[39803] in North American Network Operators' Group
Re: Good Job, White House!
daemon@ATHENA.MIT.EDU (Christopher A. Woodfield)
Tue Jul 24 11:54:19 2001
Date: Tue, 24 Jul 2001 11:54:11 -0400
To: "Rowland, Alan D" <alan_r1@corp.earthlink.net>
Cc: nanog@merit.org
Message-ID: <20010724115410.A14882@semihuman.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1BEE67ADF602D3119F9A0008C79174C70EC87088@PETRIFIED>
From: "Christopher A. Woodfield" <rekoil@semihuman.com>
Errors-To: owner-nanog-outgoing@merit.edu
Actually, what they did was disgustingly simple - it was observed that (1)
the IP address, not the hostname, of www1.whitehouse.gov was hardcoded
into the worm, and (2) the worm made a connection to port 80 on that IP
address to make sure the host was live before launching the DoS.
Given these two weaknesses, all that the whitehouse.gov admins had to do
was move the server to a different IP, and nullroute the old IP. The worm
tried to contact the old IP, couldn't open a socket, and quietly went
dormant.
I would expect that the next worm of this type will have neither of these
vulnerabilities.
-C
>
> I'm personally more pleased with the network operators that dealt with the
> problem. Thanks, Guys! I'm not exactly sure what the White House did.
>
--
---------------------------
Christopher A. Woodfield rekoil@semihuman.com
PGP Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB887618B
