[40045] in North American Network Operators' Group


Re: Code Red round two

daemon@ATHENA.MIT.EDU (Jeff Ogden)
Tue Jul 31 14:18:43 2001

Mime-Version: 1.0
Message-Id: <v04210107b78ca1c96c0e@[198.108.90.150]>
In-Reply-To: <5.1.0.14.2.20010731095641.04a86698@mail.ntrnet.net>
Date: Tue, 31 Jul 2001 14:17:10 -0400
To: nanog@merit.edu
From: Jeff Ogden <jogden@merit.edu>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Content-Transfer-Encoding: quoted-printable
Errors-To: owner-nanog-outgoing@merit.edu


At 10:00 AM -0400 7/31/01, Dave Stewart wrote:
>At 09:49 AM 7/31/2001, Jeff Ogden wrote:
>>So what, if anything, are people planning to do differently as 8 pm
>>EDT today and the possibility of a new round of Code Red Worm
>>activity approaches? Are there things that we as network operators
>>can and should be doing beyond encouraging end users to patch their
>>vulnerable systems?
>
>You can scan your network(s) for machines that are vulnerable, and
>patch them.  Or contact the end users and require that they patch
>them.... if they aren't patched by 7:45pm or so, you can block port
>80 access to those machines until they are patched.


OK, but even if we get every one of the vulnerable systems on our own
and our customers' networks patched, we will still be subject to
probes from infected systems elsewhere. In the last go-round ten or
eleven days ago it was the probes of unused IP addresses more than
infected systems on our network that seemed to cause problems. So
while we will continue to be good network citizens and work to get
systems on our network patched, we will continue to see problems as
long as there are "enough" unpatched systems out there to cause
problems. I suspect that that is weeks or even months in the future.

Attached is a long message that was sent out to Merit's customers
this morning talking about our plans.  No need to read it if you
don't want to.

   -Jeff

--------------------

>Date: Tue, 31 Jul 2001 01:55:24 -0400
>To: michnet-inform
>From: Jeff Ogden <jogden@merit.edu>
>Subject: Merit's Tuesday evening plans related to the Code Red Worm
>
>I am sure that most of us have seen enough announcements about the
>Code Red Worm by now to last a lifetime, but here is one more.
>
>I want to outline Merit's plans for the possible reemergence of the
>Code Red Worm starting more or less at midnight UTC/GMT on August
>1st (that is 8 pm EDT Tuesday evening here in the eastern U.S.). I
>say more or less because many systems don't have their clocks set
>exactly right or don't have their timezone set correctly, and so we
>could see some activity start earlier or later than the expected
>time by anything from a few minutes to as much as four or five hours.
>
>First let me say that we at Merit don't know and I don't think
>anyone else really knows what, if anything, is going to happen
>starting at 8 pm Tuesday evening. There are new variants of the worm
>and they may behave differently. There are of course several
>variants of the worm that we've seen already and so we do have some
>idea of what to expect from them. We hope, but don't really believe,
>that most vulnerable systems will have been patched over the last
>week or ten days and that this will minimize the extent of any
>future problems (see below for information on why this isn't likely
>to be the case and about problems that may occur even after the
>patches have been installed on all of your local systems).
>
>At least initially Merit does NOT plan to take any unusual steps to
>deal with the Code Red Worm on Tuesday evening.  We are going to
>start out treating this as a host computer problem. Host computer
>problems are things that the people who are responsible for the
>individual computers need to deal with. We will have staff watching
>the network a bit more carefully than usual to spot and track signs
>of unusual activity or problems. We plan to work directly with some
>of the MichNet sites that were severely impacted by the Code Red
>Worm last time, both to help these sites if there are problems and
>to use the sites as something of an early warning indicator for what
>we might expect elsewhere. We will be tracking developments
>elsewhere including mailing lists and Web sites that have
>information about Code Red developments.
>
>Sites with MichNet attachments can and should report network
>problems to the Network Operations Center (NOC) by e-mail or by
>phone. We would like to help where we can. We may be able to provide
>assistance, but even if we can't help, reports will give us a better
>view of what is actually happening across MichNet.
>
>If it would be helpful, we can install packet filters similar to the
>ones we installed the last time around in routers that Merit
>manages. These filters block packets inbound to port 80 on host
>computers. This time we'd like to install these filters at the
>request of individual sites rather than taking this action on our
>own. If your site would like us to do this, contact the NOC. When
>you call please have a list of the IP addresses for any host
>computers that shouldn't be blocked. Of course many sites can and
>probably should take these steps themselves in the routers or
>firewalls that they manage.
>
>While we hope this won't be necessary, if we start to see serious
>widespread problems, we may have to switch as we did last time and
>treat this as a network rather than as a host computer problem. If
>need be, we will be able to call in additional staff to work on
>problems either Tuesday evening or Wednesday morning. If this
>becomes necessary, we will post announcements to the MichNet-Inform
>e-mail list and on the telephone recording that the NOC maintains.
>
>Estimates as of last Sunday are that at least 30% and perhaps as
>high as 80% of the 350,000 plus systems that were infected with the
>Code Red Worm a little more than a week ago have not yet been
>patched. No matter which end of the range you believe, you still get
>big numbers. And no one knows how many vulnerable systems are out
>there that weren't infected the last time around, but which may be
>infected in the future. Estimates are that this is another large
>number.
>
>Systems that only access the Internet over a dial-up line may be
>infected or vulnerable. New systems right out of the box may be
>vulnerable. Systems that belong to people on vacation or at schools
>that are out for the summer may be vulnerable when they are turned
>back on days, weeks, or months from now. It seems certain that we
>are all going to be working on the Code Red and related problems for
>quite some time to come.
>
>See
>
>    http://worm-security-survey.caida.org/
>
>and
>
>    http://www.caida.org/analysis/security/code-red/
>
>for details about the rate that patches are being installed and some
>very interesting analysis of the spread of the Code Red Worm ten
>days or so ago.  If you don't have time to read all of this
>information, at least look at the conclusions
>(http://www.caida.org/analysis/security/code-red/#conclusions) which
>are sobering.
>
>Even if your organization manages to patch every single vulnerable
>system, your site may still see network performance problems due to
>probes of your systems from infected computers located elsewhere. It
>was side effects from these probes (ARP floods caused by large
>numbers of probes to unused IP addresses), rather than the infected
>systems themselves or the traffic from the probes, that seemed to
>cause most of the network performance problems that individual sites
>on MichNet experienced ten or eleven days ago.
>
>There are some things that individual sites can do to protect
>themselves beyond installing the patches in the vulnerable systems.
>Pay particular attention to comments about ingress and egress
>filtering in the section on "Good Practices" in the CERT's
>announcement (http://www.cert.org/advisories/CA-2001-23.html). Sites
>with large amounts of unused IP address space seem to be more
>vulnerable than other sites and so using filters in routers or
>firewalls to block access to ranges of unused IP addresses may be
>useful. Individual sites are in a much better position than Merit to
>install all of these types of filters.
>
>Finally, there is a very real concern that with so much attention
>focused on the Code Red Worm and installing the patches from
>Microsoft, we may be missing other security problems, assuming
>that problems are due to Code Red when in fact they are not, or not
>installing other patches and security fixes for other equally
>important problems in a timely fashion. We all need to keep in mind
>that the real problem here isn't the Code Red Worm, but inadequately
>maintained systems. We all need to put procedures in place to ensure
>that security patches and other fixes are installed in an on-going
>and timely fashion in the future.
>
>Here is a list of some of the URLs related to the Code Red Worm
>that people may find useful or interesting:
>
>   http://www.digitalisland.net/codered/ (includes step by step instructions,
>     slides, and audio from a 30 minute lecture on Code Red)
>
>   http://www.cert.org/
>   http://www.cert.org/archive/html/coderedannounce.html
>   http://www.cert.org/advisories/CA-2001-23.html
>   http://www.cert.org/advisories/CA-2001-20.html
>   http://www.cert.org/tech_tips/home_networks.html
>
>   http://www.microsoft.com/technet/security/bulletin/MS01-033.asp
>
>   http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml
>
>   http://www.caida.org/
>   http://worm-security-survey.caida.org/
>   http://www.caida.org/analysis/security/code-red/
>
>   http://www.securityfocus.com/
>   http://www.securityfocus.com/bugtraq/archive
>   http://www.securityfocus.com/templates/column.html?id=13
>   http://www.securityfocus.com/templates/archive.pike?list=1&start=2001-07-15&fromthread=0&threads=0&mid=197828&end=2001-07-21&
>
>   http://www.net-security.org/text/articles/coverage/code-red/ (very
>      comprehensive collection of materials)
>
>   http://www.umich.edu/~virus-busters/bady.html
>
>   http://www.eeye.com/  (the folks that identified the vulnerability
>      originally back in June)
>   http://www.eeye.com/html/Research/Advisories/
>   http://www.eeye.com/html/Research/Tools/codered.html
>
>   http://www.nipc.gov/
>   http://www.nipc.gov/warnings/alerts/2001/01-016.htm
>
>   http://www.symantec.com/
>   http://www.symantec.com/avcenter/venc/data/codered.worm.html
>   http://www.symantec.com/press/2001/n010720a.html
>
>   http://www.nai.com/
>   http://www.mcafeeasap.com/asp_subscribe/trial_cc_wormscan.asp
>
>   http://www.merit.edu/mail.archives/nanog/
>
>Hope this is useful. Sorry there are so many of these messages and
>some are so long.
>
>   -Jeff Ogden
>    Merit
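The forwarded message makes two operational points: probes to unused IP addresses, not the infected hosts themselves, caused the ARP-flood side effects, and sites can reduce their exposure by filtering ranges of unused address space upstream. The example below (added here; not code from the message, from Merit, or from NANOG) shows how a site could compute those ranges and measure its exposure. The site prefix, the list of live hosts, the sample probe destinations, and the ACL number are constructed values; the IOS-style wildcard-mask ACL rendering is illustrative and assumed to need adapting to whatever router or firewall the site actually runs.

```python
from collections import Counter
from ipaddress import (collapse_addresses, ip_address, ip_network,
                       summarize_address_range)

# Constructed sample site: a /24 from the TEST-NET-1 documentation range and
# the handful of addresses that actually have hosts on them. Both are assumed
# values for this example, not anything from the original message.
SITE_PREFIX = ip_network("192.0.2.0/24")
USED_HOSTS = frozenset(ip_address(a) for a in (
    "192.0.2.1", "192.0.2.10", "192.0.2.11", "192.0.2.80", "192.0.2.200"))

# Constructed sample of inbound TCP/80 probe destinations, as one might pull
# from a flow export or router log during a scanning wave.
SAMPLE_PROBES = [
    "192.0.2.1", "192.0.2.33", "192.0.2.34", "192.0.2.10",
    "192.0.2.150", "192.0.2.80", "192.0.2.222", "203.0.113.7",
]


def unused_ranges(prefix, used):
    """Return the unused host space inside `prefix` as a minimal list of CIDR
    blocks. A probe to any of these addresses makes the last-hop router ARP
    for a host that will never answer; that is the ARP-flood side effect the
    message describes, so these are the ranges worth filtering upstream."""
    blocks = []
    run_start = run_end = None
    for addr in prefix.hosts():          # skips network and broadcast addresses
        if addr in used:
            if run_start is not None:    # close the current run of unused addresses
                blocks.extend(summarize_address_range(run_start, run_end))
                run_start = None
            continue
        if run_start is None:
            run_start = addr
        run_end = addr
    if run_start is not None:            # unused run reaching the end of the prefix
        blocks.extend(summarize_address_range(run_start, run_end))
    # Merge adjacent sibling blocks so the filter has as few entries as possible.
    return list(collapse_addresses(blocks))


def covers(blocks, address):
    """True if the dotted-quad string `address` falls inside any of `blocks`."""
    return any(ip_address(address) in b for b in blocks)


def classify_probes(probes, prefix, used):
    """Count probe destinations by whether they hit a live host, an unused
    address inside the prefix (the ARP-flood case), or something outside the
    prefix altogether (misrouted or not ours to worry about)."""
    counts = Counter()
    for dst in probes:
        dst = ip_address(dst)
        if dst not in prefix:
            counts["outside_prefix"] += 1
        elif dst in used:
            counts["used_host"] += 1
        else:
            counts["unused_address"] += 1
    return counts


def deny_lines(blocks, acl_number=101):
    """Render the unused blocks as IOS-style extended ACL entries in
    wildcard-mask form. The syntax is illustrative only; adapt it to the
    platform the filters actually go on."""
    return [f"access-list {acl_number} deny ip any {b.network_address} {b.hostmask}"
            for b in blocks]


if __name__ == "__main__":
    blocks = unused_ranges(SITE_PREFIX, USED_HOSTS)
    print(f"{len(blocks)} unused blocks covering "
          f"{sum(b.num_addresses for b in blocks)} addresses")
    print(dict(classify_probes(SAMPLE_PROBES, SITE_PREFIX, USED_HOSTS)))
    for line in deny_lines(blocks):
        print(line)
```

Because the worm picked targets at random, the share of probes landing on unused addresses tracks the share of the prefix that is unused, which is why the message singles out sites with large amounts of unused space. Collapsing the runs into aligned CIDR blocks keeps the resulting filter short enough to maintain by hand, and the live-host set is the same list the NOC asks callers to have ready when requesting filters.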



