[Gllug] Code Red worm sleeps?

will will at hellacool.co.uk
Wed Aug 1 16:37:50 UTC 2001


----- Original Message -----
From: "Richard Cohen" <richard at vmlinuz.org>
To: <gllug at linux.co.uk>
Sent: Wednesday, August 01, 2001 5:18 PM
Subject: Re: [Gllug] Code Red worm sleeps?


> I just had a thought - talking to a colleague here.  What would it take to
> write something which fit the following:
>
> Any machine from which an attack originates is unpatched and vulnerable.
> How about a counter-virus which would utilise the known vulnerability on the
> attacking machine to both wipe out the worm from that machine, and install
> the patch (or something smaller and simpler, maybe) such that the machine is
> then no longer vulnerable?
>
> Purely a thought experiment, but still...

This has already been done.  I forget the name but there was that Red Hat
worm and someone released a fix-worm that used the exploit that the first
worm used to gain access, patched the computer and moved on using the same
scanning technique.

I would be interested in the feasibility and legality of actually
retaliating against a DDoS attack though.  The machines involved will mostly
be doze machines with vulnerabilities and you should be able to get the IPs
of the illegitimate connections (statistically, avoiding the legitimate
ones) and knock them out (teardrop?) at least for a while; that way you
would seriously limit the flow of packets to the box under attack.  How
legal this would be I don't know.

will.


-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug