Iljitsch van Beijnum <iljitsch@muada.com> wrote:
> On Thu, 20 Feb 2003, William Allen Simpson wrote:
>> Worse, it only takes 1 infected host to re-infect the entire net in about 10 minutes. So, the entire 'net has to cooperate, or we'll see continual re-infection.
>
> Only if people didn't fix their servers. And if they didn't, this "reverse" denial of service attack is a good reminder.

what was that one worm from a year or two ago that was eliminated from the net, oh yeah, code red......if they didn't fix themselves the first round, what makes you think they will fix it the second time, or the third...

>> Unfortunately, this is a cost that prevents pain to others, rather than self-inflicted pain. Another pollution of the commons issue.
>
> Seems to me that filtering is no longer necessary unless you have reason to believe your customers are going to install new vulnerable boxes or vulnerable software on existing boxes AND their pipe to you is so big the excess traffic is going to hurt you more than them.

the reason is that ms sql and msde are vulnerable out of the box, and since ms is such a popular o/s, you can be reasonably certain that new vulnerable boxes are installed every day. and while a vulnerable box on a small pipe may slow the initial growth, how long would it take to find another vulnerable box on a big pipe? i still get 8K plus hits against my acls per day for udp/1434...(75 in the time it took to write this email)

joshua

"Walk with me through the Universe,
 And along the way see how all of us are Connected.
 Feast the eyes of your Soul,
 On the Love that abounds.
 In all places at once, seemingly endless,
 Like your own existence."
  - Stephen Hawking -
Yo Joshua!

On Thu, 20 Feb 2003, Joshua Smith wrote:
> i still get 8K plus hits against my acls per day for udp/1434...(75 in the time it took to write this email)

You are probably doing as much damage as good. udp/1434 is not a reserved port. A lot of what you are blocking is legit traffic that picked a random port to use for an ad-hoc use.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller, Rellim, 20340 Empire Blvd, Suite E-3, Bend, OR 97701
gem@rellim.com  Tel: +1(541)382-8588  Fax: +1(541)382-8676
On Thu, 20 Feb 2003, Joshua Smith wrote:
>> Only if people didn't fix their servers. And if they didn't, this "reverse" denial of service attack is a good reminder.
>
> what was that one worm from a year or two ago that was eliminated from the net, oh yeah, code red......if they didn't fix themselves the first round, what makes you think they will fix it the second time, or the third...

Their link to the net is unusable if they're infected, so not doing anything is not an option. If a box is going to be infected, we want it to happen immediately upon installation. Friday night late is no fun...

(Un)fortunately, the number of worm packets still coming in is too low for this (about 1 per second for a /19, so it takes a few hours on average for an IP address to be hit.)

Also unfortunate is the fact that the worm has shown it can bypass many filters. It's not clear how exactly, but I guess it has something to do with broadcasts or multicasts. So depending on a filter to protect vulnerable boxes isn't an entirely safe approach, especially if there is a lot of infrastructure between the filter and the box.

Maybe the best approach is to try and deliberately infect the entire local net every few minutes or so to detect new vulnerable systems while the people installing them are still on the premises.
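Two points in this thread lend themselves to a small worked check: Gary's remark that a blanket udp/1434 ACL also drops legitimate flows whose randomly chosen ephemeral port happened to be 1434, and Iljitsch's estimate that roughly 1 worm packet per second against a /19 means hours before any given address is hit. The script below is an added example written for this page, not code from any of the posters. It parses constructed ACL deny lines (modelled on Cisco IOS `%SEC-6-IPACCESSLOGP` syslog output; list number 101 and all addresses are made up), separates hits aimed *at* port 1434 from hits where 1434 is merely the source port, lists which sources are plausibly infected, and computes the two rates. The ephemeral range 1025-5000 in the usage call is an assumption about Windows hosts of that era.

```python
import re
from collections import Counter

SQL_MONITOR_PORT = 1434  # udp/1434, the port discussed in the thread

# Constructed sample lines, modelled on Cisco IOS "IPACCESSLOGP" syslog
# output for a "log" ACL entry. List number 101 and all addresses are
# made up (RFC 5737 documentation ranges).
SAMPLE_LOG = """\
Feb 20 10:01:02: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(3310) -> 203.0.113.40(1434), 1 packet
Feb 20 10:01:03: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.9(1434) -> 203.0.113.40(1434), 1 packet
Feb 20 10:01:05: %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.55(1434) -> 192.0.2.20(53), 1 packet
Feb 20 10:01:07: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.12(4020) -> 203.0.113.41(1434), 3 packets
Feb 20 10:01:09: %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.56(1434) -> 192.0.2.21(123), 1 packet
""".splitlines()

DENY_RE = re.compile(
    r"denied udp (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<n>\d+) packet"
)


def parse(lines):
    """Yield (src, sport, dst, dport, packets) for each parsable deny line."""
    for line in lines:
        m = DENY_RE.search(line)
        if m:
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["n"]))


def classify(lines):
    """Split denied packets by which side of the flow carries port 1434.

    'toward_1434'   : destination port 1434. Traffic aimed at the SQL monitor
                      port; the only class a worm filter needs to drop.
    'ephemeral_1434': source port 1434 only, destination some other service.
                      A host whose random ephemeral port happened to be 1434.
                      An ACL matching 1434 on either side drops these too,
                      which is the collateral damage Gary points at.
    """
    counts = Counter()
    for _src, sport, _dst, dport, n in parse(lines):
        if dport == SQL_MONITOR_PORT:
            counts["toward_1434"] += n
        elif sport == SQL_MONITOR_PORT:
            counts["ephemeral_1434"] += n
    return dict(counts)


def likely_infected_sources(lines):
    """Source addresses that sent packets *to* udp/1434, in address order.

    These are the hosts a defender would contact or quarantine; sources that
    only used 1434 as an ephemeral port say nothing about infection."""
    hits = {src for src, _, _, dport, _ in parse(lines) if dport == SQL_MONITOR_PORT}
    return sorted(hits, key=lambda a: tuple(int(o) for o in a.split(".")))


def mean_time_to_hit_seconds(prefix_len, packets_per_second):
    """Mean wait before one given address in a /prefix_len receives a worm
    packet, assuming targets are picked uniformly at random (Iljitsch's
    1 pps per /19 estimate)."""
    addresses = 2 ** (32 - prefix_len)
    return addresses / packets_per_second


def expected_ephemeral_collisions(flows_per_day, eph_low, eph_high):
    """Expected legitimate outbound UDP flows per day whose random source
    port is 1434, given a host's ephemeral range [eph_low, eph_high]."""
    if not eph_low <= SQL_MONITOR_PORT <= eph_high:
        return 0.0
    return flows_per_day / (eph_high - eph_low + 1)


if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
    print(likely_infected_sources(SAMPLE_LOG))
    hours = mean_time_to_hit_seconds(19, 1.0) / 3600
    print(f"/19 at 1 pps: mean {hours:.2f} h before a given address is hit")
    # Assumed: a Windows host of that era using ephemeral ports 1025-5000.
    print(expected_ephemeral_collisions(10_000, 1025, 5000))
```

With the sample above, five denied packets were aimed at port 1434 and two were ordinary flows that merely originated from port 1434; a /19 at 1 pps works out to a mean of 8192 seconds, a little over two hours, per address. A filter that matches only the destination port keeps the first class and passes the second.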