Re: Large ISP response to Code Red?

From: Seth Arnold (sarnoldat_private)
Date: Tue Jul 31 2001 - 15:37:08 PDT

    On Tue, Jul 31, 2001 at 02:57:18PM -0400, Jonathan A. Zdziarski wrote:
    > To reiterate, IMHO it's both the fault of the vendor and the ISP.  MS
    > *should* have had a patch out for this long before this happened.
    
    Microsoft had a patch available one month before the worm gained
    national news status. June 18th. The worm had its peak on July 19th
    (only as a result of a self-imposed 20th deadline .. how many more
    machines could have been involved had it waited until the 21st?)
    
    Sadly, it claimed only Microsoft Index Server 2.0 and Indexing Service
    in Windows 2000 as affected, with a note that Windows XP's Indexing
    Service is also vulnerable. Thus, folks that don't use MS's Index* Serv*
    product didn't bother. (And those are the folks that bother to receive
    security news from Microsoft. How many countless others don't bother?)
    Simply having the problem dll on the machine is sufficient, as far as I
    can tell.
    
    I still maintain ISPs cannot and should not be held liable for this
    perfectly legitimate http traffic. If any ISPs feel like making efforts
    to prevent the spread etc, great. That the one ISP mentioned here
    recently called their infected customers is simply amazing -- and if
    other ISPs wanted to follow suit, I would be pleased. But let's not force
    ISPs to do anything other than provide service to the internet.
    
    (And yes, if more ISPs want to perform ingress and egress filtering of
    RFC 1918 addresses, I'm all for that too. But that wouldn't have helped
    here.)
    



    This archive was generated by hypermail 2b30 : Tue Jul 31 2001 - 16:03:21 PDT