Vulnerability Development mailing list archives

Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.)


From: Gert-Jan Hagenaars <blender () hagenaars com>
Date: Thu, 6 Sep 2001 23:49:27 -0400

Apparently, Stanley G. Bubrouski wrote:
% On Thu, 6 Sep 2001, Emre Yildirim wrote:
% 
% It may sound unreasonable, but using access-lists on routers is a
% great way for companies and providers to stop the spread of Code Red.  By
% blocking all traffic from a person's machine they are then forced to call
% their provider's tech support to report they lost their connection.  The
% provider then can inform the customer they are infected, explain to them
% they must patch their system, remove them from the ACLs, wait 24 hours and
% if they show signs they are patched then do not reapply the ACL.

This doesn't work on machines that connect via DHCP.

The whole notion of using manhours to combat a DoS attack is an out-of-date
idea.  Besides, you're turning the problem into a problem for the ISPs,
which (essentially) means that you're turning the ISPs into internet cops.

I see four distinct problems with this approach.  On one server we got
about 1200 distinct hits of Code Red in 24 hours.

(first problem) How many thousands of emails do I have to send in a
week to get through to the ISPs, and

(second problem) who's going to handle all these requests in a timely
manner and

(third problem) judge the validity of my claims?  And,

(fourth problem) who's going to pick up the bill for calling all these
customers?

Consider the cost of a support call when a customer calls an ISP (CDN
7 about four years ago (when I worked for an ISP), very likely higher
now), and that's when you don't have to spend time finding out which
number to call, nor having to find the right person at the other end of
the phone ("my son always takes care of this stuff, but I can't get to
Yahoo and I'm paying you guys for my internet connection!").

If your proposed approach worked, we wouldn't have any SPAM either.
And that's an area where (most) ISPs _want_ to battle this.

I think a passive inoculation (worm) that doesn't seek out victims, but
only counters infected systems (where the admins (if they exist) don't
care) is a far better approach.  It's certainly more cost effective,
definitely quicker and obviously less prone to error.

So... where's the linux version?

Cheers,
Gert-Jan.

-- 
+++++++++++++ -------- +++++ --- ++ - +0+ + ++ +++ +++++ ++++++++ +++++++++++++
sed '/^[when][coders]/!d         G.J.W. Hagenaars -- gj at hagenaars dot com
    /^...[discover].$/d          Remembering Mike Carty 1968-1994
   /^..[real].[code]$/!d         UltrixIrixAIXHPUXSunOSLinuxBSD, nothing but nix
' /usr/dict/words                I'm Dutch, what's _your_ excuse?
