
Re: Code-Red 2 - and IIX



On Thu, Aug 09, 2001, Hetz Ben Hamo wrote about "Code-Red 2 - and IIX":
> Hi people,
> 
> I'm looking at my apache logs - and I'm amazed how this attack still continues 
> to affect the net performance - and especially - the IIX - the IIX lately 
> becomes so slow - Walla for example loads after 15-60 seconds. Before it was 
> 2-3 seconds on ADSL..

Are you sure it is the IIX?
DSL and cable ISPs in the U.S. are reporting meltdown of their networks
because of ARP floods (machines inside the ISP's network are each trying
to contact hundreds of other machines, sending out thousands of ARP requests,
and some routers were just not designed for such a behavior).

So while it is possible the problem is in the IIX, it can also be a problem
inside your own provider.

Several huge ISPs in the U.S., most notably Verizon, have started blocking
incoming port 80 on their network (they claim it's because of the worm, but
I suspect they have a different agenda).

> Is there a mailing list where sys admins from all the ISPs in Israel are 
> participating?

I don't know about that, but NANOG (nanog.org) is the mailing list where
American ISPs meet.

Just got another Israeli spam... :( I'm mad about the Israel ISPs now...
Well, at least these spamming idiots have a 1-800 number on their web-site.
It is ok for me to call it and "find out" more about that company, isn't it?
And what if it takes me 5 calls to make sure the number is correct? ;)

> I don't see for example why Netvision (and other ISPs?) are not sending 
> emails explaining the situation and giving instructions to eliminate it...

Eliminate what? If you have a broken system and haven't fixed it yet (despite
everybody talking about it for over a month), they should just cut your service
off! If the ISPs did that (and it's *trivial* to do it), the code red attack
would stop in a couple of days.

By the way, if I remember correctly, code red II will go to rest on the 20th,
waking up on September 1st again.


> [kde21@gorgeous kde21]$ whois 212.143.101.43@whois.ripe.net | tail -n 10
> address:      Talking Picture
> address:      , Tel Aviv , Israel
> phone:        +972-3-5105190
> fax-no:       +972-3-5105636
> nic-hdl:      YT202-RIPE
> changed:      hostmaster@netvision.net.il 20000313
> source:       RIPE

Damn, I checked and the spammers that sent me the spam aren't vulnerable.
That's too bad ;)

> So if it takes me 2 minutes to find a person - how come NONE of the 
> ISPs are checking their clients? they got all the info needed...

Are you sure these people actually fixed it after your call?
Probably not.
Until something really bad happens to them (either a worm destroys their
files or the ISP cuts them off), 90% of them will probably not care to fix
it. I bet the typical response to your call will be "Internet Information
Server? What is that? explorer.exe? Where can I find that on my Start
button?"...

Last night I got probes from dozens of dialup users - none of them
can be contacted with the whois trick - only the ISPs know who they are
and how to block their account.

P.S. I wonder if Microsoft or the BSA are collecting IP addresses of infected
machines. I bet that many of them have illegal copies of IIS and/or Windows
2000.

-- 
Nadav Har'El                        |        Thursday, Aug  9 2001, 21 Av 5761
nyh@math.technion.ac.il             |-----------------------------------------
Phone: +972-53-245868, ICQ 13349191 |It's fortunate I have bad luck - without
http://nadav.harel.org.il           |it I would have no luck at all!

=================================================================
To unsubscribe, send mail to linux-il-request@linux.org.il with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail linux-il-request@linux.org.il
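The thread above talks about spotting worm probes in Apache logs and then using the source addresses to find out who to notify. The following is an added example, not code from the original message or from the list: it parses constructed Apache combined-format log lines, flags requests for `/default.ida` (the .ida ISAPI path that Code Red family worms are known to hit; the padding character, X vs. N, is the commonly documented way to tell the two variants apart), and tallies probes per source IP so the list can be handed to the relevant ISP. The log lines and IP addresses are constructed sample data; `probe_report` and `classify_variant` are names chosen for this example.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (not from the original post).
# Two .ida probes from one host, one from another, one normal request, one garbage line.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Aug/2001:20:14:02 +0300] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 288 "-" "-"
10.0.0.5 - - [09/Aug/2001:20:14:09 +0300] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 288 "-" "-"
192.0.2.17 - - [09/Aug/2001:20:15:41 +0300] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
192.0.2.44 - - [09/Aug/2001:20:16:00 +0300] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 288 "-" "-"
malformed line that should be skipped
"""

# Apache common/combined format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3})'
)

# Code Red family probes ask for the .ida ISAPI extension with a long padded query string.
PROBE_RE = re.compile(r'^/default\.ida\?', re.IGNORECASE)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_codered_probe(entry):
    """True if the request looks like a Code Red style .ida probe."""
    return entry["method"] == "GET" and bool(PROBE_RE.match(entry["path"]))


def classify_variant(path):
    """Guess the variant from the padding character, as commonly documented:
    X padding for Code Red II, N padding for the original Code Red."""
    query = path.split("?", 1)[1] if "?" in path else ""
    if query.startswith("X"):
        return "Code Red II (X padding)"
    if query.startswith("N"):
        return "Code Red I (N padding)"
    return "unknown .ida probe"


def probe_report(log_text):
    """Tally .ida probes per source IP.

    Returns (hits, variants, skipped): hits maps ip -> probe count, variants maps
    ip -> set of variant labels seen, skipped counts lines that did not parse.
    """
    hits = Counter()
    variants = {}
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            skipped += 1  # keep going; a corrupt line should not abort the report
            continue
        if is_codered_probe(entry):
            hits[entry["ip"]] += 1
            variants.setdefault(entry["ip"], set()).add(classify_variant(entry["path"]))
    return hits, variants, skipped


def abuse_lines(hits, variants):
    """One line per offending source, busiest first, suitable for a note to the ISP."""
    return [
        f"{ip}: {count} probe(s), {', '.join(sorted(variants[ip]))}"
        for ip, count in hits.most_common()
    ]


if __name__ == "__main__":
    hits, variants, skipped = probe_report(SAMPLE_LOG)
    for line in abuse_lines(hits, variants):
        print(line)
    print(f"({skipped} unparseable line(s) skipped)")
```

Run against a real access log, the per-IP list is what you would forward to the owning ISP; as the message notes, for dialup users only the ISP can map an address at a given time back to an account, so the timestamps in the log matter as much as the addresses.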