Re: Large ISP response to Code Red?

From: Seth Arnold (sarnold@wirex.com)
Date: 07/31/01


Date: Mon, 30 Jul 2001 17:54:43 -0700
From: Seth Arnold <sarnold@wirex.com>
To: incidents@securityfocus.com
Subject: Re: Large ISP response to Code Red?
Message-ID: <20010730175443.S15481@wirex.com>

On Mon, Jul 30, 2001 at 05:21:09PM -0700, Jon O . wrote:
> As we all have seen the call to action regarding Code Red and the
> next infection phase, I'm wondering what kind of action has been
> taken by the large ISPs to deal with this issue?

I can't speak for the ISPs, but my guess is: very little. The attack
looks like a standard web request without filtering the packets
in-depth, which is both expensive and likely more intrusive than most
customers would like.

Consider also: changing one byte could make the thing impotent. Changing
several bytes could make it much more virulent. (Note the two strains.)
Changing many bytes could make its eventual DDoS attack much more
powerful (e.g., perform a DNS lookup on www.whitehouse.gov this time
around to get any attempts at nullrouting the single IP).

When does one say, "oh, this is safe data for my clients" or "hey, this
isn't safe for my clients"?

> Have these ISPs confirmed they have taken action to prevent
> an even worse reinfection phase than the first time and if not
> why?

All they can really do is educate their users. I'd hope everyone has
heard of the problem by now. I further hope people head to Microsoft's
site to download all the service packs and hotfixes and patches. Yes, it
will take a long time, but I think everyone will tend to agree it is
worth the time spent upgrading.

> This is a real case of either being part of the problem or part
> of the solution and I believe these ISPs should be accountable for
> their own bandwidth.

They are. They pay for their peering agreements with other ISPs, so it
makes sense for them to try to educate their users to the best of their
abilities -- otherwise, they wind up paying for more bandwidth used by
their clients, which ends up charging the clients more.

I think picking on the ISPs is the wrong approach. Ask Microsoft why it
took over a month before their patches were applied to nearly half a
million systems.[1] Ask Microsoft why they don't perform better code
audits to find the gaping holes in their software. But don't bother the
ISPs too much -- if they start blocking OS/WebServer specific yet
RFC-compliant traffic, their customers may not like the intrusion. (I
know I don't want my web traffic scanned to protect people who don't
patch their systems...)

<much more rant>
I am honestly surprised no one has filed a lawsuit against Microsoft for
all the lost billions I hear about every time a melissa or kournikova or
code red gets in the wild.
</much more rant>

Cheers.

[1] they put an awful lot of effort into copy protection .. how about
'forced upgrade protection', that disables internet connections when
computers are unpatched for 14 days after release of a patch? Or how
about machines that automatically apply patches? Or email administrators
every time a patch is released?

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
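The post above makes a detection point in passing: the worm's traffic is a single HTTP request that looks ordinary unless the packet is inspected in depth, and changing one byte of it defeats an exact-match rule. The example below is added here to illustrate that point over access-log lines and is not part of the original message. The request bytes, the log lines, the `.ida` path and the 200-character query threshold are all constructed placeholders, not the worm's real payload or any ISP's actual filter.

```python
"""Exact signature versus overflow heuristic on web access-log lines.

Added example (not from the original post). The worm request below is a
constructed stand-in: an overlong query string sent to an ISAPI extension,
which is the shape of a buffer-overflow attempt, not the real worm bytes.
"""
import re

# Constructed stand-in for the worm's single request (hypothetical bytes).
WORM_QUERY = "N" * 240
EXACT_SIGNATURE = "GET /default.ida?" + WORM_QUERY + " HTTP/1.0"

# Common Log Format, as an access log would hand it to a script.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$'
)


def parse_request(req):
    """Split 'METHOD /path?query HTTP/x.y' into (method, path, query)."""
    parts = req.split(" ")
    if len(parts) != 3:
        return None
    method, target, _version = parts
    path, _, query = target.partition("?")
    return method, path, query


def exact_match(req):
    """Byte-for-byte rule: fires only on the exact request it was written for."""
    return req == EXACT_SIGNATURE


def overflow_heuristic(req, max_query=200):
    """Shape-based rule: an .ida target with a query far longer than any
    legitimate client would send. Threshold is an assumption for the example."""
    parsed = parse_request(req)
    if parsed is None:
        return False
    _method, path, query = parsed
    return path.lower().endswith(".ida") and len(query) > max_query


def scan(lines):
    """Run both rules over log lines; unparseable lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        req = m.group("req")
        findings.append({
            "ip": m.group("ip"),
            "exact": exact_match(req),
            "heuristic": overflow_heuristic(req),
        })
    return findings


# Constructed sample log (documentation addresses, made-up timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Jul/2001:17:54:43 -0700] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.11 - - [30/Jul/2001:17:55:01 -0700] "' + EXACT_SIGNATURE + '" 200 0',
    # Same request with one byte changed: the exact rule misses it, the heuristic does not.
    '192.0.2.12 - - [30/Jul/2001:17:55:09 -0700] "GET /default.ida?' + "N" * 239 + 'X HTTP/1.0" 200 0',
    # Short, ordinary-looking .ida request: neither rule fires.
    '192.0.2.13 - - [30/Jul/2001:17:56:00 -0700] "GET /search.ida?q=foo HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The third sample line is the "change one byte" case from the post: the exact rule is silent while the length heuristic still fires. The trade-off the post describes is visible in the fourth line, where the heuristic has to be tuned so that ordinary requests to the same extension stay below the threshold, and in the fact that applying either rule at all means looking inside customers' web requests.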
