On Mon, Jul 30, 2001 at 05:21:09PM -0700, Jon O . wrote:

> As we all have seen the call to action regarding Code Red and the
> next infection phase, I'm wondering what kind of action has been
> taken by the large ISPs to deal with this issue?

I can't speak for the ISPs, but my guess is: very little. The attack looks like a standard web request without filtering the packets in-depth, which is both expensive and likely more intrusive than most customers would like.

Consider also: changing one byte could make the thing impotent. Changing several bytes could make it much more virulent. (Note the two strains.) Changing many bytes could make its eventual DDoS attack much more powerful (e.g., perform a DNS lookup on www.whitehouse.gov this time around to get any attempts at nullrouting the single IP). When does one say, "oh, this is safe data for my clients" or "hey, this isn't safe for my clients"?

> Have these ISPs confirmed they have taken action to prevent
> an even worse reinfection phase than the first time and if not
> why?

All they can really do is educate their users. I'd hope everyone has heard of the problem by now. I further hope people head to Microsoft's site to download all the service packs and hotfixes and patches. Yes, it will take a long time, but I think everyone will tend to agree it is worth the time spent upgrading.

> This is a real case of either being part of the problem or part
> of the solution and I believe these ISPs should be accountable for
> their own bandwidth.

They are. They pay for their peering agreements with other ISPs, so it makes sense for them to try to educate their users to the best of their abilities -- otherwise, they wind up paying for more bandwidth used by their clients, which ends up charging the clients more. I think picking on the ISPs is the wrong approach.
Ask Microsoft why it took over a month before their patches were applied to nearly half a million systems.[1] Ask Microsoft why they don't perform better code audits to find the gaping holes in their software. But don't bother the ISPs too much -- if they start blocking OS/WebServer specific yet RFC-compliant traffic, their customers may not like the intrusion. (I know I don't want my web traffic scanned to protect people who don't patch their systems...)

<much more rant>
I am honestly surprised no one has filed a lawsuit against Microsoft for all the lost billions I hear about every time a Melissa or Kournikova or Code Red gets in the wild.
</much more rant>

Cheers.

[1] they put an awful lot of effort into copy protection .. how about 'forced upgrade protection', that disables internet connections when computers are unpatched for 14 days after release of a patch? Or how about machines that automatically apply patches? Or email administrators every time a patch is released?

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
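The point above about one changed byte defeating a filter is easy to see in log-side detection, which is the defender's counterpart to the packet filtering the ISPs are being asked to do. The following Python is an added illustration, not code from the original post or from any ISP or SecurityFocus tool. It reads constructed access-log lines (fabricated here; the two ".ida" requests are modelled on the "N" and "X" padding styles of the two Code Red strains the message alludes to, with made-up trailing bytes) and compares a byte-exact signature against a structural rule that looks at the shape of the request (an .ida target with an abnormally long query string). The exact signature misses the second strain; the structural rule catches both while leaving an ordinary short .ida request alone. The 200-character threshold is an assumption chosen for the sample, not a published figure.

```python
import re
from typing import Callable, List, Optional, Tuple

# Constructed sample access-log lines in common log format. The two
# "/default.ida" requests are fabricated for this example, modelled only on
# the padding styles of the two Code Red strains ("N" run vs. "X" run).
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Jul/2001:17:30:01 -0700] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.9 - - [30/Jul/2001:17:30:02 -0700] "GET /default.ida?'
    + "N" * 224 + '%u9090%u6858%ucbd3 HTTP/1.0" 200 0',
    '10.0.0.9 - - [30/Jul/2001:17:30:03 -0700] "GET /default.ida?'
    + "X" * 224 + '%u9090%u6858%ucbd3 HTTP/1.0" 200 0',
    '10.0.0.7 - - [30/Jul/2001:17:30:04 -0700] "GET /search.ida?q=printers HTTP/1.0" 200 512',
]

# Pulls the quoted request line out of a common-log-format entry.
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def parse_request(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (method, path, query) from a log line, or None if no request is found."""
    m = _REQUEST_RE.search(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return m.group("method"), path, query


# Hypothetical byte-exact signature: the literal query prefix of one strain only.
EXACT_SIGNATURE = "/default.ida?" + "N" * 224


def exact_signature_match(line: str) -> bool:
    """Flag only requests containing the exact byte sequence of one strain.

    A single changed padding byte (the other strain) is enough to evade this."""
    return EXACT_SIGNATURE in line


def structural_match(line: str, min_query_len: int = 200) -> bool:
    """Flag any request for an .ida resource carrying an abnormally long query.

    This keys on the shape of the request rather than its bytes, so it is
    indifferent to which padding character was used. The threshold is an
    assumption for this sample, not a published figure."""
    parsed = parse_request(line)
    if parsed is None:
        return False
    _, path, query = parsed
    return path.lower().endswith(".ida") and len(query) >= min_query_len


def scan(lines: List[str], matcher: Callable[[str], bool]) -> List[int]:
    """Return the indexes of the lines that the given matcher flags."""
    return [i for i, line in enumerate(lines) if matcher(line)]


if __name__ == "__main__":
    print("exact signature hits:", scan(SAMPLE_LOG, exact_signature_match))
    print("structural rule hits:", scan(SAMPLE_LOG, structural_match))
```

Run against the sample, the exact signature flags only the "N"-padded line, while the structural rule flags both padded requests and ignores the benign short .ida query. The trade-off is the one the message describes: the looser the rule, the more it catches, and the more ordinary traffic an ISP would have to inspect in depth to apply it.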
This archive was generated by hypermail 2b30 : Mon Jul 30 2001 - 18:59:07 PDT