Message-ID: <20040123114411.GC1711@schlund.de>
Date: Fri, 23 Jan 2004 12:44:11 +0100
From: Anders Henke <anders@...lund.de>
To: Gadi Evron <ge@...uxbox.org>
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com
Subject: Re: More info on blocking the Bagle worm
On Jan 20th 2004, Anders Henke wrote:
> A few notes on the impact of beagle from an ISP's point of view - our
> company is hosting 10 out of the 35 sites listed at
> http://vil.nai.com/vil/content/v_100965.htm (we're hosting 3.5M of
> domains and also our largest competitor does host 9 beagle-sites, so
> don't wonder or misinterpret the "high" percentage).
A few more pieces of current information:
-the first mass of beagle requests against sites hosted here started on
Sunday 18th around 12:35 (AM) local time from a couple of DSL lines
in Germany and Belgium, followed a few seconds later by other
dialup IPs from Canada, the USA and Eastern Europe.
A few stats for the last few days for HTTP requests on /1.php using
the user agent "beagle_beagle", summarized from 8 out of the 10
beagle-attacked sites hosted here; the remaining two sites are hosted
on either customer-operated or non-unix boxes, so gathering statistics
for them is not too easily automatable for me:
Sun 18/Jan/2004: 4426 different IPs, 312079 hits
Mon 19/Jan/2004: 151599 different IPs, 15282351 hits
Tue 20/Jan/2004: 249976 different IPs, 25252216 hits
Wed 21/Jan/2004: 271682 different IPs, 30467877 hits
Thu 22/Jan/2004: 265435 different IPs, 30017118 hits
The hit rate varies with the time of day at the affected IPs' locations; as most
IPs are located in Europe (as are we), the hit rate follows the same
graphs you usually see e.g. in access or bandwidth usage.
From a non-representative glance at a few hundred IPs, almost
all infected hosts are dropping or rejecting incoming traffic
to port 6777.
The symptoms of this are the same ones experienced with
-personal as well as professional firewalls (dropping traffic,
rejecting with tcp-reset or icmp-prohibited),
-Cisco-Routers using ACLs ("no route to host"-symptom for certain
tcp, but not e.g. icmp traffic),
-a few requests are also made via (transparent?) proxies and
contain X-Forwarded-For-HTTP-Headers, many also seem to be
located behind NAT-gateways.
Only about 2% of tested hosts are really accessible on port 6777.
My interpretation of those numbers is that on the one hand, most users
today seem to be protected at some level from network attacks (or their
ISPs have implemented access rules against such abuse in time), and
the slowly decreasing number of hits for Thursday gives the impression
that people are keeping their virus scanners quite current.
On the other hand, the strong spread within the first 48 hours makes
one ask why such "security-aware" users still manually
click on executables attached to a stranger's "Test" mail without thinking.
Given the strong spread of mass-mailer viruses, trojan horses and worms
during the last few years, people should know better; maybe those people
believe they are protected from "evil packets" by firewalls and virus
scanners ...
Regards,
Anders
--
Schlund + Partner AG Security
Brauerstrasse 48 v://49.721.91374.50
D-76135 Karlsruhe f://49.721.91374.225
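The per-day figures above (distinct IPs and hits for requests to /1.php with the "beagle_beagle" user agent) are the kind of thing a hosting operator pulls out of web server access logs. The following is an added example of how to produce such a summary from Apache "combined"-format logs; it is not code from the original post or from Schlund + Partner. The log lines are constructed for the example and use documentation IP ranges, and the query string on one of them is an assumed placeholder, not the worm's real request format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format:
#   ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Request signature described in the post: path /1.php, user agent "beagle_beagle".
WORM_PATH = "/1.php"
WORM_AGENT = "beagle_beagle"

# Constructed sample log lines (not real traffic); the "?x=1" query is a placeholder.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Jan/2004:12:35:02 +0100] "GET /1.php HTTP/1.0" 200 123 "-" "beagle_beagle"',
    '192.0.2.10 - - [18/Jan/2004:12:35:09 +0100] "GET /1.php HTTP/1.0" 200 123 "-" "beagle_beagle"',
    '192.0.2.11 - - [18/Jan/2004:12:36:44 +0100] "GET /1.php?x=1 HTTP/1.0" 200 123 "-" "beagle_beagle"',
    '198.51.100.7 - - [18/Jan/2004:13:00:00 +0100] "GET /index.html HTTP/1.1" 200 4521 "-" "Mozilla/4.0"',
    '198.51.100.8 - - [18/Jan/2004:13:01:00 +0100] "GET /1.php HTTP/1.1" 404 210 "-" "Mozilla/4.0"',
    '192.0.2.12 - - [19/Jan/2004:03:10:10 +0100] "GET /1.php HTTP/1.0" 200 123 "-" "beagle_beagle"',
    'garbage line that does not parse',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # request is e.g. 'GET /1.php?x=1 HTTP/1.0'; keep only the path without query string
    parts = rec["request"].split()
    rec["path"] = parts[1].split("?", 1)[0] if len(parts) >= 2 else ""
    # time is e.g. '18/Jan/2004:12:35:02 +0100'; the day is everything before the first ':'
    rec["day"] = rec["time"].split(":", 1)[0]
    return rec


def is_worm_hit(rec):
    """True if the record matches both the path and the user agent signature."""
    return rec is not None and rec["path"] == WORM_PATH and rec["agent"] == WORM_AGENT


def summarize(lines):
    """Return {day: (distinct_ips, hits)} for all lines matching the worm signature."""
    per_day = defaultdict(lambda: {"ips": set(), "hits": 0})
    for line in lines:
        rec = parse_line(line)
        if is_worm_hit(rec):
            per_day[rec["day"]]["ips"].add(rec["ip"])
            per_day[rec["day"]]["hits"] += 1
    return {day: (len(v["ips"]), v["hits"]) for day, v in per_day.items()}


def report(summary):
    """Render the summary as one line per day, in chronological order."""
    rows = sorted(summary.items(), key=lambda kv: datetime.strptime(kv[0], "%d/%b/%Y"))
    return [f"{day}: {ips} different IPs, {hits} hits" for day, (ips, hits) in rows]


if __name__ == "__main__":
    for row in report(summarize(SAMPLE_LOG)):
        print(row)
```

Matching on both the path and the user agent keeps ordinary visitors who happen to request /1.php (the 404 line above) out of the count; unparseable lines are skipped rather than aborting the run. Feeding the real log file in line by line (`summarize(open(path))`) gives the same per-day table as the post.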
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html