Web Servers initiate outbound connections all the time in a B2B application. Such Application behavior is getting more commonplace all the time. Vulnerability is a matter of attack type. Any compromise should count as success, but that is a different matter. Speed of propagation is what Flash and Warhol is all about. How to slow down such types of worms is a tough nut to crack. Trending in Application behavior by a Firewall seems like a likely method. Comparing normal inbound request rate and outbound rate trends for a particular Application could trip an alert notifying the administrator that there may be a host that has been compromised. Perhaps it could be made faster by noting the IP packet rates rather then making the Firewall Application aware (whatever). However, that is only the aftermath. I don't think prevention is possible without knowing ahead of time the exploit. ---K Bruno Treguier wrote: > Stuart Staniford wrote: > > > Agreed - we're only talking about saturation of the hosts that can actually > > be attacked from the Internet, are vulnerable to whatever exploit the worm > > has, are currently connected to the Internet, and have publically routable > > static Internet addresses. What we're arguing is that the worm can reach > > all of those hosts that it's going to reach in O(30secs) if it's small and > > uses the kind of strategies we discuss. > > Hello Stuart, > > Being vulnerable to a given exploit and having a public and routable IP > address are of course 2 necessary conditions, but they are not sufficient: > the infected host must be able, in his turn, to infect other machines, and > this, as far as most services are concerned, can be prevented or at least > limited by an efficient filtering policy: why, for example, would a web server > be allowed to initiate an outbound connection (except in very special and rare > cases) ? > Ok, in the case of a mail server, this argument may be of a lesser importance, > though, as most of them are inbound AND outbound. :-) > > Or maybe I simply misunderstood the term "vulnerable host", which may mean > "host that can be infected and that can infect in his turn" ? > > Best regards, > > Bruno > > -- > -- Service Hydrographique et Oceanographique de la Marine --- EPSHOM/INF > -- 13, rue du Chatellier --- BP 30316 --- 29603 Brest Cedex, FRANCE > -- Phone: +33 2 98 22 17 49 --- Email: Bruno.Treguierat_private > > ---------------------------------------------------------------------------- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Aug 22 2001 - 10:20:24 PDT