kids seem to be finding their way to IPv6 just as well, as days pass. For a while it seemed like a puzzling security-by-obscurity thing when I transferred a bunch of my hosts to IPv6 only. Admittedly the TCP/IP stack still wants a v4 IP, but that I have under 192.168.x and by itself it poses no great risk. It was a setback of a kind for the people trying to pester the box: they would mostly have to stick to the easily modified tools that do not exploit any direct problems with the protocol, and instead just go for exhausting the CPU by bugging the services running on the box. That is, if they manage to get IPv6 set up for themselves.

I'm very much thinking it's a good time for people to begin looking at IPv6 and its basics, if all haven't done it yet. It would be a shame if the bad guys had been on the road with the protocol for longer than some of us. ,) Also, there's still time for a little thinking on how things are to be done, with no need to rush, time to let things evolve.
> [...pulltheplug...]
> under 200 replies. And the guy hasn't started on arin/ripe/apnic allocated space yet.
I may be missing something obvious, but I was actually under the impression the scanning was already all complete until they go for a rerun later. Everything down to /26's have been mapped, as far as I recall.
> If ISPs and users had clues, we wouldn't have as big a potential DDoS problem. Oh, and this just in:
Notably users. I'm currently trying to deal with PPark (PrettyPark, a Windows virus/trojan). It automatically spreads itself via e-mail and keeps gaining more and more infections by the day. It is nasty. It wouldn't be much of my cake, but the virus unfortunately has been set to connect to one of the servers I administer to receive attack coordinates and all that (the server refuses them right after they have been successfully identified on connect). Doesn't sound quite nasty? It is; just to put people on the scale, we have _ninety thousand_ unique hosts rapidly connecting to our server and practically bringing the server's accessibility down to its knees. If 90 000 of them merely opening a connection can do that to a server, I must wonder what their practical efficiency would be if people were ever to have control over them and use them for malicious purposes.

Some weeks ago, I did a compilation of the ISPs/TLDs involved. I, however, stripped the hostnames out to protect the innocent and to stop people from misusing that information. Brief stats are available at
http://www.vip.fi/~viha/Stats/PPark_ISP.txt and
http://www.vip.fi/~viha/Stats/PPark_TLD.txt
These are Windows hosts, not running any virus detection by the looks of it. Some quotes might include --

% cat PPark_ISP.txt | egrep -i "\\.(gov|mil|int)"|head -3
     10 navy.mil
      4 nih.gov
      4 army.mil
% cat PPark_ISP.txt | head -3
   4389 aol.com
   4172 hinet.net
   1732 com.sg

Oh, before you suggest routing them to null, be warned we have tried a few things. We were quite lucky, and most of them only showed a quick way to a table overflow. As for contacting antivirus companies, the one we were in contact with didn't show much but the compulsory 'I see.'
> Valdis Kletnieks
--
IPv6 Solutions | Security Coordination
Ville(viha@cryptlink.net, "Cryptlink Networking");
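As an added example, not part of the original thread or the PPark_ISP.txt/PPark_TLD.txt files linked above: a small POSIX shell script that turns a list of resolved hostnames of connecting clients into the per-ISP and per-TLD count tables the post quotes, with the individual hostnames stripped out, plus the gov/mil/int filter the post runs with egrep. The "ISP" key is taken as the last two DNS labels, which is why an entry like com.sg appears as one ISP in the post's table. The hostnames in SAMPLE_HOSTS are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. Aggregates hostnames of
# connecting clients into counts by ISP (last two labels) and by TLD, so the
# summary can be published without exposing the individual infected hosts.

# Constructed sample input: one resolved hostname per line. In practice this
# would come from resolving the source addresses in the server's connection log.
SAMPLE_HOSTS='dialup-1.example.aol.com
dialup-2.example.aol.com
ppp3.hinet.net
ppp4.hinet.net
ppp5.hinet.net
host1.singnet.com.sg
ws12.nmc.navy.mil
ws13.nmc.navy.mil
pc1.nih.gov
lab.cs.example.edu'

# isp_counts: read hostnames on stdin, print "<count> <label.label>" per ISP,
# most frequent first; ties are broken by name so the output is deterministic.
isp_counts() {
    awk -F. 'NF >= 2 { print $(NF-1) "." $NF }' \
        | sort | uniq -c | sort -k1,1rn -k2,2 \
        | awk '{ print $1, $2 }'
}

# tld_counts: same, keyed on the last label only.
tld_counts() {
    awk -F. 'NF >= 1 { print $NF }' \
        | sort | uniq -c | sort -k1,1rn -k2,2 \
        | awk '{ print $1, $2 }'
}

# sensitive_isps: the post's egrep over the ISP table (grep -E here, same
# regex), restricted to gov/mil/int and the top N entries, default 3.
sensitive_isps() {
    n=${1:-3}
    isp_counts | grep -Ei '\.(gov|mil|int)$' | head -n "$n"
}

# Stand-alone run: print both tables and the gov/mil/int filter.
echo "== by ISP =="
printf '%s\n' "$SAMPLE_HOSTS" | isp_counts
echo "== by TLD =="
printf '%s\n' "$SAMPLE_HOSTS" | tld_counts
echo "== gov/mil/int =="
printf '%s\n' "$SAMPLE_HOSTS" | sensitive_isps 3
```

To run it against real data, feed the resolved hostnames on stdin instead of SAMPLE_HOSTS, e.g. `isp_counts < hosts.txt > PPark_ISP.txt`. Only the aggregated tables leave the box; the hostname list stays local.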