HP3000-L Archives

July 2001, Week 5

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Bruce Toback <[log in to unmask]>
Reply To: Bruce Toback <[log in to unmask]>
Date: Mon, 30 Jul 2001 19:01:30 -0700
Content-Type: text/plain
Parts/Attachments: text/plain (64 lines)

Tom Emerson writes:

>The end
>result is that while the Unix firewall "held up" under attack (i.e., it did
>not affect other processes on the box), there is a very high likelihood
>that a similar attack on Microsoft products will either crash the system
>or "break through" and affect internal traffic.

This sounds like what Wirt Atmar has termed an "adult bogeyman story". As
anyone who's been unfortunate enough to read my past posts knows, I'm not
at all fond of most Microsoft software. But I've never seen any reviews
or reports indicating that high traffic rates will crash an NT system.
And the idea that high traffic rates will somehow "break through" seems
like it came from someone who didn't understand that "firewall" is a
metaphor, not a specification.

If you know of any reliable information indicating that NT is
intrinsically less reliable as a firewall platform, please post the
references so the rest of us can understand the issues.

>'Those that would do
>you harm' [the "negative" connotation of hacker/cracker] know this is
>typically the case and devise attacks against Microsoft products [and most
>likely originate these attacks from Unix systems...]

There have been many attacks devised against not only Linux, but Sun and
HP-UX as well. Most of the high-profile defacements (for example, the New
York Times) have been against Sun, just because Sun servers run so many
high-profile sites.

Moreover, the firewall you're running is irrelevant for the Code Red
worm. This attack happens to be especially pernicious because both the
probe packet and the attack packet look like ordinary HTTP transactions
to a firewall, which will happily let them through to a web server.

>this is drifting off-topic unless
>someone can point out how an HP might be adversely affected by "code red"
>running rampant through an intrAnet...)

Once the worm is on the intranet, it will use all available bandwidth to
attack servers outside the intranet. That's how I discovered an infected
system at my house: the modem here at the office that connects my home
network to the Internet had its RX light on almost solid. Nobody was home
at the time except the cats, and there's no way that two cats can
generate that much outbound network traffic. The high rate of outbound
traffic generated by the worm means that your users -- and your HPe3000
-- will be unable to transfer data through your Internet connection.

-- Bruce


--------------------------------------------------------------------------
Bruce Toback    Tel: (602) 996-8601| My candle burns at both ends;
OPT, Inc.            (800) 858-4507| It will not last the night;
11801 N. Tatum Blvd. Ste. 142      | But ah, my foes, and oh, my friends -
Phoenix AZ 85028                   | It gives a lovely light.
btoback AT optc.com                |     -- Edna St. Vincent Millay
Mail sent to [log in to unmask] will be inspected for a
fee of US$250. Mailing to said address constitutes agreement to
pay, including collection costs.
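Two of the points in the message above lend themselves to a worked illustration: that a port-level firewall rule passes the Code Red probe and exploit because they are well-formed HTTP to tcp/80, and that an infected host betrays itself by the volume of outbound connections it opens to other web servers. The following Python is an added example written for this archive page; it is not code from the original post or from the list. The log format, the addresses, the shortened filler string and the thresholds (32 filler bytes, 20 distinct targets in 60 seconds) are constructed assumptions; the `/default.ida` request path with a long run of `N` (or `X` for Code Red II) before the `%u`-encoded payload is the well-known shape of the real worm's request.

```python
"""Added example: why a port-based rule passes Code Red, and what does catch it.

Runs over a constructed log (not a real capture), one line per perimeter
connection: '<epoch-seconds> <src> <dst> <dport> <in|out> <http request line>'.
"""
import re
from collections import defaultdict

# Signature check. The worm sends a GET for the IIS .ida ISAPI handler with a
# long run of filler ('N' in Code Red, 'X' in Code Red II) ahead of its
# %u-encoded payload. The minimum run of 32 is an assumption that keeps the
# constructed sample short; the real requests are far longer.
CODE_RED_RE = re.compile(r"^GET /default\.ida\?[NX]{32,}")

# Constructed, truncated stand-in for the worm's query string.
FILLER = "N" * 40 + "%u9090%u6858%ucbd3%u7801"


def build_sample_log():
    """Three ordinary HTTP transactions, one inbound exploit attempt against an
    internal web server, then that server scanning outward (all constructed)."""
    lines = [
        "996517000 10.0.0.5 192.0.2.10 80 out GET /index.html HTTP/1.0",
        "996517001 10.0.0.5 192.0.2.10 80 out GET /images/logo.gif HTTP/1.0",
        "996517002 10.0.0.6 192.0.2.44 80 out GET /news/ HTTP/1.0",
        f"996517005 203.0.113.7 10.0.0.20 80 in GET /default.ida?{FILLER} HTTP/1.0",
    ]
    # The freshly infected host probes 30 distinct addresses in under a minute.
    for i in range(30):
        lines.append(
            f"{996517010 + i} 10.0.0.20 198.51.100.{i + 1} 80 out "
            f"GET /default.ida?{FILLER} HTTP/1.0"
        )
    return "\n".join(lines) + "\n"


SAMPLE_LOG = build_sample_log()


def parse(log_text):
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, direction, request = line.split(" ", 5)
        records.append({"ts": int(ts), "src": src, "dst": dst,
                        "dport": int(dport), "dir": direction, "request": request})
    return records


def port_rule_allows(rec):
    """The packet-filter view: tcp/80 is permitted in both directions, so the
    rule has no reason to drop any of these records, worm traffic included."""
    return rec["dport"] == 80


def is_code_red_request(request_line):
    """Application-layer view: the request line is what distinguishes the worm."""
    return CODE_RED_RE.match(request_line) is not None


def scanning_hosts(records, window=60, min_targets=20):
    """Behavioural view: flag a source that opens outbound port-80 connections
    to at least min_targets distinct hosts within `window` seconds. This works
    without ever inspecting a payload."""
    by_src = defaultdict(list)
    for r in records:
        if r["dir"] == "out" and r["dport"] == 80:
            by_src[r["src"]].append((r["ts"], r["dst"]))
    flagged = []
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so it spans at most `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({dst for _, dst in events[start:end + 1]}) >= min_targets:
                flagged.append(src)
                break
    return sorted(flagged)


def analyze(log_text):
    records = parse(log_text)
    return {
        "records": len(records),
        "allowed_by_port_rule": sum(port_rule_allows(r) for r in records),
        "signature_hits": [(r["src"], r["dst"]) for r in records
                           if is_code_red_request(r["request"])],
        "scanners": scanning_hosts(records),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(f"{result['records']} records, {result['allowed_by_port_rule']} pass the tcp/80 rule")
    print(f"{len(result['signature_hits'])} Code Red-style requests, "
          f"first from {result['signature_hits'][0][0]}")
    print("hosts showing worm-like fan-out:", result["scanners"])
```

Every record clears the port rule, which is the point of the message: the firewall is not where this gets stopped. The signature match catches the inbound exploit attempt and the outbound copies, and the fan-out check independently names the infected internal host, which is the same symptom the modem's RX light was showing.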

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
