Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.)

From: Gert-Jan Hagenaars (blender@hagenaars.com)
Date: 09/07/01


Date: Thu, 6 Sep 2001 23:49:27 -0400
From: Gert-Jan Hagenaars <blender@hagenaars.com>
To: vuln-dev@securityfocus.com
Subject: Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.)
Message-ID: <20010906234926.A32280@hagenaars.com>

Apparently, Stanley G. Bubrouski wrote:
% On Thu, 6 Sep 2001, Emre Yildirim wrote:
%
% It may sound unreasonable but using access-lists on routers is a
% great way for companies and providers to stop the spread of Code Red. By
% blocking all traffic from a person's machine they are then forced to call
% their provider's tech support to report they lost their connection. The
% provider then can inform the customer they are infected, explain to them
% they must patch their system, remove them from the ACLs, wait 24 hours and
% if they show signs they are patched then do not reapply the ACL.

This doesn't work on machines that connect via DHCP.

The whole notion of using manhours to combat a DOS attack is an out of
date idea. Besides, you're turning the problem into a problem for
the ISPs. Which (essentially) means that you're turning the ISPs into
internet-cops.

I see four distinct problems with this approach: on one server we got
about 1200 distinct hits of code-red in 24 hours.

(first problem) How many thousands of emails do I have to send in a
week to get through to the ISPs, and

(second problem) who's going to handle all these requests in a timely
manner and

(third problem) judge the validity of my claims? And,

(fourth problem) who's going to pick up the bill for calling all these
customers?

Consider the cost of a support call when a customer calls an ISP (CDN
7 about four years ago (when I worked for an ISP), very likely higher
now), and that's when you don't have to spend time finding out which
number to call, nor having to find the right person at the other end of
the phone ("my son always takes care of this stuff, but I can't get to
yahoo and i'm paying you guys for my internet connection!")

If your proposed approach worked, we wouldn't have any SPAM either.
And that's an area where (most) ISPs _want_ to battle this.

I think a passive inoculation (worm) that doesn't seek out victims, but
only counters infected systems (where the admins (if they exist) don't
care) is a far better approach. It's certainly more cost effective,
definitely quicker and obviously less prone to error.

So... where's the linux version?

Cheers,
Gert-Jan.

-- 
+++++++++++++ -------- +++++ --- ++ - +0+ + ++ +++ +++++ ++++++++ +++++++++++++
sed '/^[when][coders]/!d         G.J.W. Hagenaars -- gj at hagenaars dot com
    /^...[discover].$/d          Remembering Mike Carty 1968-1994
   /^..[real].[code]$/!d         UltrixIrixAIXHPUXSunOSLinuxBSD, nothing but nix
' /usr/dict/words                I'm Dutch, what's _your_ excuse?


