Message-ID: <20040123114411.GC1711@schlund.de>
From: anders at schlund.de (Anders Henke)
Subject: Re: More info on blocking the Bagle worm

On Jan 20th 2004, Anders Henke wrote:
> A few notes on the impact of beagle from an ISP's point of view - our 
> company is hosting 10 out of the 35 sites listed at 
> http://vil.nai.com/vil/content/v_100965.htm (we're hosting 3.5M of
> domains and also our largest competitor does host 9 beagle-sites, so
> don't wonder or misinterpret the "high" percentage).

Some more current information:
-the first mass of beagle requests against sites hosted here started on 
 Sunday 18th around 12:35 (AM) local time from a couple of dsl-lines 
 in Germany and Belgium, followed a few seconds later by other 
 dialup-ips from Canada, the USA and eastern Europe.

A few stats for the last few days for HTTP-requests on /1.php using
the useragent "beagle_beagle", summarized from 8 out of the 10 
beagle-attacked sites hosted here; the remaining two sites are hosted 
on either customer-operated or non-unix-boxes, so gathering statistics
for them is not too easily automatable for me:

Sun 18/Jan/2004: 4426 different IPs, 312079 hits
Mon 19/Jan/2004: 151599 different IPs, 15282351 hits
Tue 20/Jan/2004: 249976 different IPs, 25252216 hits
Wed 21/Jan/2004: 271682 different IPs, 30467877 hits
Thu 22/Jan/2004: 265435 different IPs, 30017118 hits

The hitrate varies by daytime of affected IPs; as most IPs are located 
in Europe (as well as we are), the hitrate does follow the same 
graphs you usually see e.g. in access or bandwidth usage.

From a non-representative glance at a few hundred IPs, almost
all infected hosts are dropping or rejecting incoming traffic 
to Port 6777.
The symptoms of this are the same ones experienced with
-personal as well as professional firewalls (dropping traffic,
 rejecting with tcp-reset or icmp-prohibited),
-Cisco-Routers using ACLs ("no route to host"-symptom for certain
 tcp, but not e.g. icmp traffic),
-a few requests are also made via (transparent?) proxies and
 contain X-Forwarded-For-HTTP-Headers, many also seem to be
 located behind NAT-gateways.
Only about 2% of tested hosts are really accessible on port 6777.


My interpretation of those numbers is that on the one hand, most users
today seem to be at some level protected from network attacks (or their
ISPs have timely implemented access rules against such abuse) as well
as the slowly decreasing number for Thursday's hits gives the impression
that people are keeping their virus scanners quite current. 

On the other hand, the strong spread within the first 48 hours makes
one ask why such "security-aware" users still manually click on
executables attached to a stranger's "Test"-mail without thinking.
After the strong spread of massmailer-viruses, trojan horses and worms 
during the last few years, people should know better; maybe those people
believe they are protected from "evil packets" by firewalls and virus
scanners ...


Regards,

Anders
-- 
Schlund + Partner AG              Security
Brauerstrasse 48                  v://49.721.91374.50
D-76135 Karlsruhe                 f://49.721.91374.225
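The per-day counts above (distinct IPs and hits for requests to /1.php with the user-agent "beagle_beagle") can be reproduced from ordinary web server logs. The following is an added example, not code from the original post; it assumes Apache "combined" log format (the post does not say which server or format was used) and runs over a few constructed sample lines.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache "combined" format (an assumption; the
# post does not name the log format). RFC 5737 documentation addresses only.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Jan/2004:12:35:02 +0100] "GET /1.php HTTP/1.1" 404 291 "-" "beagle_beagle"
203.0.113.10 - - [18/Jan/2004:12:35:09 +0100] "GET /1.php HTTP/1.1" 404 291 "-" "beagle_beagle"
198.51.100.7 - - [18/Jan/2004:12:36:44 +0100] "GET /1.php HTTP/1.0" 404 291 "-" "beagle_beagle"
192.0.2.55 - - [18/Jan/2004:13:01:10 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [19/Jan/2004:08:12:01 +0100] "GET /1.php HTTP/1.1" 404 291 "-" "beagle_beagle"
192.0.2.55 - - [19/Jan/2004:08:12:30 +0100] "GET /1.php HTTP/1.1" 404 291 "-" "beagle_beagle"
203.0.113.10 - - [19/Jan/2004:09:00:00 +0100] "GET /1.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
"""

# ip, day (dd/Mon/yyyy), method, path, status and user-agent from a combined-format line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_bagle_probe(rec):
    # Match only the worm's beacon: path /1.php together with its user-agent string.
    # Requests to /1.php from normal browsers (last sample line) are not counted.
    return rec["path"] == "/1.php" and rec["ua"] == "beagle_beagle"

def bagle_stats(log_text):
    """Return {day: (distinct_ips, hits)} for Bagle probes, in first-seen order."""
    ips, hits = defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_bagle_probe(rec):
            ips[rec["day"]].add(rec["ip"])
            hits[rec["day"]] += 1
    return {day: (len(ips[day]), hits[day]) for day in hits}

def format_report(stats):
    """Render one line per day in the same shape as the table in the post."""
    return [
        f"{datetime.strptime(day, '%d/%b/%Y').strftime('%a')} {day}: "
        f"{n_ips} different IPs, {n_hits} hits"
        for day, (n_ips, n_hits) in stats.items()
    ]

if __name__ == "__main__":
    print("\n".join(format_report(bagle_stats(SAMPLE_LOG))))
```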

