[Dshield] DCOM morning after

Shawn Cox shawn.cox at pcca.com
Tue Aug 12 19:58:18 GMT 2003

> Shawn Cox wrote:
> >   There is NO WAY to be fully protected at all times.  NONE,  ZERO,
> No, but we can at least prevent the obvious and stupid attacks like
> MSBlaster with a bit of care and diligence.

I disagree.   To stop this sort of attack takes only one thing: invulnerable
software, and that doesn't exist, nor will it ever.  As long as a percentage
of machines remain unpatched the threat exists.  Sure you can alleviate the
headaches, but 'prevent' is like asking a scientist to prove something.

My earlier statement stems from comments on this list regarding their
disbelief towards the nature and strength of this attack.  These folks in my
opinion have no idea what it's like to manage 600 workstations.  Trying to
determine which patches will break something and which are safe is trial and
error at best.  Take W2K sp4 as a recent example.

It doesn't take much analysis of this worm to tell that this was meant as a
"wake up" call.  I wouldn't be surprised to find out that the group who
released it wears a grey hat.  Both its payload and attack vectors, as have
been pointed out by many, were inefficient and could have easily been much
more severe.

> Many of us are in the same boat (OK, maybe not with 40% of our network
> over VPN, but still...).  However, a properly configured VPN generally
> wouldn't let ports 135 and 4444 through to the internal network, and
> certainly wouldn't allow them over the public Internet.  Patches really
> don't have anything to do with it in this case, as others have pointed
> out -- a reasonable firewall configuration would have stopped this attack
> at the border.

I didn't say that our corporate environment was compromised.  Indeed our VPN
does block the RPC ports back to home for the very reasons you mention.  But
we did have 10 of our customers who were sitting out on the Internet
unprotected, all businesses, without IT support and who wouldn't know a
firewall from a brick wall.  There is no solution to these attacks, don't be
so flabbergasted when they occur.