[ale] AT&T Broadband blocking inbound http?

Jonathan Rickman jonathan at xcorps.net
Mon Aug 13 23:43:25 EDT 2001


On Mon, 13 Aug 2001, Michael H. Warfield wrote:

> 	No, actually, you are not immune.  At least not from secondary
> effects.  The rampant traffic on the broadband nets was collapsing
> routers and forcing them to take action.  You and my son and myself
> and EVERYBODY ELSE were bitching about the service over the last couple
> of weeks and it was their infrastructure collapsing under the load of
> Code Red beating the bejesus out of all these IIS servers.  Thanks
> to M$, most of those users didn't even KNOW they had IIS running
> (IIS gets installed silently with certain packages OR if you are
> upgrading to Windows 2000 from anything with MS PWS on it - have a
> nice day...).

I have to agree. I've been using a script that calls bing (bandwidth
guesstimator) to monitor an associate's 768k circuit for several months. It
checks response times every 7 minutes. For the last two weeks the circuit has lost
between 7-12% of its capacity. There hasn't been a big Sircam problem at this
location so one would have to conclude that it can be attributed to CR scans
across 2 class C's. So far, 363,432 (as of this writing) logged attempts via
snort at the choke point. There is NO web server on this network. The snort logs
were getting so unmanageable that I just turned off logging. Dropping packets at
the firewall does no good. It just increases the load on the box. Filtering at
the router seemed to be working for a few days, but now it's working pretty hard
too (cheap, OLD, Bay unit). Is it impacting their business operations? Not
really, but then again...they have 768k for 184 workstations. Some folks don't
have spare bandwidth, or contracted consultants/IS staff to help stem the tide
(or at least work up a sweat trying).


> 	In case some people were not paying attention to the security
> lists, this worm was causing Cisco routers to collapse and taking
> a huge number of firewalls and NAT routers to their knees.  If a worm
> blows away a router between you and the net because it filled some
> connection table with millions of entries, can you really say you
> are immune to the effects of the worm?

The Cisco issue is a HUGE deal for broadband providers, whose support calls have
gone through the roof since this thing started crashing those little 678 boxes.

> 	Whether it's an excuse or not, they had every right to cut off
> people who were in violation of their published AUP.  My personal
> option is that they should have cut off any Code Red propagators, period,
> with extreme prejudice.  They chose to cut off web servers of all types,
> which, given their contracts and level of service, is entirely appropriate
> and reasonable in the face of this emergency.

I agree totally. Under the circumstances, I'm sort of glad they shut things
down. I think it would be a mistake on their part to leave the filters in place
once the storm passes. No need to gripe about folks running a low traffic site
at their home. Napster/Gnutella users use much more bandwidth. But, all things
considered...they did the right thing. I just hope that they make it a temporary
solution for the sake of their customers who actually know what they're doing.
Just glad I'm not one of them...er...customers that is. No really, I know what
I'm doing...I think. The Apache IIS RPC cgi-bin thingy listens on port 139
right??? I gotta get more O'Reilly books...



-- 
Jonathan Rickman
X Corps Security
http://www.xcorps.net

