RE: Good Job, White House!
IMHO "fixing" whitehouse.gov scales much better than "fixing" *.mil in a number of interesting ways. YMMV -Al -----Original Message----- From: Alan Clegg [mailto:alan@clegg.com] Sent: Monday, July 23, 2001 8:24 PM To: nanog@merit.org Subject: Good Job, White House! According to: http://abcnews.go.com/sections/world/DailyNews/militarycyberattack_010723.ht ml
In recent weeks, variations of the virus are believed to have infected at least 225,000 business and institutional computer systems. Last Thursday, infected computers were instructed to flood the White House Web site, but with minutes to spare the White House was able to protect itself.
I'm personally more pleased with the network operators that dealt with the problem. Thanks, Guys! I'm not exactly sure what the White House did. The above web page also confirms that http://*.mil:80 is currently unavailable. I guess the military should contact the White House to see how to go about fixing the problem. AlanC
Actually, what they did was disgustingly simple - it was observed that (1) the IP address, not the hostname, of www1.whitehouse.gov was hardcoded into the worm, and (2) the worm made a connection to port 80 on that IP address to make sure the host was live before launching the DoS. Given these two weaknesses, all that the whitehouse.gov admins had to do was move the server to a different IP, and nullroute the old IP. The worm tried to contact the old IP, couldn't open a socket, and quietly went dormant. I would expect that the next worm of this type will have neither of these vulnerabilities. -C
I'm personally more pleased with the network operators that dealt with the problem. Thanks, Guys! I'm not exactly sure what the White House did.
-- --------------------------- Christopher A. Woodfield rekoil@semihuman.com PGP Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB887618B
participants (2)
-
Christopher A. Woodfield -
Rowland, Alan D