[39728] in North American Network Operators' Group


Re: Code Red on dial-in ppp

daemon@ATHENA.MIT.EDU (up@3.am)
Sat Jul 21 12:47:40 2001

Date: Sat, 21 Jul 2001 12:44:56 -0400 (EDT)
From: <up@3.am>
To: nanog@merit.edu
In-Reply-To: <Pine.SOL.3.91.1010721122859.2647u-100000@sunny.netside.net>
Message-ID: <Pine.BSF.4.10.10107211241240.72032-100000@richard2.pil.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu


On Sat, 21 Jul 2001, Mitch Halmu wrote:

> On Sat, 21 Jul 2001, Jason A. Mills wrote:
> 
> > I'm not sure I see why a POTS PPP link, or some other slow(er) on demand
> > link might stop CodeRed. The first-pass payload is under 4096 bytes
> > including framing, not exactly something you need a lot of low-latency
> > bandwidth to push through. :-/
> 
> The problem I described is that the Windows machines in question are not 
> necessarily dedicated web servers, but can be regular dial-in users. 
> Normally, such users don't run a web server over dial-up, yet they seem
> to be vulnerable if the attack occurs while they're connected. No relation 
> to the connection bandwidth was implied.

Have you port scanned said users?  You might be surprised how many dialup
users are running httpd.  And smtpd.  And pop3d.  And named.  And,
of course, an IRC bot...all usually on their windoze machines, because,
like, they're really advanced users, see?

Hint:  These are often the same users you have to nag about continuous
connections.

James Smallacombe		      PlantageNet, Inc. CEO and Janitor
up@3.am							    http://3.am
=========================================================================

