Interesting People mailing list archives
-- more on -- so what will we do to avoid another mass attack on the "net"
From: Dave Farber <dave () farber net>
Date: Sun, 24 Aug 2003 03:39:19 -0400
Date: Sat, 23 Aug 2003 18:38:49 -0700
From: Todd Meister <todd () lmi net>
Subject: Re: [IP] so what will we do to avoid another mass attack on the "net"
Sender: drtboi () bitslinger net
To: dave () farber net

Dave Farber writes:
> ...just what will we do to avoid the chaos that the
> next one and the next next one will generate.

I haven't seen an instance of the worm in my mailbox since Thursday.

I am an admin at a small ISP, and though the other admin and I share approximately the same level of skills, they don't match up exactly. For instance, I am much more comfortable reaching into the guts of our sendmail system and rearranging things in our config files. I mention this because I was out on vacation when all this started, and didn't really get back to work until Thursday morning. When I got back, I had hundreds of copies of the worm sitting in my mailbox.

Thursday morning, our mail servers started choking under the strain of all the worms coming through, as they had choked the previous two days, only worse. The worm started causing secondary outages (pop3, for instance), and the number of processes on our mail servers (which also perform other tasks) was coming dangerously close to crashing them.

In desperation, as the other admin grepped and destroyed worms within the mail queue, I added a very simple rule to our sendmail config file, one suggested by a member of the spam-l list. The rule simply doesn't allow mail clients who connect with a single-token EHLO/HELO to send mail. Because of the way most Windows mail clients work, we couldn't use this on our outgoing, customer-use SMTP servers, but we use it on all our MX and customer MX boxes. Only a very small portion of actual mail servers in use on the internet are broken to the point that they send single-token EHLO/HELOs, but this one rule completely stopped the Sobig flood. We spent the rest of the day draining the backup mail queue until our servers overloaded again, stopping sendmail, then starting over.

Several hours later, things were back to just slightly busier than normal. Slightly busier because our mail server was busily rejecting Sobig connection attempts. Right now, we're blocking about 20-30% of all incoming messages through this ruleset. Of course, some of these are from poorly-written spam bulkmailers, too, but like I said, I haven't seen a single worm in my inbox since I implemented this rule on Thursday, and I was getting well over 100/day the previous two days.

Obviously, this is a temporary fix. Sobig could be very easily rewritten to give a proper HELO. And blocking bad HELOs is considered poor conduct, since so many old, misconfigured, or Windows-based mail clients use them. But maybe if the larger, less standards-interested software companies would start to work at playing better with the rest of the internet, and adhering to the standards developed by those older and wiser, these minor internet catastrophes could be avoided. I mean, from what I understand, part of the way this worm was able to spread so quickly was Microsoft's distaste for following best practices in regards to email attachments. And if these companies continue to think with their marketing departments, perhaps all those affected by them need to take at least temporary action, such as our solution to the worm, or perhaps defanging all incoming attachments.

-Todd
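The single-token HELO/EHLO check Todd describes, written out as an added Python example (not code from the post, and not the sendmail rule itself) so its effect on a handful of greetings can be seen offline. It also carries the two caveats a practitioner would want before copying the idea: an RFC 5321 address literal such as "[192.0.2.5]" is a legitimate one-word greeting and should not be refused, and a workstation-style greeting like "WORKSTATION" shows why the same rule cannot go on a customer submission server. All hostnames, addresses and the sample connection list are constructed for illustration.

```python
"""Model of an MX that refuses mail from clients greeting with a
single-token HELO/EHLO, as described in the post above.

Added example, not from the original message. The sample data and the
host names below are constructed; nothing here talks to a network.
"""
import re

# RFC 5321 section 4.1.3 address literal, e.g. [192.0.2.5] or [IPv6:2001:db8::1].
# A client greeting with one of these is standards-compliant even though
# the greeting contains no dot-separated hostname labels.
_ADDRESS_LITERAL = re.compile(r"^\[(?:IPv6:)?[0-9A-Fa-f:.]+\]$")


def is_single_token(helo_arg: str) -> bool:
    """Return True when the HELO/EHLO argument is one bare label.

    "mail.example.org" -> False   (fully qualified, accepted)
    "WORKSTATION"      -> True    (what the post's rule blocks)
    "[192.0.2.5]"      -> False   (address literal, kept as accepted)
    """
    arg = helo_arg.strip()
    if not arg:
        return True                      # empty greeting: treat as broken
    if _ADDRESS_LITERAL.match(arg):
        return False
    return "." not in arg


def check_helo(helo_arg: str, my_hostname: str = "mx.example.net") -> str:
    """SMTP reply the modelled MX sends in response to HELO/EHLO <helo_arg>."""
    if is_single_token(helo_arg):
        return "550 5.7.1 HELO/EHLO argument must be a fully qualified hostname"
    return f"250 {my_hostname} Hello {helo_arg.strip()}"


# Constructed connection log: (client IP, HELO/EHLO argument as sent).
SAMPLE_CONNECTIONS = [
    ("192.0.2.10",   "mail.example.org"),   # normal MTA
    ("198.51.100.7", "WORKSTATION"),        # desktop client or worm-style greeting
    ("203.0.113.9",  "[203.0.113.9]"),      # address literal, legal per RFC 5321
    ("192.0.2.44",   "mx2.example.co.uk"),  # normal MTA
    ("198.51.100.8", ""),                   # empty greeting
    ("203.0.113.30", "spamhost"),           # bare word, rejected
]


def triage(connections):
    """Split connections into (accepted, rejected) lists by the HELO rule.

    Each element of the returned lists is (client_ip, helo_arg, smtp_reply).
    """
    accepted, rejected = [], []
    for client_ip, helo in connections:
        reply = check_helo(helo)
        (rejected if reply.startswith("550") else accepted).append((client_ip, helo, reply))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = triage(SAMPLE_CONNECTIONS)
    for ip, helo, reply in ok + bad:
        print(f"{ip:15} HELO {helo!r:22} -> {reply}")
    share = len(bad) / len(SAMPLE_CONNECTIONS)
    print(f"rejected {len(bad)} of {len(SAMPLE_CONNECTIONS)} connections ({share:.0%})")
```

On the constructed sample the rule refuses the bare-word and empty greetings and lets the two MTAs and the address-literal client through; the "WORKSTATION" entry is the case that makes the rule unusable on a submission server, since that is how a typical desktop client announces itself.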
-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/