[39734] in North American Network Operators' Group


Re: Code Red on dial-in ppp

daemon@ATHENA.MIT.EDU (Chris Adams)
Sat Jul 21 14:09:37 2001

Date: Sat, 21 Jul 2001 13:09:06 -0500
From: Chris Adams <cmadams@hiwaay.net>
To: nanog@merit.edu
Message-ID: <20010721130906.A15304@HiWAAY.net>
Mail-Followup-To: Chris Adams <cmadams@hiwaay.net>, nanog@merit.edu
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <Pine.BSF.4.21.0107210926250.22854-100000@shell3.ba.best.com>; from phyxis@rottweiler.org on Sat, Jul 21, 2001 at 09:28:08AM -0700
Errors-To: owner-nanog-outgoing@merit.edu


Once upon a time, Jason A. Mills <phyxis@rottweiler.org> said:
> I'm not sure I see why a POTS PPP link, or some other slow(er) on demand
> link might stop CodeRed. The first-pass payload is under 4096 bytes
> including framing, not exactly something you need a lot of low-latency
> bandwidth to push through. :-/

I don't think the issue is bandwidth.  The issue is that the reports
being sent out say such-and-such IP is infected without giving a time
stamp (I got one of the reports as well).  Without the time of the
attack, the IP address is absolutely useless, as a hundred users may
have had that IP in the last couple of days.

In my case, out of two dozen hosts reported, all but two were dialup or
DSL IPs, making the report mostly worthless without times.

I don't mean to criticize, because obviously some folks put in a lot of
effort, and it is useful information (especially if you don't have
dialup hosts).  Just in my case (at least), it wasn't much help.

Interesting to note that the one host from our IP space that hit one of
our servers was NOT in the report I received.  We had over 21,000 hosts
try this on our (Unix/Apache) web servers.  Is someone collecting logs
to generate reports?
-- 
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

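The complaint above is that a list of infected addresses is useless for a dialup or DSL pool unless each entry carries the time of the hit, because the same address is reassigned to many accounts over a couple of days. The following is an added example, not code from the original post: it pulls the Code Red probe hits out of Apache access log lines (the worm requested /default.ida, which a Unix/Apache server simply answers with a 404), normalises the timestamps to UTC, and matches each hit against dial-in accounting records to show how many accounts are candidates with and without a time. The log lines, the session records and their field names (user, ip, start, stop) are constructed for the example; a real RADIUS accounting export would need its own field mapping.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Apache common/combined log line: client IP, bracketed timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Code Red probed IIS through /default.ida; on Apache the request just 404s,
# so the path alone is the signal. The query string is abbreviated below.
PROBE_PATH = "/default.ida"

# Constructed sample log lines (not from the original post).
ACCESS_LOG = """\
10.0.0.7 - - [19/Jul/2001:14:03:11 -0500] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 276 "-" "-"
10.0.0.7 - - [19/Jul/2001:14:03:12 -0500] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 276 "-" "-"
192.0.2.55 - - [19/Jul/2001:14:10:40 -0500] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
10.0.0.7 - - [20/Jul/2001:03:22:05 -0500] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 276 "-" "-"
"""


def utc(*args):
    """Shorthand for an aware UTC datetime."""
    return datetime(*args, tzinfo=timezone.utc)


# Constructed dial-in accounting records: who held which address, and when (UTC).
# Three different accounts cycle through 10.0.0.7 within two days.
SESSIONS = [
    {"user": "alice", "ip": "10.0.0.7", "start": utc(2001, 7, 19, 18, 30), "stop": utc(2001, 7, 19, 20, 15)},
    {"user": "bob",   "ip": "10.0.0.7", "start": utc(2001, 7, 19, 21, 0),  "stop": utc(2001, 7, 19, 23, 40)},
    {"user": "carol", "ip": "10.0.0.7", "start": utc(2001, 7, 20, 7, 55),  "stop": utc(2001, 7, 20, 9, 10)},
    {"user": "dave",  "ip": "10.0.0.9", "start": utc(2001, 7, 19, 18, 0),  "stop": utc(2001, 7, 19, 19, 30)},
]


def parse_apache_time(ts):
    """'19/Jul/2001:14:03:11 -0500' -> aware datetime normalised to UTC."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)


def find_probes(log_text):
    """Return {ip: [hit_time_utc, ...]} for every Code Red probe in the log."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        if m.group("path").startswith(PROBE_PATH):
            hits[m.group("ip")].append(parse_apache_time(m.group("ts")))
    return dict(hits)


def who_had_ip(sessions, ip, at=None):
    """Accounts that held `ip`; with `at` given, only those logged in at that instant."""
    users = set()
    for s in sessions:
        if s["ip"] == ip and (at is None or s["start"] <= at <= s["stop"]):
            users.add(s["user"])
    return sorted(users)


def build_report(log_text, sessions):
    """Per-source report: hit count, first/last time in UTC, and the accountable users."""
    report = {}
    for ip, times in find_probes(log_text).items():
        by_time = set()
        for t in times:
            by_time.update(who_had_ip(sessions, ip, at=t))
        report[ip] = {
            "count": len(times),
            "first": min(times),
            "last": max(times),
            "accounts_with_time": sorted(by_time),      # resolvable: timestamp present
            "accounts_without_time": who_had_ip(sessions, ip),  # ambiguous: address only
        }
    return report


if __name__ == "__main__":
    for ip, r in build_report(ACCESS_LOG, SESSIONS).items():
        print(ip, r["count"], r["first"].isoformat(), r["last"].isoformat(),
              "with times:", r["accounts_with_time"],
              "without:", r["accounts_without_time"])
```

Run against the constructed data, 10.0.0.7 resolves to two accounts (one per hit time) when the timestamps are kept, but to three when only the address is known, which is the gap the message describes. Emitting the first and last hit in UTC with an explicit offset is what makes a report from one network usable by the operator on the other end.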