FW: Worms versus Bots

Jeff Shultz jeffshultz at wvi.com
Fri May 7 15:43:09 UTC 2004


** Reply to message from Chris Adams <cmadams at hiwaay.net> on Fri, 7 May
2004 09:45:36 -0500

> Once upon a time, Alexei Roudnev <alex at relcom.net> said:
> > Any simple NAT (PNAT, to be correct) box decrease a chance of infection by
> > last worms to 0. Just 0.0000%.
> 
> The problem is that Joe User (or his kid) wants to run some random P2P
> program without having to reconfigure NAT port mappings, so they have
> all inbound connections mapped to a static internal IP.  When the worms
> come knocking, the connections go right through and the static IP system
> gets infected, which then infects the Mom's computer, etc.; then you
> have 2+ times as much worm traffic sourced from that single public IP
> because there are multiple computers scanning.

If Joe (L)User  or his kid sets up his NAT that way... well, quite
honestly he gets what he deserves. Protecting against active,
deliberate stupidty is probably more than my job description coveres. I
do get paid to clean up the mess afterwards however. And in at least
one case I have set it up for a customer that they are behind a NAT
that they can't reconfigure - 3 strikes and I was out of patience. 

But I suggest that in my experience the above sort of thing is
relatively rare. 

> 
> NAT does help if you just put necessary port mappings in place (and only
> for "secure" protocols).

I don't know about that last part - do you consider http and ftp to be
secure protocols?

-- 
Jeff Shultz
A railfan pulls up to a grade crossing hoping that
there will be a train. 




More information about the NANOG mailing list