> -----Original Message----- > From: Ron DuFresne [mailto:[EMAIL PROTECTED] > Sent: Monday, July 28, 2003 10:46 AM > To: Schmehl, Paul L > Cc: Robert Wesley McGrew; [EMAIL PROTECTED] > Subject: RE: [Full-Disclosure] DCOM RPC exploit (dcom.c) > > And those sites during slammer that blocked 1434, as was > advised when the patch was made available, though it was > advised even long before that, were largely unafected. Sites > that are properly blocking 135 and it's protocolcs will most > likely be unaffected from any new worm wishing to exploit > this repeat problem with DCOM/RPC. > This is simply and plainly false. I don't know why people can't seem to grasp this. I know of several major corporations who not only had 1434/UDP blocked at the firewall but also on a number of internal routers *and* had aggressive patching programs, and they *still* suffered from Slammer. All it takes is *one* infected box *inside* the network to negate all the hard work you've done trying to keep the worm out.
When you have 150,000 machines worldwide, having 1% of those unpatched (which is a 99% *success* rate) means you have 1500! vulnerable machines. Most situations that I'm familiar with were in the tens - not even the hundreds - but it only took 10 or 15 machines to take down the entire network due to the nature of that worm. 10 or 15 boxes represents 1/100th of a percent of the total, yet that small number could completely destablize a network and cause untold hours of work for the admins and networking staff. Now anybody who wants to tell me that a 0.01% failure rate in a patching program proves the admins are incompetent is simply ignorant of the issues. I guess it's just impossible for people who don't actually run a large network to grasp the nature of the issues. You build your little home network, you put up a FreeBSD box as a NAT/Router/Firewall, and you think you understand networking in a large enterprise? You haven't a clue. Paul Schmehl ([EMAIL PROTECTED]) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu/~pauls/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
