mailing list archives
Re: [Re: M$SQL cleanup incentives]
From: Iljitsch van Beijnum <iljitsch () muada com>
Date: Fri, 21 Feb 2003 09:56:57 +0100 (CET)
On Thu, 20 Feb 2003, Joshua Smith wrote:
Only if people didn't fix their servers. And if they didn't, this
"reverse" denial of service attack is a good reminder.
what was that one worm from a year or two ago that was eliminated from the
net, oh yeah, code red......if they didn't fix themselves the first round,
what makes you think they will fix it the second time, or the third...
Their link to the net is unusable if they're infected so not doing
anything is not an option.
If a box is going to be infected, we want it to happen immediately upon
installation. Friday night late is no fun... (Un)fortunately, the number
of worm packets still coming in is too low for this (about 1 per second
for a /19, so it takes a few hours on average for an IP address to be
hit.) Also unfortunate is the fact that the worm has shown it can bypass
many filters. It's not clear how exactly, but I guess it has something
to do with broadcasts or multicasts. So depending on a filter to protect
vulnerable boxes isn't an entirely safe approach, especially if there is
a lot of infrastructure between the filter and the box.
Maybe the best approach is to try and deliberately infect the entire
local net every few minutes or so to detect new vulnerable systems while
the people installing them are still on the premises.