AOL hasn't gotten back to me on whether this is expected behavior or not. Since
it just started, I'm inclined to believe that something is amiss at AOL. My
primary reason for writing to y'all was to confirm that the URL and activity
I was seeing were consistent with Code Red and to see if y'all could provide
some ideas for investigating this. If someone else was seeing this, that
would also eliminate my PC's configuration and our Corporate environment
from the mix.

Ron wrote:
Basically what you are saying is that AOL should be treated no differently
than cable modem users on the @home.com networks, a long known issue. Yes?

I'm still waiting for some response from AOL. However, if this is normal -
that is, there are no clamps which tie the connections which utilize their
virtual network to their servers, then you have to assume that any use of
AOL's virtual network (which they seem to be using for dial-up and/or LAN
connections - that is everything) could allow any connection attempt to hit
a PC running AOL regardless of modem or firewall settings. The only
potential way to protect against AOL is to run firewall software on the
individual PC. I'm not enough of a PC firewall guru to know if their virtual
network adapter could get around a firewall or not.

I think this is somewhat different than a cable modem in that you can
connect a firewall between the modem and your home network. In this case,
the firewall wouldn't protect your network since AOL would blow right
through it.

Again, my feeling is that there is either some weird configuration on my
system which I can't explain nor remember making or that there is something
amiss at AOL which they will resolve. Thus far, I've only had people take
information from me at AOL to pass along to others. The general feeling at
AOL is that their security is so tight that there is no way they could
possibly be sending me a Code Red URL or that I need to talk to Microsoft
Windows 95 support; that is, it must be Windows or a network problem (I
don't understand that idea). Supposedly, the people in Virginia were made
aware of my experiences this morning.

I'm not ready to agree with Ron's summary yet. However, I'm also not
comfortable enough with what I'm seeing to re-enable AOL on the Corporate
firewall except when I'm trying another test. If it turns out that what I'm
seeing is normal, then AOL won't be enabled on the Corporate firewall.

To provide the latest information from this morning's test, here is
essentially what I've sent AOL. Suggestions are very welcome.

---- Mail snippet follows:

All times are Central. My PC clock is approximately 3 minutes fast.

Yesterday, when I logged into AOL from work, my intrusion detection software
on my PC reported that one of your servers attempted to connect to port 80
(http) on my PC using a URL which has been associated with Code Red. Until
yesterday, I have NEVER had an intrusion alarm when accessing AOL under any
conditions which makes the following very worrisome.

Yesterday, when I encountered the alarm, I killed outbound AOL access
through my firewall. I just re-enabled AOL access and tried again. Once
again, within a minute or two, I have an intrusion alarm. The alarms are:

Tue Sep 11 13:19:21    HTTP request from 172.165.224.93: GET
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXX%u9090%u685...
Wed Sep 12 10:25:10    HTTP request from 172.173.194.54: GET
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXX%u9090%u685...

Today's trackback from my PC is (copied by hand):

C:\WINDOWS\tracert 172.173.194.54

Tracing route to ACADC236.ipt.aol.com [172.173.194.54]
over a maximum of 30 hops:

   1   874 ms   775 ms   888 ms  ipt-mq05.proxy.aol.com [64.12.101.234]
   2   928 ms   942 ms   879 ms  tot5-mc2-G4-0.proxy.aol.com [64.12.101.251]
   3   890 ms   846 ms   826 ms  ipt-mp04.proxy.aol.com [64.12.101.223]
   4  2327 ms  2291 ms  2146 ms  ACADC236.ipt.aol.com [172.173.194.54]

Our firewall is configured, when AOL is enabled, to transparently allow
outside access on port 5190 to any server on the following networks: 64.12,
152.163, and 205.188. The first hops on the traceroutes are to servers on
the 64.12 networks. The 172.173.194.54 system is only accessible via your
AOL adapter software (when I drop AOL, that system is no longer accessible).
"Transparency" means, among other things, that there are no special
configurations or settings on my PC, Internet Explorer (see below), or AOL.
This configuration has worked for years.

Other than setting AOL to use a LAN (TCP/IP) in the Setup box, no other
changes or proxy settings are set. I am not in the web browser when this
occurs; I am completely within the AOL software. The intrusion alarm only
occurs when logged into AOL and the IP addresses involved are only AOL's
systems.
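A defender-side triage routine for alarm lines like the two quoted above, added here as an example and not code from the post or the list: it parses the IDS line, flags the Code Red .ida signature, and checks the probe's source address against the netblocks the corporate firewall permits for AOL (64.12, 152.163, 205.188). The sample lines are constructed from the post's alarms, and treating those netblocks as /16s is an assumption.

```python
import ipaddress
import re

# Constructed sample alarm lines, modelled on the two quoted in the post
# (same timestamps and source addresses; the padding run is shortened).
ALARMS = [
    "Tue Sep 11 13:19:21    HTTP request from 172.165.224.93: GET "
    "/default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u685...",
    "Wed Sep 12 10:25:10    HTTP request from 172.173.194.54: GET "
    "/default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u685...",
    "Wed Sep 12 10:30:00    HTTP request from 64.12.101.234: GET /index.html",
]
# Networks the corporate firewall opens on port 5190 when AOL is enabled (from the post).
AOL_PERMITTED = [ipaddress.ip_network(n)
                 for n in ("64.12.0.0/16", "152.163.0.0/16", "205.188.0.0/16")]

ALARM_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2})\s+HTTP request from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}): (?P<method>[A-Z]+) (?P<path>\S+)"
)
# Code Red's request: the .ida ISAPI extension, a long padding run ('X' for Code
# Red II, 'N' for the original worm), then %u-encoded shellcode starting %u9090.
CODE_RED_RE = re.compile(r"^/default\.ida\?[XN]{3,}.*%u9090", re.IGNORECASE)

def parse_alarm(line):
    """Return the alarm's fields as a dict, or None for unrecognised lines."""
    m = ALARM_RE.match(line)
    return m.groupdict() if m else None

def is_code_red(path):
    """True when the requested path carries the Code Red .ida overflow signature."""
    return CODE_RED_RE.match(path) is not None

def classify_source(src):
    """Was the probe source in a block the firewall deliberately permits for AOL?"""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in AOL_PERMITTED):
        return "in-permitted-aol-block"
    # Anything else (e.g. the 172.x hosts in the post) reached the PC over the
    # AOL virtual adapter rather than through a firewall-permitted path.
    return "outside-permitted-blocks"

def triage(lines):
    """Return (timestamp, source, classification) for each Code Red probe found."""
    findings = []
    for line in lines:
        rec = parse_alarm(line)
        if rec and rec["method"] == "GET" and is_code_red(rec["path"]):
            findings.append((rec["ts"], rec["src"], classify_source(rec["src"])))
    return findings
```

Run over the two alarms in the post, both probes come back as Code Red from addresses outside the permitted 5190 netblocks, which is the point the post makes: they arrived via the virtual adapter, not through a hole the firewall opened.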

> -----Original Message-----
> From: Ron DuFresne [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, September 12, 2001 4:31 PM
> To: william.wells
> Cc: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
> Subject: RE: AOL probe - "just" Code Red
> 
> 
> Basically what you are saying is that AOL should be treated no differently
> than cable modem users on the @home.com networks, a long known issue.
> Yes?
> 
> Thanks,
> 
> Ron DuFresne
> 
> 
> On Wed, 12 Sep 2001, william.wells wrote:
> 
> > AOL is configured to use a LAN(TCP/IP) connection which means it's
> > connecting on port 5190 through our firewall and then setting up a virtual
> > network over that. When I get hit on port 80, I do a traceroute back to the
> > port reported by my intrusion detection software on my PC. That traceroute
> > returned via their virtual network to a named system (server?) in their DNS
> > space.
> > 
> > Our firewall is configured to block inbound port 80 so, up until yesterday,
> > I have literally 0 attempts of connections to port 80 over the past couple
> > of years. Our firewall is constantly scanned and blocks things accordingly.
> > 
> > Hence,
> > If one of their servers is attempting to access my PC via port 80 and send
> > me a CodeRed URL, then there is something wrong with their servers (my
> > opinion).
> > 
> > If one of their customers can attempt to connect to port 80 on my PC through
> > AOL's virtual network connection which AOL establishes, then any company or
> > person which allows AOL's virtual adapter to run is opening up a hole around
> > any network security which they might have; only software resident on the PC
> > might protect them. The implication, if this is true (and the same mechanism
> > is used for dial-up), is that AOL shouldn't be allowed to run on any system
> > unless that system has personal firewall software. AOL, by itself, should be
> > considered unsecure. If that were true and became public, I'd think AOL
> > would rapidly be out of business.
> > 
> > I've been approaching this assuming that my connection to them was solely to
> > their servers implying that they can control what "touches" my system. If,
> > when I connect, I am just another node in a virtual IP space which contains
> > all other active AOL connections and all systems can freely access my
> > system, then I need to seriously rethink AOL. I wouldn't think that my
> > system would have a resolvable name in their address space, but maybe so.
> > Next time I come up, I'll have to do a DNS lookup of my PC's IP address.
> > 
> > Incidentally, I enabled the AOL proxy this morning, connected to AOL, and
> > had another alarm in probably under 1 minute; different IP address but
> > everything else is the same.
> > 
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
> > > Sent: Wednesday, September 12, 2001 12:41 PM
> > > To: william.wells
> > > Cc: [EMAIL PROTECTED]
> > > Subject: RE: AOL probe - "just" Code Red
> > > 
> > > William---
> > > 
> > > Are you getting your Internet access from AOL or do you have another
> > > Internet provider and connect to AOL through that?
> > > 
> > > I'm no expert on AOL, but my understanding is that its dial-up access uses
> > > its own proprietary protocol, and it provides winsock-based IP access
> > > through its own virtual network adaptor - at least this is how previous
> > > versions in the UK worked.
> > > 
> > > If, however, you have a "proper" Internet connection (i.e. broadband or
> > > proper PPP dialup), and you access AOL over that, then AOL uses its own
> > > special port over IP to communicate with its servers, and it's that port
> > > you need to allow through your IP firewall.
> > > 
> > > However, unless you've set your personal firewall rules up correctly, there
> > > is no way you can stop ANY box TRYING to communicate with you on port 80,
> > > whether from AOL or not. If you're not running a web server of any kind on
> > > your box, then just block port 80, and don't bother configuring your
> > > firewall to notify you. There is so much background noise on the Internet
> > > that the value of receiving individual alerts is pretty meaningless
> > > (although it's obviously useful to look at longer term trends for the
> > > connections made to your box, to identify repeated connection attempts).
> > > 
> > > So, although AOL may block communication via its own protocol from other
> > > users, you should not rely on them to block anything else, whether from
> > > other AOL users or anyone on the Internet. You're being scanned at an IP
> > > level, not a proprietary AOL protocol level.
> > > 
> > > If you've never been scanned before, that's more due to your luck than
> > > anything else....
> > > 
> > > Russell
> > > 
> > > 
> > >         ----- Forwarded by Russell Donoff/GB/ABNAMRO/NL on 12/09/2001 18:38 -----
> > > 
> > >         From: "william.wells" <william.wells@provell.com>
> > >         Date: 12/09/2001 18:21
> > >         To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> > >         cc:
> > >         Subject: RE: AOL probe - "just" Code Red
> > > 
> > >         What you are saying implies that other AOL users could access my
> > >         system from their systems while I was logged into AOL. I thought
> > >         AOL blocked that - perhaps not. I'm still talking to AOL. I've
> > >         never been scanned while on AOL previously.
> > > 
> > > 
> > _______________________________________________
> > Firewalls mailing list
> > [EMAIL PROTECTED]
> > http://lists.gnac.net/mailman/listinfo/firewalls
> > 
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "Cutting the space budget really restores my faith in humanity.  It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation." -- Johnny Hart
>  ***testing, only testing, and damn good at it too!***
> 
> OK, so you're a Ph.D.  Just don't touch anything.