nanog mailing list archives

RE: Worms versus Bots


From: "Michel Py" <michel () arneill-py sacramento ca us>
Date: Mon, 3 May 2004 20:53:50 -0700


William wrote:
> but in our ISP office I set up new win2000 servers and first
> thing I do is download all the patches. I've yet to see the
> server get infected in the 20-30 minutes it takes to finish it

It can happen in 5 or 10 minutes (I've seen it) but only if all of the
following conditions are met simultaneously:
a) administrator's password blank (or something
   _really_ easy to guess)
b) public IP (no NAT)
c) no firewall
In other words: if one is stupid, one gets worm'ed or bot'ed.

> (Note: I also disable IIS just in case until
> everything is patched..).

Not a bad idea, but sometimes you don't have the choice of doing it
(with scripted installs or things like SBS). Besides, IIS is not the
main source of trouble on a machine that sits on the Internet
unprotected. I consider disabling IIS a second or third line of defense,
to be used after you implemented the steps not to get screwed in the
first place (which you described).

> Similarly when setting up computers for several of my
> relatives (all have dsl) I've yet to see any infection
> before all updates are installed.

Me too.


> In addition to that many users have a dsl router or similar
> device and many such beasts will provide a NATed ip block
> and act like a firewall not allowing outside servers to
> actually connect to your home computer.

Indeed. I have a $10 one that I use for installations (even when I
install from a "trusted" environment), because the danger does not come
only from the Internet, it can also come from your own LAN. By putting
the machine being installed alone on its own segment behind a NAT box,
you also shield yourself from crud that could be on the trusted network.

> On this point it would be really interesting to see what
> percentage of users actually have these routers and if
> decreasing speed of infections by new virus (are there
> real numbers to show it decreased?) have anything to
> do with this rather than people being more careful and
> using antivirus.

Difficult to measure, and here's why: recent worms are polymorphic and
propagate/replicate using many different mechanisms. How do you make
the difference between a) a worm that arrived through email and then
contaminated x machines on your LAN and b) a worm that arrived through a
vulnerability of IIS and then contaminated x machines on your LAN?

The trouble here is that if you had all the time in the world _and_ if
you did not have x users screaming, you could look at logs and such and
finally figure out which of the egg or the chicken was first. In the real
world, you clean the mess and when you are done you have to catch up
with all the stuff you did not do while cleaning, and you never know.

Michel.
