Security Incidents mailing list archives

Re: Large ISP response to Code Red?


From: Seth Arnold <sarnold () wirex com>
Date: Mon, 30 Jul 2001 17:54:43 -0700

On Mon, Jul 30, 2001 at 05:21:09PM -0700, Jon O . wrote:
> As we all have seen the call to action regarding Code Red and the
> next infection phase, I'm wondering what kind of action has been
> taken by the large ISPs to deal with this issue?

I can't speak for the ISPs, but my guess is: very little. The attack
looks like a standard web request without filtering the packets
in-depth, which is both expensive and likely more intrusive than most
customers would like.

Consider also: changing one byte could make the thing impotent. Changing
several bytes could make it much more virulent. (Note the two strains.)
Changing many bytes could make its eventual DDoS attack much more
powerful (e.g., perform a DNS lookup on www.whitehouse.gov this time
around to get around any attempts at nullrouting the single IP).

When does one say, "oh, this is safe data for my clients" or "hey, this
isn't safe for my clients"?

> Have these ISPs confirmed they have taken action to prevent
> an even worse reinfection phase than the first time and if not
> why?

All they can really do is educate their users. I'd hope everyone has
heard of the problem by now. I further hope people head to Microsoft's
site to download all the service packs and hotfixes and patches. Yes, it
will take a long time, but I think everyone will tend to agree it is
worth the time spent upgrading.

> This is a real case of either being part of the problem or part
> of the solution and I believe these ISPs should be accountable for
> their own bandwidth.

They are. They pay for their peering agreements with other ISPs, so it
makes sense for them to try to educate their users to the best of their
abilities -- otherwise, they wind up paying for more bandwidth used by
their clients, which ends up charging the clients more.

I think picking on the ISPs is the wrong approach. Ask Microsoft why it
took over a month before their patches were applied to nearly half a
million systems.[1] Ask Microsoft why they don't perform better code
audits to find the gaping holes in their software. But don't bother the
ISPs too much -- if they start blocking OS/WebServer specific yet
RFC-compliant traffic, their customers may not like the intrusion. (I
know I don't want my web traffic scanned to protect people who don't
patch their systems...) 

<much more rant>
I am honestly surprised no one has filed a lawsuit against Microsoft for
all the lost billions I hear about every time a Melissa or Kournikova or
Code Red gets in the wild.
</much more rant>

Cheers.


[1] They put an awful lot of effort into copy protection .. how about
'forced upgrade protection', that disables internet connections when
computers are unpatched for 14 days after release of a patch? Or how
about machines that automatically apply patches? Or email administrators
every time a patch is released?
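Added example, not part of Seth's message or the list: the "changing one byte could make the thing impotent" point above is really a point about signatures. The block below runs two detectors over constructed web-server log lines in the shape of the Code Red request to /default.ida (a long run of filler characters followed by %u-encoded bytes). A byte-exact signature on the "N" strain misses the "X" strain and misses a copy with a single filler byte changed; a structural rule (request to /default.ida with an overlong query containing %u escapes) catches all three and ignores a short, legitimate .ida request. The filler length, the 100-character query threshold and the shortened %u payload fragment are assumptions for the example, not captured worm traffic. Note that the structural rule only works because it parses the HTTP request line itself, which is exactly the in-depth filtering the message says ISPs are unlikely to do.

```python
import re

# Constructed request shape: long filler, then %u-encoded bytes. The
# payload fragment is shortened and illustrative, not the real worm.
FILLER_LEN = 224
PAYLOAD = "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
MIN_QUERY_LEN = 100  # assumed threshold for "overlong" .ida query


def ida_request(filler_char, mutate_at=None):
    """Build a Code Red-style request; optionally change one filler byte."""
    filler = list(filler_char * FILLER_LEN)
    if mutate_at is not None:
        filler[mutate_at] = "M"  # single-byte change in the filler
    return "GET /default.ida?" + "".join(filler) + PAYLOAD + " HTTP/1.0"


def log_line(src, request, status=200):
    """Common Log Format line, constructed for this example."""
    return f'{src} - - [30/Jul/2001:17:00:00 -0700] "{request}" {status} 4108'


# Constructed sample log (not real captures).
SAMPLE_LOG = [
    log_line("10.0.0.11", ida_request("N")),                 # "N" strain
    log_line("10.0.0.12", ida_request("X")),                 # "X" strain
    log_line("10.0.0.13", ida_request("N", mutate_at=100)),  # one byte changed
    log_line("10.0.0.14", "GET /default.ida?name=test HTTP/1.1"),  # benign .ida
    log_line("10.0.0.15", "GET /index.html HTTP/1.1"),       # ordinary request
]

# Byte-exact signature taken from the "N" strain only.
EXACT_SIGNATURE = ida_request("N")

REQUEST_RE = re.compile(r'"([^"]*)"')
IDA_REQUEST_RE = re.compile(r'^GET /default\.ida\?(\S+) HTTP/1\.[01]$')
UNICODE_ESCAPE_RE = re.compile(r'%u[0-9a-fA-F]{4}')


def request_of(line):
    """Extract the quoted request string from a CLF line."""
    m = REQUEST_RE.search(line)
    return m.group(1) if m else ""


def exact_match(line):
    """Naive detector: the exact request string of one strain."""
    return EXACT_SIGNATURE in line


def structural_match(line):
    """Structural detector: overlong /default.ida query carrying %u escapes."""
    m = IDA_REQUEST_RE.match(request_of(line))
    if not m:
        return False
    query = m.group(1)
    return len(query) >= MIN_QUERY_LEN and UNICODE_ESCAPE_RE.search(query) is not None


def classify(lines):
    """Run both detectors over every line; returns one dict per line."""
    return [
        {"src": line.split()[0],
         "exact": exact_match(line),
         "structural": structural_match(line)}
        for line in lines
    ]


def counts(lines):
    """Number of lines flagged by each detector."""
    rows = classify(lines)
    return {"exact": sum(r["exact"] for r in rows),
            "structural": sum(r["structural"] for r in rows)}


if __name__ == "__main__":
    for row in classify(SAMPLE_LOG):
        print(f'{row["src"]:<12} exact={row["exact"]!s:<5} '
              f'structural={row["structural"]}')
    print(counts(SAMPLE_LOG))
```

Running it flags one line with the exact signature and three with the structural rule; the two benign lines trip neither. The structural rule is not a free lunch either: it still has to reassemble and parse the request, and a variant that moved the overflow to a different ISAPI extension or a shorter filler would need a new rule, which is the arms race the message describes.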

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
