Security Incidents mailing list archives

Re: Flash Worms

From: Kevin Reardon <Kevin.Reardon () oracle com>
Date: Tue, 21 Aug 2001 12:51:07 -0700

Web Servers initiate outbound connections all the time in a B2B application.  Such
Application behavior is getting more commonplace all the time.

Vulnerability is a matter of attack type.  Any compromise should count as success,
but that is a different matter.  Speed of propagation is what Flash and Warhol is
all about.  How to slow down such types of worms is a tough nut to crack.

Trending in Application behavior by a Firewall seems like a likely method.
Comparing normal inbound request rate and outbound rate trends for a particular
Application could trip an alert notifying the administrator that there may be a
host that has been compromised.  Perhaps it could be made faster by noting the IP
packet rates rather then making the Firewall Application aware (whatever).
However, that is only the aftermath.  I don't think prevention is possible without
knowing ahead of time the exploit.


---K

Bruno Treguier wrote:

Stuart Staniford wrote:

Agreed - we're only talking about saturation of the hosts that can actually
be attacked from the Internet, are vulnerable to whatever exploit the worm
has, are currently connected to the Internet, and have publically routable
static Internet addresses.  What we're arguing is that the worm can reach
all of those hosts that it's going to reach in O(30secs) if it's small and
uses the kind of strategies we discuss.


Hello Stuart,

Being vulnerable to a given exploit and having a public and routable IP
address are of course 2 necessary conditions, but they are not sufficient:
the infected host must be able, in his turn, to infect other machines, and
this, as far as most services are concerned, can be prevented or at least
limited by an efficient filtering policy: why, for example, would a web server
be allowed to initiate an outbound connection (except in very special and rare
cases) ?
Ok, in the case of a mail server, this argument may be of a lesser importance,
though, as most of them are inbound AND outbound. :-)

Or maybe I simply misunderstood the term "vulnerable host", which may mean
"host that can be infected and that can infect in his turn" ?

Best regards,

Bruno

--
--   Service Hydrographique et Oceanographique de la Marine ---  EPSHOM/INF
--     13, rue du Chatellier ---  BP 30316  --- 29603 Brest Cedex, FRANCE
--        Phone: +33 2 98 22 17 49  ---  Email: Bruno.Treguier () shom fr

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Flash Worms Stuart Staniford (Aug 17)
- Re: Flash Worms Michal Zalewski (Aug 18)
  - Re: Flash Worms Stuart Staniford (Aug 18)
    - Re: Flash Worms Michal Zalewski (Aug 18)
    - Re: Flash Worms jaywhy (Aug 18)
    - Re: Flash Worms Dragos Ruiu (Aug 19)
    - Re: Flash Worms Shoten (Aug 23)
    - Re: Flash Worms Kevin Reardon (Aug 24)
    - Re: Flash Worms Stuart Staniford (Aug 22)
    - Re: Flash Worms Bruno Treguier (Aug 21)
    - Re: Flash Worms Kevin Reardon (Aug 22)
  - Re: Flash Worms Robert Graham (Aug 18)
    - Re: Flash Worms Jose Nazario (Aug 19)
    - Flash Worms and congestion Stuart Staniford (Aug 22)
- <Possible follow-ups>
- Re: Flash Worms Vern Paxson (Aug 22)