Firewall Wizards mailing list archives
Re: NIMDA, how to stop it
From: "Robin S. Socha" <robin-dated-1010453951.80d13d () socha net>
Date: Fri, 04 Jan 2002 21:01:18 -0500
begin R_DuFresne.exe <dufresne () sysinfo com> writes:
On Fri, 4 Jan 2002, Alan Young wrote:
speaking of NIMDA, as a general recommendation, what would you all recommend as an effective firewall setup to stop NIMDA? Can I stop NIMDA with just a PIX? Or do I need some sort of other "virus firewall" in addition to our PIX?
R., you are focusing on one problem. That's not a viable solution. DoS attacks launched by, spread through, and propagated with broken software are nothing you can do away with by using additional software. The proper solution to fix broken things is to fix them. If your car manufacturer delivered your car with broken brakes - would you put an air balloon on your bumper? No? Then why are you advocating virus scanners? [...]
The best way to defend against this nasty code, in our mind is:
educating users about e-mail and teaching them not to just point and click on mails whose origin they are not sure of and which contain attachments.
Your point is moot. Microsoft Outlook has executed code upon viewing messages. Null argument.
anti-virus software not just on the servers, but on each desktop also; keeping the virus signatures on the servers and desktops is a must.
No virus scanner has ever prohibited the spreading of a fast virus. None. Just as you don't get a little pregnant you don't rely on broken software (virus scanners are broken because they cannot find viruses they don't know).
Patching IIS servers to prevent their infection; the patches had been available before this or Code Red and its variants had been released, but few folks took the patches seriously, thus the quick spread of these nasties as well as the vast number of machines that remain infected to this day.
I can't find the URL right now but there recently was an interesting article somewhere on one of the major security websites about how it's impossible for the average user to install them. Also, Microsoft - being a marketing shop, not a software manufacturer, because you don't make money trying to legitimately sell broken software - is not very good at handling what they refer to as issues: blatant displays of utter, total, embarrassing inabilities to code even the simplest programs without major security exploits. The point is: as long as there are Microsoft products on the net, they can and will be used as attack tools against other machines. You're trying to describe helpless attempts to fix broken software - if you are honest enough to put it this way, that's fine. Your "solution" is not, however, a solution. Solved problems cease to exist.
Of course, folks not using Windows related products are less likely to face difficulties with these nasties, though others infected throughout the net can affect your company's bandwidth when such viri/worms are unleashed and start to spread as quickly as such code these days does...
I'm sitting on a lot of bandwidth. I also run OpenBSD mailservers with qmail. I felt all of the recent Microsoft viruses. "Admins" running MSIS and Exchange are potential enemies. Managements employing these attack tools are potential enemies. It's time people like you woke up, got a clue and told the truth: you're not running Microsoft products because they are superior (anyone got any advantages of Win2k/MSIS over $UNIX/$UNIX_WEBSERVER?) but for other reasons.
Being this worm has a diverse number of attack vectors, some comprising often open ports via smtp and http, it has been extremely difficult to deal with via simple firewalling concepts. Proxies can help some, but not completely...
You are confused. My mailservers are tarpitted. My webservers have bandwidth limitations. Tarpitting has proven a good approach against Microsoft email viruses. Forcing people like Alan into not using the attack tools would be even better, though.
Of course, others might have additional or better info, so I could well stand corrected, and would appreciate any corrections.
There is nothing to correct. Your approach is completely wrong because you're focussing on defending broken software with broken software. A viable strategy is to eliminate the broken software, though. BTW, for the fun of it do:

find pine4.05 -type f | xargs egrep '(sprintf|strcpy|strcat)' | wc -l

and make sure to have a barf bag at hand.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
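The tarpitting Robin mentions for his mailservers, illustrated as an added example that is neither part of the original post nor any list member's actual setup: a per-source connection-rate policy that stalls the SMTP greeting longer and longer for a client that keeps reconnecting, which is the behaviour of a mass-mailing worm's built-in SMTP engine (many short-timeout connections) but not of a patient, standards-conforming MTA that retries later. The window, thresholds, hostname, port and the injectable clock are my assumptions; the asyncio front end is a toy that never accepts mail and exists only to show where the stall is applied. In a real deployment the delay would live in the MTA's SMTP greeting path.

```python
# Added example (not from the original thread): SMTP greeting tarpit.
import asyncio
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 600      # assumed: sliding window for counting connections per source
FREE_CONNECTIONS = 3      # assumed: this many connections per window are served at once
BASE_DELAY = 2.0          # assumed: seconds of stall for the first excess connection
MAX_DELAY = 120.0         # assumed: cap, so a busy legitimate relay is not starved
HOSTNAME = "mail.example.invalid"   # assumed greeting banner name


class TarpitPolicy:
    """Decide how long to stall the SMTP greeting for a given client address.

    The delay doubles with every connection beyond FREE_CONNECTIONS inside the
    window, up to MAX_DELAY.  A worm that hammers the server from one host hits
    the cap quickly; a normal MTA rarely reconnects often enough to be delayed.
    """

    def __init__(self, window=WINDOW_SECONDS, free=FREE_CONNECTIONS,
                 base=BASE_DELAY, cap=MAX_DELAY, clock=time.monotonic):
        self.window = window
        self.free = free
        self.base = base
        self.cap = cap
        self.clock = clock                 # injectable so tests can fake time
        self._seen = defaultdict(deque)    # ip -> timestamps of recent connections

    def _prune(self, ip, now):
        q = self._seen[ip]
        while q and now - q[0] > self.window:
            q.popleft()

    def delay_for(self, ip):
        """Record a new connection from ip and return the stall in seconds."""
        now = self.clock()
        self._prune(ip, now)
        q = self._seen[ip]
        q.append(now)
        excess = len(q) - self.free
        if excess <= 0:
            return 0.0
        return float(min(self.cap, self.base * (2 ** (excess - 1))))


async def handle(reader, writer, policy, hostname=HOSTNAME):
    """Toy SMTP front end: stall the 220 banner, then defer every command."""
    peer = writer.get_extra_info("peername")
    ip = peer[0] if peer else "unknown"
    delay = policy.delay_for(ip)
    # A real MTA waits several minutes for the greeting; a worm's SMTP engine
    # typically gives up in seconds, so the stall costs only the attacker.
    await asyncio.sleep(delay)
    writer.write(f"220 {hostname} ESMTP\r\n".encode())
    await writer.drain()
    try:
        while True:
            line = await asyncio.wait_for(reader.readline(), timeout=300)
            if not line:
                break
            words = line.split()
            cmd = words[0].upper() if words else b""
            if cmd == b"QUIT":
                writer.write(b"221 2.0.0 Bye\r\n")
                await writer.drain()
                break
            # Each further command is stalled too; a temporary failure tells a
            # genuine MTA to retry later while the worm wastes its time here.
            await asyncio.sleep(min(delay, 10.0))
            writer.write(b"450 4.7.1 Try again later\r\n")
            await writer.drain()
    except asyncio.TimeoutError:
        pass
    finally:
        writer.close()


async def serve(host="127.0.0.1", port=2525):
    """Run the toy tarpit; port 2525 is an assumption for unprivileged testing."""
    policy = TarpitPolicy()
    server = await asyncio.start_server(
        lambda r, w: handle(r, w, policy), host, port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(serve())
```

Try it with `nc 127.0.0.1 2525` a few times in a row: the fourth connection within ten minutes waits two seconds for its banner, the fifth four, and so on up to the cap, while connections from a different address are unaffected. The policy is the part worth keeping; the server is only there to show where the sleep goes.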