nanog mailing list archives

Re: Code Red on dial-in ppp


From: <up () 3 am>
Date: Sat, 21 Jul 2001 12:44:56 -0400 (EDT)


On Sat, 21 Jul 2001, Mitch Halmu wrote:

On Sat, 21 Jul 2001, Jason A. Mills wrote:

I'm not sure I see why a POTS PPP link, or some other slow(er) on demand
link might stop CodeRed. The first-pass payload is under 4096 bytes
including framing, not exactly something you need a lot of low-latency
bandwidth to push through. :-/

The problem I described is that the Windows machines in question are not 
necessarily dedicated web servers, but can be regular dial-in users. 
Normally, such users don't run a web server over dial-up, yet they seem
to be vulnerable if the attack occurs while they're connected. No relation 
to the connection bandwidth was implied.

Have you port scanned said users?  You might be surprised how many dialup
users are running httpd.  And smtpd.  And pop3d.  And named.  And,
of course, an IRC bot...all usually on their windoze machines, because,
like, they're really advanced users, see?

Hint:  These are often the same users you have to nag about continuous
connections.

James Smallacombe                     PlantageNet, Inc. CEO and Janitor
up () 3 am                                                          http://3.am
=========================================================================

