North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
RE: Worms versus Bots
> William wrote: > but in our ISP office I setup new win2000 servers and first > thing I do is download all the patches. I've yet to see the > server get infected in the 20-30 minutes it takes to finish it It can happen in 5 or 10 minutes (I've seen it) but only if all of the following conditions are met simultaneously: a) administrator's password blank (or something _really_ easy to guess) b) public IP (no NAT) c) no firewall In other words: if one is stupid, one gets worm'ed or bot'ed. > (Note: I also disable IIS just in case until > everything is patched..). Not a bad idea, but sometimes you don't have the choice of doing it (with scripted installs or things like SBS). Besides, IIS is not the main source of trouble on a machine that sits on the Internet unprotected. I consider disabling IIS a second or third line of defense, to be used after you implemented the steps not to get screwed in the first place (which you described). > Similarly when settting up computers for several of my > relatives (all have dsl) I've yet to see any infection > before all updates are installed. Me too. > Additional to that many users have dsl router or similar > device and many such beasts will provide NATed ip block > and act like a firewall not allowing outside servers to > actually connect to your home computer. Indeed. I have a $10 one that I use for installations (even when I install from a "trusted" environment), because the danger does not come only from the Internet, it can also come from your own LAN. By putting the machine being installed alone on its own segment behind a NAT box, you also shield yourself from crud that could be on the trusted network. > On this point it would be really interested to see what > percentage of users actually have these routers and if > decreasing speed of infections by new virus (is there > real numbers to show it decreased?) have anything to > do with this rather then people being more carefull and > using antivirus. Difficult to measure, and here's why: recent worms are polymorphic and propagate/replicate using many different mechanisms. How do you make the difference between a) a worm that arrived trough email and then contaminated x machines on your LAN and b) a worm that arrived through a vulnerability of IIS and then contaminated x machines on your LAN? The trouble here is that if you had all the time in the world _and_ if you did not have x users screaming, you could look at logs and such and finally figure out which of the egg or the chicken was first. In a real world, you clean the mess and when you are done you have to catch up with all the stuff you did not do while cleaning, and you never know. Michel.