AOL is configured to use a LAN (TCP/IP) connection, which means it's connecting
on port 5190 through our firewall and then setting up a virtual network over
that. When I get hit on port 80, I do a traceroute back to the port reported
by my intrusion detection software on my PC. That traceroute returned via
their virtual network to a named system (server?) in their DNS space.

Our firewall is configured to block inbound port 80 so, up until yesterday,
I had literally 0 attempted connections to port 80 over the past couple
of years. Our firewall is constantly scanned and blocks things accordingly.

Hence,
If one of their servers is attempting to access my PC via port 80 and send
me a CodeRed URL, then there is something wrong with their servers (my
opinion).

If one of their customers can attempt to connect to port 80 on my PC through
AOL's virtual network connection which AOL establishes, then any company or
person which allows AOL's virtual adapter to run is opening up a hole around
any network security which they might have; only software resident on the PC
might protect them. The implication, if this is true (and the same mechanism
is used for dial-up), is that AOL shouldn't be allowed to run on any system
unless that system has personal firewall software. AOL, by itself, should be
considered unsecure. If that were true and became public, I'd think AOL
would rapidly be out of business.

I've been approaching this assuming that my connection to them was solely to
their servers implying that they can control what "touches" my system. If,
when I connect, I am just another node in a virtual IP space which contains
all other active AOL connections and all systems can freely access my
system, then I need to seriously rethink AOL. I wouldn't think that my
system would have a resolvable name in their address space, but maybe so.
Next time I come up, I'll have to do a DNS lookup of my PC's IP address.

Incidentally, I enabled the AOL proxy this morning, connected to AOL, and
had another alarm in probably under 1 minute; different IP address but
everything else is the same.

> -----Original Message-----
> From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, September 12, 2001 12:41 PM
> To: william.wells
> Cc: [EMAIL PROTECTED]
> Subject: RE: AOL probe - "just" Code Red
> 
> William---
> 
> Are you getting your Internet access from AOL or do you have another
> Internet provider and connect to AOL through that?
> 
> I'm no expert on AOL, but my understanding is that its dial-up access
> uses its own proprietary protocol, and it provides Winsock-based IP access
> through its own virtual network adaptor - at least this is how previous
> versions in the UK worked.
> 
> If, however, you have a "proper" Internet connection (i.e. broadband or
> proper PPP dialup), and you access AOL over that, then AOL uses its own
> special port over IP to communicate with its servers, and it's that port
> you need to allow through your IP firewall.
> 
> However, unless you've set your personal firewall rules up correctly,
> there is no way you can stop ANY box TRYING to communicate with you on
> port 80, whether from AOL or not.  If you're not running a web server of
> any kind on your box, then just block port 80, and don't bother
> configuring your firewall to notify you. There is so much background
> noise on the Internet that the value of receiving individual alerts is
> pretty meaningless (although it's obviously useful to look at longer term
> trends for the connections made to your box, to identify repeated
> connection attempts).
> 
> So, although AOL may block communication via its own protocol from other
> users, you should not rely on them to block anything else, whether from
> other AOL users or anyone on the Internet. You're being scanned at an IP
> level, not a proprietary AOL protocol level.
> 
> If you've never been scanned before, that's more due to your luck than
> anything else....
> 
> Russell
> 
> 
>         ----- Forwarded by Russell Donoff/GB/ABNAMRO/NL on 12/09/2001 18:38 -----
> 
>         "william.wells" <william.wells@provell.com>
>         12/09/2001 18:21
> 
>         To:      "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
>         cc:
>         Subject: RE: AOL probe - "just" Code Red
> 
>         What you are saying implies that other AOL users could access my
>         system from their systems while I was logged into AOL. I thought
>         AOL blocked that - perhaps not. I'm still talking to AOL. I've
>         never been scanned while on AOL previously.
> 
> 
> 
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls