[Dshield] Re: fighting back against CodeRed
blilly at erols.com
Wed Aug 8 19:59:25 GMT 2001
Here's my $0.02 worth:
1. A third party infiltrating the attacker is wrong, and two wrongs
don't make a right.
2. Trying to contact the attacker's administrator may fail even if the
system owner isn't a hacker: in the case of dialup or broadband
connections, the NIC records are likely to point to the ISP's
contact information. While as noted on this list, some ISPs have
taken the initiative of informing their customers, other ISPs may
not be so inclined. Note that professionally managed systems
have probably already been patched, and most of the remaining
infected systems are probably home machines. There are other
issues with the email approach: some have suggested emailing
abuse at domain -- while standardized names for administrative
mailboxes are recommended by RFC 2142, that is only a
recommendation; one which is infrequently adhered to. The only
mailbox that is supposed to be universally valid is "postmaster"
(it's in the Host Requirements RFC, 1123, section 5.2.7); the reality
is that there are many misconfigured systems that either do not
support "postmaster" or have other problems (e.g. returning a
ludicrous "relaying not permitted" error) with it. (Guess whose
software seems to be worst in that regard). And systems which have
not been patched for a widely known issue are not likely to be so
well administered that they adhere to the Host Requirements.
3. The problem is Microsoft's responsibility to deal with, as they are
responsible for the gaping security hole in their buggy IIS software.
Sending out a copy of the joint notice a week after CERT and SANS
sent out their copies, and only to the tiny fraction of Microsoft's
customers that have signed up for their security mailings is woefully
inadequate. Microsoft is about the only entity that could
legitimately set up one or more servers that would use some
mechanism to patch infected systems that contact those servers.
It would probably suffice to announce in advance that a
patching service would be installed for the convenience of any
customer who wants an automatic update, and that the update will be
installed if the user or his machine contacts a Microsoft server
using a certain type of default.ida request. This is a slight
extension of MS' Windows Update, which installs upgrades downloaded
from MS servers. Whether or not MS could implement such a system
that would actually work and would not install more bugs than
it fixes is another matter.
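The two operational points raised above (spotting the infected hosts hitting you with default.ida requests, and the RFC 1123 "postmaster" versus RFC 2142 "abuse" question when you try to notify their network) as an added example; this is not code from the post, and the log lines, addresses and the IP-to-ISP table are constructed stand-ins for a web-server log and a reverse-DNS/WHOIS lookup.

```python
"""Triage Code Red probe attempts from a web-server log and draft the
notification mailboxes. Added example, not from the mailing-list post;
all sample data below is constructed."""
import re
from collections import Counter

# Constructed IIS-style (W3C extended) lines: date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
2001-08-08 19:01:02 192.0.2.10 GET /default.ida 404
2001-08-08 19:01:05 192.0.2.10 GET /default.ida 404
2001-08-08 19:02:11 198.51.100.7 GET /index.html 200
2001-08-08 19:03:40 203.0.113.5 GET /default.ida 404
2001-08-08 19:04:01 198.51.100.7 GET /images/logo.gif 200
"""

# Constructed stand-in for a reverse-DNS / WHOIS lookup. As the post notes,
# dialup and broadband addresses usually resolve to the ISP, not the owner.
ISP_OF_IP = {"192.0.2.10": "isp-a.example", "203.0.113.5": "isp-b.example"}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


def codered_sources(log_text):
    """Return {source_ip: hit_count} for requests to /default.ida,
    the URI Code Red's probes ask for."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, uri = m.group(3), m.group(5)
        if uri.lower().startswith("/default.ida"):
            hits[ip] += 1
    return dict(hits)


def notification_contacts(ip, isp_of_ip=ISP_OF_IP):
    """Draft mailboxes for the probing host's network. postmaster@ is
    required by RFC 1123 section 5.2.7; abuse@ (RFC 2142) is only a
    recommendation, so it is listed second as a best-effort address."""
    domain = isp_of_ip.get(ip)
    if domain is None:
        return []  # no contact data: nothing to notify
    return [f"postmaster@{domain}", f"abuse@{domain}"]


if __name__ == "__main__":
    for ip, n in sorted(codered_sources(SAMPLE_LOG).items()):
        print(ip, n, notification_contacts(ip))
```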