Re: Large ISP response to Code Red?

From: Seth Arnold (sarnoldat_private)
Date: Mon Jul 30 2001 - 17:54:43 PDT


    On Mon, Jul 30, 2001 at 05:21:09PM -0700, Jon O . wrote:
    > As we all have seen the call to action regarding Code Red and the
    > next infection phase, I'm wondering what kind of action has been
    > taken by the large ISPs to deal with this issue?
    
    I can't speak for the ISPs, but my guess is: very little. The attack
    looks like a standard web request without filtering the packets
    in-depth, which is both expensive and likely more intrusive than most
    customers would like.
    
    Consider also: changing one byte could make the thing impotent. Changing
    several bytes could make it much more virulent. (Note the two strains.)
    Changing many bytes could make its eventual DDoS attack much more
    powerful (e.g., perform a DNS lookup on www.whitehouse.gov this time
    around to get any attempts at nullrouting the single IP).
    
    When does one say, "oh, this is safe data for my clients" or "hey, this
    isn't safe for my clients"?
    
    > Have these ISPs confirmed they have taken action to prevent 
    > an even worse reinfection phase than the first time and if not
    > why?
    
    All they can really do is educate their users. I'd hope everyone has
    heard of the problem by now. I further hope people head to Microsoft's
    site to download all the service packs and hotfixes and patches. Yes, it
    will take a long time, but I think everyone will tend to agree it is
    worth the time spent upgrading.
    
    > This is a real case of either being part of the problem or part
    > of the solution and I believe these ISPs should be accountable for
    > their own bandwidth.
    
    They are. They pay for their peering agreements with other ISPs, so it
    makes sense for them to try to educate their users to the best of their
    abilities -- otherwise, they wind up paying for more bandwidth used by
    their clients, which ends up charging the clients more.
    
    I think picking on the ISPs is the wrong approach. Ask Microsoft why it
    took over a month before their patches were applied to nearly half a
    million systems.[1] Ask Microsoft why they don't perform better code
    audits to find the gaping holes in their software. But don't bother the
    ISPs too much -- if they start blocking OS/WebServer specific yet
    RFC-compliant traffic, their customers may not like the intrusion. (I
    know I don't want my web traffic scanned to protect people who don't
    patch their systems...) 
    
    <much more rant>
    I am honestly surprised no one has filed a lawsuit against Microsoft for
    all the lost billions I hear about every time a melissa or kournikova or
    code red gets in the wild.
    </much more rant>
    
    Cheers.
    
    
    [1] they put an awful lot of effort into copy protection .. how about
    'forced upgrade protection', that disables internet connections when
    computers are unpatched for 14 days after release of a patch? Or how
    about machines that automatically apply patches? Or email administrators
    every time a patch is released? 
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
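
The reply above makes two defender-relevant points: the worm's traffic looks like an ordinary HTTP request unless you inspect it, and a one-byte change (the "two strains") would defeat any exact-byte signature. The following is an added example, not part of the original post or the list archive, showing how the distinction plays out in a web-server log scanner. It assumes a simplified log format of `client_ip method url status` and constructs its own sample lines; the request path `/default.ida` with a long filler query is the widely documented shape of the Code Red request to the IIS `.ida` ISAPI extension, while the filler contents, thresholds (200-character query, 100-character filler run) and the `%u0000` suffix are constructed for the example and are not taken from any real capture.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines in an assumed "client_ip method url status" format.
# Strain A and strain B differ only in the filler byte, mirroring the post's point
# that a single-byte change yields a "new strain" as far as exact signatures go.
STRAIN_A = "/default.ida?" + "N" * 224 + "%u9090%u0000=a"
STRAIN_B = "/default.ida?" + "X" * 224 + "%u9090%u0000=a"
SAMPLE_LOG = "\n".join([
    "10.0.0.5 GET /index.html 200",
    "10.0.0.7 GET /query.ida?CiRestriction=test 200",  # benign use of the .ida extension
    "10.0.0.9 GET " + STRAIN_A + " 200",
    "10.0.0.10 GET " + STRAIN_B + " 200",
])

LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

# Exact-byte signature written against strain A only (hypothetical, for contrast).
EXACT_SIGNATURE = "/default.ida?" + "N" * 224


@dataclass
class Finding:
    ip: str
    url: str
    reasons: tuple


def parse_line(line):
    """Split one assumed-format log line into fields, or return None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def longest_single_char_run(s):
    """Length of the longest run of one repeated character (filler detection)."""
    best = cur = 0
    prev = None
    for ch in s:
        cur = cur + 1 if ch == prev else 1
        prev = ch
        best = max(best, cur)
    return best


def exact_signature_match(url):
    """Brittle check: matches only the exact filler bytes of strain A."""
    return EXACT_SIGNATURE in url


def classify_request(url, max_query_len=200, min_filler_run=100):
    """Structural check: flag requests to the .ida/.idq ISAPI extension whose
    query string has the shape of an overflow attempt rather than a real query.
    Returns a tuple of reason tags (empty tuple means nothing suspicious)."""
    path, _, query = url.partition("?")
    reasons = []
    if path.lower().endswith((".ida", ".idq")):
        if len(query) > max_query_len:
            reasons.append("long-query-to-isapi")
        if "%u" in query.lower():
            reasons.append("unicode-escape-in-query")
        if longest_single_char_run(query) >= min_filler_run:
            reasons.append("filler-run")
    return tuple(reasons)


def scan_log(text):
    """Run the structural check over every parseable line and collect findings."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify_request(rec["url"])
        if reasons:
            findings.append(Finding(rec["ip"], rec["url"], reasons))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f.ip, "exact-sig:", exact_signature_match(f.url), "structural:", f.reasons)
```

Running the block shows the exact signature catching only strain A, while the structural check flags both strains and leaves the benign `.ida` query alone. The structural rules are the kind of thing an ISP or a site operator could apply to its own logs after the fact, without the deep packet inspection of customer traffic that the post argues most customers would not accept.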
    
    This archive was generated by hypermail 2b30 : Mon Jul 30 2001 - 18:59:07 PDT