worm impersonating ms

Gerald Combs gerald at ethereal.com
Sat Sep 20 16:03:01 CDT 2003


On Fri, 19 Sep 2003, Karl Schmidt wrote:

> 
> > harmless to linux, but somewhat of a problem out
> > there where the normal people grow.
> 
> Not exactly harmless to Linux - I talked to my Colo ISP's Netops guy 
> today. He basically said that if the ping attacks were on port 80, 
> much of the Internet would be down.  They are blocking Ping most of the 
> time and he says he has so many customers infected that he has no choice.
> 
> Seems like they need to lock out accounts that are infected via 
> automated scripts?

How about blocking the automated scripts in the first place, e.g. by
blocking MSRPC, MSSQL, and other shouldn't-be-routed-across-the-Internet
ports?

BTW, how do you differentiate between an infected, scanning host and
someone legitimately running an Nmap or Nessus scan?

> Dealing with the viruses is now taking up 99% of their time.

Part of the problem is that DSL and cable providers are trying to cut
costs by using simple bridging devices instead of firewalls on the
customer end.  This creates a huge pool of easily-infected devices which
collectively have an enormous amount of bandwidth at their disposal.

I helped a rural telco roll out DSL several years ago.  They took me up on
my recommendation to use DSL modems with built-in firewalls.  They're now
happy about this decision -- they barely noticed the Blaster and Welchia
worms.

> The Internet is at risk of losing the ability to do useful traceroutes 
> as of now.

You can still do useful traceroutes, it's just that the standard
traceroute tools are becoming less useful.  Most Unix/Linux traceroute
utilities are derived from the LBL sources (ftp.ee.lbl.gov), and support
only UDP and ICMP probes.  Windows' "tracert" only supports ICMP.  This is
often not so useful in heavily restricted environments such as corporate
networks (and now many ISP networks).  

A tool called tcptraceroute uses TCP probes, so tracing the route to a web
server using "tcptraceroute www.somehost.com 80" would get past any
network ACLs or firewall rules in place.  Tcptraceroute lives at

    http://michael.toren.net/code/tcptraceroute/

RPMs exist for various distributions, and it's in the Gentoo portage tree.  
