Basically what you are saying is that AOL should be treated no differently
than cable modem users on the @home.com networks, a long known issue.
Yes?
Thanks,
Ron DuFresne
On Wed, 12 Sep 2001, william.wells wrote:
> AOL is configured to use a LAN(TCP/IP) connection which means it's connecting
> on port 5190 through our firewall and then setting up a virtual network over
> that. When I get hit on port 80, I do a traceroute back to the port reported
> by my intrusion detection software on my PC. That traceroute returned via
> their virtual network to a named system (server?) in their DNS space.
>
> Our firewall is configured to block inbound port 80 so, up until yesterday,
> I have literally 0 attempts of connections to port 80 over the past couple
> of years. Our firewall is constantly scanned and blocks things accordingly.
>
> Hence,
> If one of their servers is attempting to access my PC via port 80 and send
> me a CodeRed URL, then there is something wrong with their servers (my
> opinion).
>
> If one of their customers can attempt to connect to port 80 on my PC through
> AOL's virtual network connection which AOL establishes, then any company or
> person which allows AOL's virtual adapter to run is opening up a hole around
> any network security which they might have; only software resident on the PC
> might protect them. The implication, if this is true (and the same mechanism
> is used for dial-up), is that AOL shouldn't be allowed to run on any system
> unless that system has personal firewall software. AOL, by itself, should be
> considered insecure. If that were true and became public, I'd think AOL
> would rapidly be out of business.
>
> I've been approaching this assuming that my connection to them was solely to
> their servers implying that they can control what "touches" my system. If,
> when I connect, I am just another node in a virtual IP space which contains
> all other active AOL connections and all systems can freely access my
> system, then I need to seriously rethink AOL. I wouldn't think that my
> system would have a resolvable name in their address space, but maybe so.
> Next time I come up, I'll have to do a DNS lookup of my PC's IP address.
>
> Incidentally, I enabled the AOL proxy this morning, connected to AOL, and
> had another alarm in probably under 1 minute; different IP address but
> everything else is the same.
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
> > Sent: Wednesday, September 12, 2001 12:41 PM
> > To: william.wells
> > Cc: [EMAIL PROTECTED]
> > Subject: RE: AOL probe - "just" Code Red
> >
> > William---
> >
> > Are you getting your Internet access from AOL or do you have another
> > Internet provider and connect to AOL through that?
> >
> > I'm no expert on AOL, but my understanding is that its dial-up access uses
> > its own proprietary protocol, and it provides winsock-based IP access
> > through its own virtual network adaptor - at least this is how previous
> > versions in the UK worked.
> >
> > If, however, you have a "proper" Internet connection (i.e. broadband or
> > proper PPP dialup), and you access AOL over that, then AOL uses its own
> > special port over IP to communicate with its servers, and it's that port
> > you need to allow through your IP firewall.
> >
> > However, unless you've set your personal firewall rules up correctly, there
> > is no way you can stop ANY box TRYING to communicate with you on port 80,
> > whether from AOL or not. If you're not running a web server of any kind on
> > your box, then just block port 80, and don't bother configuring your
> > firewall to notify you. There is so much background noise on the Internet
> > that the value of receiving individual alerts is pretty meaningless
> > (although it's obviously useful to look at longer term trends for the
> > connections made to your box, to identify repeated connection attempts).
> >
> > So, although AOL may block communication via its own protocol from other
> > users, you should not rely on them to block anything else, whether from
> > other AOL users or anyone on the Internet. You're being scanned at an IP
> > level, not a proprietary AOL protocol level.
> >
> > If you've never been scanned before, that's more due to your luck than
> > anything else....
> >
> > Russell
> >
> >
> > ----- Forwarded by Russell Donoff/GB/ABNAMRO/NL on 12/09/2001 18:38 -----
> >
> > From: "william.wells" <william.wells@provell.com>
> > To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> > cc:
> > Subject: RE: AOL probe - "just" Code Red
> > Date: 12/09/2001 18:21
> >
> > What you are saying implies that other AOL users could access my
> > system from their systems while I was logged into AOL. I thought AOL blocked
> > that - perhaps not. I'm still talking to AOL. I've never been scanned
> > while on AOL previously.
> >
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
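Russell's advice above is to drop port 80 silently and review the longer-term pattern of connection attempts rather than react to individual alerts. As an added example, not part of the original thread, here is a small Python script that does that aggregation over constructed firewall log lines (the log format, addresses, thresholds and timestamps are all made up for illustration):

```python
# Added example: aggregate dropped inbound tcp/80 attempts into per-source
# totals and repeat offenders. Log format and lines below are constructed.
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed format: "<ISO timestamp> DROP <src>:<sport> -> <dst>:<dport> <proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP (?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) (?P<proto>\w+)$"
)

SAMPLE_LOG = """\
2001-09-12T18:20:01 DROP 10.1.2.3:1043 -> 192.0.2.10:80 TCP
2001-09-12T18:20:09 DROP 10.1.2.3:1044 -> 192.0.2.10:80 TCP
2001-09-12T18:21:30 DROP 10.9.8.7:3322 -> 192.0.2.10:80 TCP
2001-09-12T18:22:45 DROP 10.1.2.3:1045 -> 192.0.2.10:80 TCP
2001-09-12T18:23:00 DROP 10.5.5.5:2000 -> 192.0.2.10:23 TCP
2001-09-12T18:25:11 DROP 10.1.2.3:1046 -> 192.0.2.10:80 TCP
2001-09-12T18:40:00 DROP 10.9.8.7:3323 -> 192.0.2.10:80 TCP
"""

def parse_port80_drops(text):
    """Yield (timestamp, src_ip) for every dropped TCP connection to port 80."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m["proto"] == "TCP" and m["dport"] == "80":
            yield datetime.fromisoformat(m["ts"]), m["src"]

def summarize(text, min_hits=3, window_minutes=10):
    """Return (per-source totals, sources with >= min_hits attempts inside any
    window_minutes span). The latter are the 'repeated attempts' worth a look."""
    by_src = defaultdict(list)
    for ts, src in parse_port80_drops(text):
        by_src[src].append(ts)
    totals = Counter({src: len(hits) for src, hits in by_src.items()})
    repeat = []
    for src, hits in by_src.items():
        hits.sort()
        # Sliding window over sorted timestamps: attempts i .. i+min_hits-1.
        for i in range(len(hits) - min_hits + 1):
            if (hits[i + min_hits - 1] - hits[i]).total_seconds() <= window_minutes * 60:
                repeat.append(src)
                break
    return totals, sorted(repeat)

if __name__ == "__main__":
    totals, repeat = summarize(SAMPLE_LOG)
    print(dict(totals), "repeat offenders:", repeat)  # repeat -> ['10.1.2.3']
```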