Who was/is talking about a DOS??? I wasn't. You're implying that my fix (which doesn't work and I've gotten many responses about having "tried that") causes a DOS. Um, please re-evaluate the data I have shared. There is NOTHING I have offered that is not already known. You come to my website, ask for a file (default.ida) and I send it to you. Where's the DOS in that? Legal or not, um, next case...

-----Original Message-----
From: Christian Kuhtz [mailto:ck@arch.bellsouth.net]
Sent: Sunday, August 19, 2001 2:34 AM
To: Joe Blanchard
Subject: Re: Code Red 2 Erratication

On Sun, Aug 19, 2001 at 02:02:10AM -0700, Joe Blanchard wrote:

With regard to the legality of sending back such packets I have to laugh, and hard, at this. You're certainly under some misguided idea that the laws actually have any precedence in this case, that is regarding sending back packets to an attacking party that kills their OS.

The infected host is not what matters, and none of my recent statements have been about 'killing somebody's OS' if you read them carefully. As I tried to explain to you before, hypothetically speaking, if you happen to take out, say, a DSL cloud (if you had a larger pipe or used a different method of responding to the probe which wasn't as bw intensive and caused greater damage proportional to bw used), perhaps take the ATM cloud out with it because of, for instance, massive demand for bw... you're in essence enacting a DoS and are subject to the same sort of procedures with which DoS are responded to. I'm amazed your providers aren't taking the same steps with your current problem.

Further, if perhaps you end up taking out vital national infrastructure with your attack you will end up facing the consequences (remember, some of the ckts used for inet traffic share resources with the rest of the world). A DoS in response to a DoS can also lead to your networks being cut off from the rest of the world as well. Significant backlash in various colors is not far fetched at all. These scenarios have been discussed quite frequently in various forums as well as in various legal departments, and depending on the circumstances there are legal issues you might want to consider. You might want to consult those in your legal department with background in telecommunications litigation. Go ahead, test the legal system. I am not making this up. It's your choice, not mine.

I am trying to share information with you in the hope that it may help you understand the shortcomings of your approach and perhaps helps you find a better solution. It may be worthwhile to take up the typical emergency response procedures and do things like summarize the ip addrs of the offending hosts with individual date/timestamps and submit them to providers with the remark that they are causing a DoS on your network.

The fact that your direct providers aren't willing to help you as the customer is very regrettable. You might also have angles by engaging your legal department depending on what sort of contracts you have with your provider(s). Contesting the billing sometimes gets a provider's attention. I don't see why escalating thru your provider up the food chain doesn't get you results. The reply that it is 'too difficult' most certainly doesn't ring true in this matter.

I don't speak for or represent BellSouth. The Security & Abuse team @ BellSouth.net can be reached at abuse@bellsouth.net and in general that should be your primary point of contact if you have issues with BellSouth.net customers. If you have any problems with BellSouth.net responding to your requests feel free to contact me and perhaps I can help with the escalation. If you have any other questions, send them on.

--
Christian Kuhtz <ck@arch.bellsouth.net> -wk, <ck@gnu.org> -hm
Sr. Architect, Engineering & Architecture, BellSouth.net, Atlanta, GA, U.S.
"I speak for myself only."
On Sun, Aug 19, 2001 at 02:49:05AM -0700, Joe Blanchard wrote:
Who was/is talking about a DOS??? I wasn't. You're implying that my fix (which doesn't work and I've gotten many responses about having "tried that") causes a DOS. Um, please re-evaluate the data I have shared. There is NOTHING I have offered that is not already known. You come to my website, ask for a file (default.ida) and I send it to you. Where's the DOS in that? Legal or not, um, next case...
[.. fragment of private thread deleted ..]

*sigh* The answers are in your inbox. I'm signing off from this thread now, it's gotten just a little too surreal for me after we've been discussing this for the past several hours in a private thread. Joe, you win. I'm such an idiot for once again being trolled by a net.kook. Please, somebody turn up the noise level (another spam flame war, yes? please?) to drown out the pain before the rest of the NANOG flame horde chimes in. Is there a cure for this or is it terminal? :^)

Foolishly trolled,
Chris

--
Christian Kuhtz <ck@arch.bellsouth.net> -wk, <ck@gnu.org> -hm
Sr. Architect, Engineering & Architecture, BellSouth.net, Atlanta, GA, U.S.
"I speak for myself only."
At 2:49 am -0700 19/8/01, Joe Blanchard wrote:
Who was/is talking about a DOS??? I wasn't. You're implying that my fix (which doesn't work and I've gotten many responses about having "tried that") causes a DOS. Um, please re-evaluate the data I have shared. There is NOTHING I have offered that is not already known. You come to my website, ask for a file (default.ida) and I send it to you. Where's the DOS in that?
Legal or not, um, next case...
There is an Apache module for dealing with CodeRed in a civilised way, from ApacheWeek:

Continuing requests for /default.ida

We continue to get a large number of messages from system administrators who see requests for /default.ida in their Apache access logs. The requests look similar to this:

192.168.2.12 - - [19/Jul/2001:16:55:47 +0100] "GET /default.ida?NNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 400 252 -

If you are running Apache there is nothing to worry about, these requests are part of the [5]Code Red Worm designed to search out vulnerable IIS servers running on Windows. You can quite happily ignore these requests, or [6]get them back

6. http://www.apacheweek.com/issues/01-08-17#featured
9. http://www.onlamp.com/pub/a/apache/2001/08/16/code_red.html

Featured articles

In this section we highlight some of the articles on the web that are of interest to Apache users.

Fancy a role in Episode 2, Attack of the Code Red 2 Worm? No, this is not a new B-grade movie but how you can be a good internet citizen and let people know that their server has been infected by the Worm. One way is by using Apache::CodeRed written by Reuven M. Lerner. In this article, he explains how the module intercepts requests for /default.ida, determines the host name of the HTTP client, sends only one warning e-mail message in a 24-hour period to SecurityFocus and the administrator of that client, and keeps a list of IP addresses to be ignored.

--
Regards
f
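The behaviour the ApacheWeek excerpt attributes to Apache::CodeRed (spot /default.ida probes in the access log, notify at most once per client per 24 hours, honour an ignore list) as an added Python example; this is not the module's own code and sends no e-mail, it only records which notifications would be due. The log lines are constructed, the 'X' filler variant in the probe pattern is an assumption, and the parsing assumes Apache's common log format.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (made-up addresses and times, shortened probe query).
SAMPLE_LOG = """\
192.168.2.12 - - [19/Jul/2001:16:55:47 +0100] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 400 252
10.0.0.5 - - [19/Jul/2001:16:56:01 +0100] "GET /index.html HTTP/1.0" 200 1043
192.168.2.12 - - [19/Jul/2001:17:10:09 +0100] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 400 252
192.168.2.12 - - [20/Jul/2001:18:00:00 +0100] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 400 252
"""

# Common log format: client, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
# The worm's probe: GET /default.ida? plus a long filler run ('N' as in the excerpt; 'X' is an assumption).
PROBE_RE = re.compile(r'^GET /default\.ida\?[NX]{16,}')

def find_probes(log_text):
    """Return [(client_ip, timestamp)] for every /default.ida probe in the log."""
    probes = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and PROBE_RE.match(m.group('req')):
            when = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
            probes.append((m.group('ip'), when))
    return probes

class ProbeNotifier:
    """One notification per client per window; records them instead of e-mailing."""
    def __init__(self, ignore_ips=(), window=timedelta(hours=24)):
        self.ignore = set(ignore_ips)
        self.window = window
        self.last_sent = {}   # ip -> time of the last notification
        self.sent = []        # (ip, time) of notifications that would go out
    def observe(self, ip, when):
        """Return True if this probe triggers a new notification for ip."""
        if ip in self.ignore:
            return False
        last = self.last_sent.get(ip)
        if last is not None and when - last < self.window:
            return False      # already notified within the window: stay quiet
        self.last_sent[ip] = when
        self.sent.append((ip, when))
        return True

def notifications_for(log_text, ignore_ips=()):
    """Run a log through the notifier and return the notifications it would send."""
    notifier = ProbeNotifier(ignore_ips)
    for ip, when in find_probes(log_text):
        notifier.observe(ip, when)
    return notifier.sent
```

In the sample, the same client probes three times; only the first probe and the one more than 24 hours later produce a notification, and an ignore list silences it entirely.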
[ On Sunday, August 19, 2001 at 11:56:57 (+0100), Fearghas McKay wrote: ]
Subject: RE: Code Red 2 Erratication
Fancy a role in Episode 2, Attack of the Code Red 2 Worm? No, this is not a new B-grade movie but how you can be a good internet citizen and let people know that their server has been infected by the Worm.
It is very impolite to send automated notifications, even one per day, especially if dozens, or hundreds, or millions of Apache users all start doing this. Indeed the result could be worse for the net in general than CR itself. At least CR only affects the lame software that can be affected. Haven't we learned anything yet from the days when people wrote scripts to try and report DNS errors by parsing their named logs and e-mailing back to the zones that appear to have the problems?

--
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods@acm.org> <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>