PDA

View Full Version : code red 2/3



07-08-2001, 11:15 AM
just a little something i picked up off www.grc.com this morning-

'It's somewhat surprising that nobody has yet used the Code Red fiasco
as an analogy. Granted that the 3 'strains' seen so far have not as
yet caused any widespread disruption of the Internet. However, as has
been discussed elsewhere, a new 'strain' modified in the correct
fashion could conceivably bring about mayhem.

This worm is spreading because of laziness, ineptitude and lack of
discipline. It should never have happened, the people responsible for
the continued spread of Code Red are largely the people that are paid
to administer their systems in such a manner that this kind of thing
never gets to happen. These people are in a profession that should put
them way above the much maligned home user.

There has been enough publicity about CR and the patches and warnings
have been around for weeks, so how come it's happening? How come
corporate servers are left unpatched? how come servers maintained by
trained and supposedly proficient people are crassly and
embarrassingly open to infection and propagation?


As I sit and watch the incredible number of probes to port 80, very
few of which are down to home users, I cannot help but wonder at the
irony regarding clueless 'home users'. The 'professionals' would
appear to not be so hot at securing their systems themselves, and
they are supposed to lead by example.

If they can't even apply simple patches against a threat that is
advertised weeks in advance, what hope is there of convincing poor old
'Joe Public' that he or she should take security seriously?'

This is a message from the webmaster of a local @Home users group. His
observations about the use of illegal servers on @Home accounts is
telling; I would not have espected that to be so prevalent:

Aug 3rd - Why the site isnt there (or is it?)

I'm guessing that everyone with an @Home connection
thinks this website is down right
now.

Fortunately, they're only 1/2 correct. The site is
running, but traffic to it is being blocked
by the datacenter that houses the server.

Why?

Because right now, @Home users' unprotected illegal
servers are infected producing
enough traffic to saturate a pair of OC-3 fibers.

And because of this, the datacenter had no choice but to
block all traffic originating in
@Home or RoadRunner IP ranges. The traffic alone (since
their NT servers are
innoculated, and the Linux servers are not suceptible) is
enough to knock out a
datacenter if left unchecked...

I think this goes to show two things:

1) there's a lot of people running IIS in @home resential
accounts

and

2) there's a lot of people who are NOT running virus
scanners.

Right now, I'm bouncing through a secure forwarding
service to write this. Anyone who's
not on an @Home or Roadrunner network will be able the
get in fine.... but until traffic
dies to a manageable level, everyone else is SOL.
____________
Webmaster,
RBUA.ORG

07-08-2001, 12:39 PM
I like that grc.com site, reading about that DoS attack on his site was really interesting.