Code Red alert: Make sure you sweat the small stuff
By William Jackson
Aug 16, 2001
A friend who manages a small network with three servers recently told me this tale of woe.
On the morning of July 19 his connection to the Internet became intermittent, and by noon it was virtually gone. He was annoyed but not suspicious because that sort of slowdown had happened before.
Imagine his surprise when his Internet service provider phoned to say he had been purposely taken offline because his network was generating Code Red denial-of-service attack traffic.
He was the 30th customer the provider had identified as harboring the Code Red worm. Apparently the worm's scanning for other vulnerable systems was what had degraded his Internet access earlier in the day.
'My 384-Kbps pipe was totally sucked down,' he said. 'It essentially brought down the entire ISP.'
This incident yet again points up the necessity of keeping system patches up-to-date. All of them.
The Code Red worm, programmed to attack the www.whitehouse.gov Web site, exploited a security vulnerability discovered in Microsoft Internet Information Server software, which by default is installed on Web servers running Windows NT, 2000 or XP.
Microsoft Corp. on June 18 released a patch for the IIS flaw, but a month later hundreds of thousands of servers lacking the patch were compromised by Code Red.
'I had applied the patch to my main Web server' during a routine update, my friend said. 'But with a third-tier machine that you don't pay a lot of attention to ... I didn't even know it had IIS. It was on by default.'
Code Red didn't care whether it was a front-line or a third-tier machine. Once it found an opening, it moved in and made itself comfortable, then set about looking for other vulnerable machines.
Fortunately, the results were not disastrous.
The White House Web site dodged the bullet by changing its IP address, and my friend managed to get back online quickly. He turned off IIS on his servers and was reconnected. Then he downloaded and installed the missing patch, brought the servers up and was back in business.
'It took less than five minutes,' he said, once he knew what the problem was.
He's good about keeping security patches updated and faults Microsoft for forcing him into the position of being a potential enemy of the White House.
The vulnerability and patch were well-publicized in June, however. At the time, the IIS hole was just one of a myriad of vulnerability announcements that administrators get, and it didn't look urgent because there was no worm exploiting it. By the time the worm arrived, it was almost too late.
All of which goes to show that you have to sweat the small stuff. Any machine is important if it is vulnerable, and any vulnerability is important if exploited. All your hard work on the big stuff can be for naught if you let the little stuff slide.
William Jackson is a freelance writer and the author of the CyberEye blog.