Re: Flash Worms

From: Bruno Treguier (Bruno.Treguier@shom.fr)
Date: 08/21/01 

Message-Id: <200108211608.f7LG84900962@shom.fr>
To: Stuart Staniford <stuart@silicondefense.com>
Subject: Re: Flash Worms 
From: Bruno Treguier <Bruno.Treguier@shom.fr>
Date: Tue, 21 Aug 2001 18:08:03 +0200

Stuart Staniford wrote:

> Agreed - we're only talking about saturation of the hosts that can actually
> be attacked from the Internet, are vulnerable to whatever exploit the worm
> has, are currently connected to the Internet, and have publically routable
> static Internet addresses. What we're arguing is that the worm can reach
> all of those hosts that it's going to reach in O(30secs) if it's small and
> uses the kind of strategies we discuss.

Hello Stuart,

Being vulnerable to a given exploit and having a public and routable IP
address are of course 2 necessary conditions, but they are not sufficient:
the infected host must be able, in his turn, to infect other machines, and
this, as far as most services are concerned, can be prevented or at least
limited by an efficient filtering policy: why, for example, would a web server
be allowed to initiate an outbound connection (except in very special and rare
cases) ?
Ok, in the case of a mail server, this argument may be of a lesser importance,
though, as most of them are inbound AND outbound. :-)

Or maybe I simply misunderstood the term "vulnerable host", which may mean
"host that can be infected and that can infect in his turn" ?

Best regards,

Bruno 

-- 
--   Service Hydrographique et Oceanographique de la Marine ---  EPSHOM/INF
--     13, rue du Chatellier ---  BP 30316  --- 29603 Brest Cedex, FRANCE
--        Phone: +33 2 98 22 17 49  ---  Email: Bruno.Treguier@shom.fr

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Relevant Pages