Security Incidents mailing list archives
Re: Flash Worms
From: Kevin Reardon <Kevin.Reardon () oracle com>
Date: Tue, 21 Aug 2001 12:51:07 -0700
Web Servers initiate outbound connections all the time in a B2B application. Such Application behavior is getting more commonplace all the time. Vulnerability is a matter of attack type. Any compromise should count as success, but that is a different matter. Speed of propagation is what Flash and Warhol is all about. How to slow down such types of worms is a tough nut to crack. Trending in Application behavior by a Firewall seems like a likely method. Comparing normal inbound request rate and outbound rate trends for a particular Application could trip an alert notifying the administrator that there may be a host that has been compromised. Perhaps it could be made faster by noting the IP packet rates rather than making the Firewall Application aware (whatever). However, that is only the aftermath. I don't think prevention is possible without knowing ahead of time the exploit.

---K

Bruno Treguier wrote:

> Stuart Staniford wrote:
> > Agreed - we're only talking about saturation of the hosts that can actually be attacked from the Internet, are vulnerable to whatever exploit the worm has, are currently connected to the Internet, and have publicly routable static Internet addresses. What we're arguing is that the worm can reach all of those hosts that it's going to reach in O(30secs) if it's small and uses the kind of strategies we discuss.
>
> Hello Stuart,
>
> Being vulnerable to a given exploit and having a public and routable IP address are of course 2 necessary conditions, but they are not sufficient: the infected host must be able, in its turn, to infect other machines, and this, as far as most services are concerned, can be prevented or at least limited by an efficient filtering policy: why, for example, would a web server be allowed to initiate an outbound connection (except in very special and rare cases)? Ok, in the case of a mail server, this argument may be of a lesser importance, though, as most of them are inbound AND outbound. :-)
>
> Or maybe I simply misunderstood the term "vulnerable host", which may mean "host that can be infected and that can infect in its turn"?
>
> Best regards,
>
> Bruno
>
> --
> Service Hydrographique et Oceanographique de la Marine --- EPSHOM/INF
> 13, rue du Chatellier --- BP 30316 --- 29603 Brest Cedex, FRANCE
> Phone: +33 2 98 22 17 49 --- Email: Bruno.Treguier () shom fr

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
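One way to implement the rate-trending idea Kevin sketches above, as an added example that is not part of the original thread: a small Python detector over constructed connection records that compares each host's current outbound:inbound ratio against that host's own baseline, so a web server that suddenly starts initiating connections trips an alert while a mail relay (for which outbound traffic is normal) does not. The host names, record shape, window size and thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed flow records: (minute, host, direction). "in" = a connection the
# host accepted, "out" = a connection the host initiated. A real deployment
# would derive these from firewall or NetFlow logs (assumed format).
FLOWS = [
    # minutes 0-4: normal web-server behaviour, mostly inbound, a trickle outbound
    *[(m, "web1", "in") for m in range(5) for _ in range(40)],
    *[(m, "web1", "out") for m in range(5) for _ in range(2)],
    # minute 5: web1 suddenly initiates 300 outbound connections
    *[(5, "web1", "in") for _ in range(40)],
    *[(5, "web1", "out") for _ in range(300)],
    # mail1: high outbound is normal for a mail relay, so it must not alert
    *[(m, "mail1", "in") for m in range(6) for _ in range(30)],
    *[(m, "mail1", "out") for m in range(6) for _ in range(30)],
]

def per_minute_counts(flows):
    """Return {host: {minute: [inbound, outbound]}}."""
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for minute, host, direction in flows:
        counts[host][minute][0 if direction == "in" else 1] += 1
    return counts

def detect_outbound_anomalies(flows, baseline_minutes=5, ratio_threshold=3.0, min_out=20):
    """Flag hosts whose outbound:inbound ratio in the latest minute exceeds
    ratio_threshold times their own baseline ratio (computed over the first
    baseline_minutes), requiring at least min_out outbound connections so that
    a handful of connections cannot trip the alert.
    Returns {host: (baseline_ratio, current_ratio)}."""
    alerts = {}
    for host, minutes in per_minute_counts(flows).items():
        ordered = sorted(minutes)
        base = [minutes[m] for m in ordered[:baseline_minutes]]
        latest = minutes[ordered[-1]]
        base_in = sum(i for i, _ in base) or 1
        base_out = sum(o for _, o in base)
        base_ratio = base_out / base_in
        cur_ratio = latest[1] / (latest[0] or 1)
        # floor the baseline so a host with zero historical outbound still has a threshold
        if latest[1] >= min_out and cur_ratio > ratio_threshold * max(base_ratio, 0.01):
            alerts[host] = (round(base_ratio, 3), round(cur_ratio, 3))
    return alerts

if __name__ == "__main__":
    print(detect_outbound_anomalies(FLOWS))  # {'web1': (0.05, 7.5)}
```

Because the comparison is against each host's own history, the same logic tolerates the inbound-and-outbound mail server Bruno mentions without a per-application rule.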