[59814] in North American Network Operators' Group


Re: Cisco vulnerability and dangerous filtering techniques

daemon@ATHENA.MIT.EDU (Chris Lewis)
Tue Jul 22 11:42:12 2003

Date: Tue, 22 Jul 2003 11:44:55 -0400
From: "Chris Lewis" <clewis@nortelnetworks.com>
Cc: nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu


Austad, Jay wrote:
> I was thinking about this the other day.  The most efficient way to make
> this work would be to spread using some vulnerability (like the Microsoft
> DCOM vulnerability released last week), and then at a predetermined time,
> start DoS'ing routers in the IP space of major providers, and then work your
> way towards the "edges."  You can pretty much safely assume that most of
> your infected machines are going to basically be on the edges of the
> internet, so if you start with major providers, you won't kill all of your
> connectivity.  Even more destructive would be p2p built into it, so all of
> the infected hosts could coordinate before the attack on what networks each
> one would handle.

Imagine generalizing that to phases - build a virus that uses several
different modes of propagation to different platforms - virulent, but
not too violent (i.e., not like SQL Slammer), then phase it to DOS various
services, including the routers.

You might come in one morning to find your entire network infested with 
a multi-phasic virus which has destroyed whatever it could, DDOS'd 
everything it couldn't, and big chunks of your network are dead.  On 
multiple platforms simultaneously.

You're in a mode where everything has to be unplugged, and scrubbed 
before reconnecting.

Ugh.

SQL Slammer was inadvertently almost there.  We're not an SQL shop, but
a few machines here and there had it enabled for one reason or another.
The propagation flood itself was so violent it took out non-Windows
services.
