If you follow these steps outlined by SANS you should be able to successfully update and NOT get infected. This is short, easy, fully documented (with pictures :) http://www.sans.org/rr/papers/index.php?id=1298 Donald.Smith@qwest.com GCIA http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC pgpFingerPrint:9CE4 227B B9B3 601F B500 D076 43F1 0767 AF00 EDCC kill -13 111.2
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Henry Linneweh Sent: Tuesday, May 04, 2004 2:19 AM To: Eric Krichbaum; nanog@merit.edu Subject: Re: FW: Worms versus Bots
It is amazingly simple to pull an ethernet cable out of the back of your box to update a box from a CD.... especially in a suspect environment where you have had many problems.
I have had the displeasure of having had to go from box to box and clean each individually and while many problems were stopped by Netscreen at the door, we still had to run enterprise protection per machine as a second line of defense and separate domains in the company for greater protection between the groups.
-Henry
--- Eric Krichbaum <eric.krichbaum@citynet.net> wrote:
I see times more typically in the 5 - 10 second range to infection. As a test, I unprotected a machine this morning on a single T1 to get a sample. 8 seconds. If you can get in 20 minutes of downloads you're luckier than most.
Eric
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of william(at)elan.net Sent: Monday, May 03, 2004 11:49 PM To: Sean Donelan Cc: Rob Thomas; NANOG Subject: Re: Worms versus Bots
On Mon, 3 May 2004, Sean Donelan wrote:
On Mon, 3 May 2004, Rob Thomas wrote:
] Just because a machine has a bot/worm/virus that didn't come with a rootkit, doesn't mean that someone else hasn't had their way with it.
Agreed.
Won't help. What's the first thing people do after re-installing the operating system (still have all the original CDs and keys and product activation codes and and and)? Connect to the Internet to download the patches. Time to download patches 60+ minutes. Time to infection 5 minutes.
It's possible it's a problem on dialup, but in our ISP office I set up new win2000 servers and the first thing I do is download all the patches. I've yet to see the server get infected in the 20-30 minutes it takes to finish it (Note: I also disable IIS just in case until everything is patched..).
Similarly when setting up computers for several of my relatives (all have dsl) I've yet to see any infection before all updates are installed.
In addition to that many users have a dsl router or similar device and many such beasts will provide a NATed ip block and act like a firewall not allowing outside servers to actually connect to your home computer. On this point it would be really interesting to see what percentage of users actually have these routers and if the decreasing speed of infections by new viruses (are there real numbers to show it decreased?) has anything to do with this rather than people being more careful and using antivirus.
Another option if you're really afraid of infection is to set up a proxy that only allows access to the microsoft ip block that contains the windows update servers.
And of course, there is an even BETTER OPTION than all the above - STOP USING WINDOWS and switch to Linux or Free(Mac)BSD ! :)
Patches are Microsoft's intellectual property and can not be distributed by anyone without Microsoft's permission.
I don't think this is quite true. Microsoft makes all patches available as individual .exe files. There are quite many of these updates and it's really a pain to actually get all of them and install the updates manually. But I've never seen it written anywhere that I can not download these .exe files and distribute them inside your company or to your friends as needed to fix the problems these patches are designed for.
The problem with Bots is they aren't always active. That makes them difficult to find until they do something.
As opposed to what, viruses? Not at all! Many viruses have periods when they are active and afterwards they go into "sleep" mode and will not activate until some other date!
Additionally a bot that does not immediately become active is a good thing because if you do weekly or monthly audits (and many do it like that) you may well find it this way and deal with it at your own time, rather than all of a sudden being awakened at 3am and having to clean up an infected system.
-- William Leibzon Elan Networks william@elan.net
On Tue, 4 May 2004, Smith, Donald wrote:
If you follow these steps outlined by SANS you should be able to successfully update and NOT get infected. This is short, easy, fully documented (with pictures :) http://www.sans.org/rr/papers/index.php?id=1298
The risk is smaller, but still exists if you follow these directions for XP pre-SP2. See the Microsoft release notes for XP SP2 for details about the fix. If you do not have XP SP2, you need to disconnect your computer from the network prior to every boot cycle until it is fully patched.
At 10:54 AM 5/4/2004, Sean Donelan wrote:
On Tue, 4 May 2004, Smith, Donald wrote:
If you follow these steps outlined by SANS you should be able to successfully update and NOT get infected. This is short, easy, fully documented (with pictures :) http://www.sans.org/rr/papers/index.php?id=1298
The risk is smaller, but still exists if you follow these directions for XP pre-SP2. See the Microsoft release notes for XP SP2 for details about the fix.
If you do not have XP SP2, you need to disconnect your computer from the network prior to every boot cycle until it is fully patched.
A much simpler mechanism than that described by SANS is to have a small, cheap NAT box in your bag (e.g. D-Link DI-604 or similar). Worth the $50 cost to have one available. Put the little router between the new machine to be brought up and whatever network you have access to. Now you can bring up the new machine and update it without having it get instantly infected. (Use some common sense... don't set up email until the machine is patched, or use any other sort of mechanism to pull in potential viruses before patching is done). (To deflect the inevitable "NAT is not a firewall" complaints, the box is a stateful inspection firewall -- as all NAT boxes actually are).
(To deflect the inevitable "NAT is not a firewall" complaints, the box is a stateful inspection firewall -- as all NAT boxes actually are).
Hmmm, are you saying that the solution to many so-called Internet security vulnerabilities is for people to use an SI Firewall, aka Simple, Inexpensive Firewall, aka Stateful Inspection Firewall? One wonders why the DSL/cable router manufacturers haven't caught on to this idea before now. If the goal is to actually change people's behavior and get them to secure their own computers then a name change like SI Firewall is actually an important tool. There is a lot of bad press out there for NAT and I wouldn't be surprised if a lot of the amateur technicians of the world are advising their clueless friends not to use it. But if ISPs would promote the use of an SI Firewall (Simple, Inexpensive Firewall) to their customers then perhaps we can get more uptake and an overall improvement in security without fussing around with frenzied patching sessions. --Michael Dillon
On Wed, 5 May 2004 Michael.Dillon@radianz.com wrote:
(To deflect the inevitable "NAT is not a firewall" complaints, the box is a stateful inspection firewall -- as all NAT boxes actually are).
Hmmm, are you saying that the solution to many so-called Internet security vulnerabilities is for people to use an SI Firewall, aka Simple, Inexpensive Firewall, aka Stateful Inspection Firewall?
It's not a real solution, it just goes a long way to reduce the number of infections and how quickly some worms can spread (although NAT would have no effect on the spread of viruses by email so the human factor is the primary problem).
One wonders why the DSL/cable router manufacturers haven't caught on to this idea before now.
It's not the manufacturers who did not catch on (in fact they did and offer very inexpensive personal dsl routers going all the way to the $20 range), it's the DSL providers who still offer a free dsl modem (a device at least twice as expensive as a router) and a free network card and complex instructions on how to set this all up on each different type of pc. No clue at all that it would be only very marginally more expensive for them to integrate the features of such a small nat router into the dsl modem and instead of offering PPPoverEthernet it could just offer NAT and DHCP and make it so much simpler for many of those lusers with only light computer skills to set this all up. -- William Leibzon Elan Networks william@elan.net
It's not the manufacturers who did not catch on (in fact they did and offer very inexpensive personal dsl routers going all the way to the $20 range), it's the DSL providers who still offer a free dsl modem (a device at least twice as expensive as a router) and a free network card and complex instructions on how to set this all up on each different type of pc. No clue at all that it would be only very marginally more expensive for them to integrate the features of such a small nat router into the dsl modem and instead of offering PPPoverEthernet it could just offer NAT and DHCP and make it so much simpler for many of those lusers with only light computer skills to set this all up.
Agreed. We require a NAT device or true firewall on all DSL customer connections. We sell cheap Linksys boxes to customers or they can upgrade to a SonicWall. We don't use an integrated modem/router because most of them are junk. You won't find a single Windows/Linux/Mac machine directly connected to our DSL network. I still like PPPoE for customer authentication because I can place individual packet filters or re-assign users to different contexts based on username/password authentication. PPPoE/NAT is a good combination. Coupling that with 3 levels of virus scanning on our mail server has reduced the effects of virus and worm spread inside the networks we control. We still get viruses & worms hitting us but it is at a more manageable rate. We are not a large provider by any means but I try my hardest to provide a solid network and protect the Internet from my users as much as possible. If only the users would not shop solely on price I would be all set :/ -Matt
-- William Leibzon Elan Networks william@elan.net
"william(at)elan.net" <william@elan.net> writes:
Hmmm, are you saying that the solution to many so-called Internet security vulnerabilities is for people to use an SI Firewall, aka Simple, Inexpensive Firewall, aka Stateful Inspection Firewall?
It's not a real solution, it just goes a long way to reduce the number of infections and how quickly some worms can spread (although NAT would have no effect on the spread of viruses by email so the human factor is the primary problem).
Note that Michael said "many", not "any and all". We do not tell people that washing your hands after using the bathroom and before handling food is "not a real solution" because it only protects against the spread of certain kinds of illnesses. ---rob
Any simple NAT (PNAT, to be correct) box decreases the chance of infection by the latest worms to 0. Just 0.0000%. Of course, it does not protect very well from intentional attacks, and does not protect against e-mail bombs and java script exploits. In reality, having WIN2K behind a NAT box connected to the internet 100% of the time is safer than having Windows with all patches installed every day, directly connected. The reason is simple:
- when the Win2K system behind NAT does not initiate internet connections, it is 100% safe;
- when such a system initiates internet connections, it exposes only client-side ports and is not vulnerable to any scans etc;
So, I agree - a NAT box is the very first _mandatory_ thing at home; all the others (firewall etc) are not necessary for most households at all (but antiviruses are, if you have e-mail or use the web).
On Wed, 5 May 2004 Michael.Dillon@radianz.com wrote:
(To deflect the inevitable "NAT is not a firewall" complaints, the box is a stateful inspection firewall -- as all NAT boxes actually are).
Hmmm, are you saying that the solution to many so-called Internet security vulnerabilities is for people to use an SI Firewall, aka Simple, Inexpensive Firewall, aka Stateful Inspection Firewall?
It's not a real solution, it just goes a long way to reduce the number of infections and how quickly some worms can spread (although NAT would have no effect on the spread of viruses by email so the human factor is the primary problem).
One wonders why the DSL/cable router manufacturers haven't caught on to this idea before now.
It's not the manufacturers who did not catch on (in fact they did and offer very inexpensive personal dsl routers going all the way to the $20 range), it's the DSL providers who still offer a free dsl modem (a device at least twice as expensive as a router) and a free network card and complex instructions on how to set this all up on each different type of pc. No clue at all that it would be only very marginally more expensive for them to integrate the features of such a small nat router into the dsl modem and instead of offering PPPoverEthernet it could just offer NAT and DHCP and make it so much simpler for many of those lusers with only light computer skills to set this all up.
-- William Leibzon Elan Networks william@elan.net
Once upon a time, Alexei Roudnev <alex@relcom.net> said:
Any simple NAT (PNAT, to be correct) box decreases the chance of infection by the latest worms to 0. Just 0.0000%.
The problem is that Joe User (or his kid) wants to run some random P2P program without having to reconfigure NAT port mappings, so they have all inbound connections mapped to a static internal IP. When the worms come knocking, the connections go right through and the static IP system gets infected, which then infects the Mom's computer, etc.; then you have 2+ times as much worm traffic sourced from that single public IP because there are multiple computers scanning. NAT does help if you just put necessary port mappings in place (and only for "secure" protocols). -- Chris Adams <cmadams@hiwaay.net> Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
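The two positions above (Alexei's "only client-side ports are exposed" behind dynamic PNAT, and Chris's counterexample of a static mapping or catch-all internal host) modelled as a toy translation table. This is an added example, not code from the thread; all addresses, ports and hosts are constructed.

```python
# Added example: a toy dynamic PNAT box, plus the static-map / DMZ-host
# configurations that let an unsolicited worm SYN through (all values constructed).
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class PnatBox:
    public_ip: str
    forwards: Dict[int, Tuple[str, int]] = field(default_factory=dict)  # public port -> (ip, port)
    dmz_host: Optional[str] = None  # catch-all inside host for any other inbound traffic
    # (remote ip, remote port, public port) -> (inside ip, inside port)
    table: Dict[Tuple[str, int, int], Tuple[str, int]] = field(default_factory=dict)
    next_port: int = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """Inside host opens a flow: allocate a public port and remember who may answer."""
        pub_port = self.next_port
        self.next_port += 1
        self.table[(pkt.dst, pkt.dport, pub_port)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, pub_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an inbound packet for delivery inside, or return None if dropped."""
        entry = self.table.get((pkt.src, pkt.sport, pkt.dport))
        if entry:  # reply to a flow an inside host initiated
            return Packet(pkt.src, pkt.sport, entry[0], entry[1])
        if pkt.dport in self.forwards:  # explicit static mapping
            ip, port = self.forwards[pkt.dport]
            return Packet(pkt.src, pkt.sport, ip, port)
        if self.dmz_host:  # everything else lands on the DMZ host
            return Packet(pkt.src, pkt.sport, self.dmz_host, pkt.dport)
        return None  # dynamic PNAT only: an unsolicited SYN has no mapping

def worm_scan_hits(box: PnatBox, port: int = 445) -> Optional[str]:
    """Simulate a scanner's SYN to a Windows port; return the inside host reached, if any."""
    hit = box.inbound(Packet("198.51.100.7", 3333, box.public_ip, port))  # constructed scanner
    return hit.dst if hit else None

def update_reply_delivered(box: PnatBox) -> bool:
    """Inside host fetches patches over port 80; check the server's reply gets back to it."""
    out = box.outbound(Packet("192.168.0.2", 1025, "192.0.2.50", 80))  # constructed update server
    back = box.inbound(Packet("192.0.2.50", 80, box.public_ip, out.sport))
    return back is not None and back.dst == "192.168.0.2"
```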
** Reply to message from Chris Adams <cmadams@hiwaay.net> on Fri, 7 May 2004 09:45:36 -0500
Once upon a time, Alexei Roudnev <alex@relcom.net> said:
Any simple NAT (PNAT, to be correct) box decreases the chance of infection by the latest worms to 0. Just 0.0000%.
The problem is that Joe User (or his kid) wants to run some random P2P program without having to reconfigure NAT port mappings, so they have all inbound connections mapped to a static internal IP. When the worms come knocking, the connections go right through and the static IP system gets infected, which then infects the Mom's computer, etc.; then you have 2+ times as much worm traffic sourced from that single public IP because there are multiple computers scanning.
If Joe (L)User or his kid sets up his NAT that way... well, quite honestly he gets what he deserves. Protecting against active, deliberate stupidity is probably more than my job description covers. I do get paid to clean up the mess afterwards however. And in at least one case I have set it up for a customer that they are behind a NAT that they can't reconfigure - 3 strikes and I was out of patience. But I suggest that in my experience the above sort of thing is relatively rare.
NAT does help if you just put necessary port mappings in place (and only for "secure" protocols).
I don't know about that last part - do you consider http and ftp to be secure protocols? -- Jeff Shultz A railfan pulls up to a grade crossing hoping that there will be a train.
Nothing (except a good spanking -:)) can help in such a case. We are not talking about static NAT and inbound connections. I was talking about dynamic PNAT _only_.
Once upon a time, Alexei Roudnev <alex@relcom.net> said:
Any simple NAT (PNAT, to be correct) box decreases the chance of infection by the latest worms to 0. Just 0.0000%.
The problem is that Joe User (or his kid) wants to run some random P2P program without having to reconfigure NAT port mappings, so they have all inbound connections mapped to a static internal IP. When the worms come knocking, the connections go right through and the static IP system gets infected, which then infects the Mom's computer, etc.; then you have 2+ times as much worm traffic sourced from that single public IP because there are multiple computers scanning.
NAT does help if you just put necessary port mappings in place (and only for "secure" protocols). -- Chris Adams <cmadams@hiwaay.net> Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.