Don't ignore network level filtering
Posted Jan 30, 2003 0:14 UTC (Thu) by jneves
Parent article: A look at the MS-SQL worm
That is, Microsoft users were attaining a 99% patch and/or secure rate of systems publicly visible to the worm. This is a pretty good compliance rate.
This number is ignoring the way a lot of the machines were protected. For instance, in Portugal, I know for a fact that the second biggest ISP refused all traffic to port 1434. This allowed several thousands of companies and vulnerable machines to avoid the attack.
I believe this to be a direct result of Code Red, Nimda and others. ISPs developed ways of reacting to worms and distributed attacks. I've seen how well it worked here (by "well" I mean that damage was averted) and I think that a lot more ISPs and some big companies did the same: filtered the attack at the network level.
This means that, if only 1% of the potential machines were affected, it has as much to do with Microsoft and its users as with how network administrators deal with distributed and/or worm attacks.