Subject: [IP] could AOL be a hole that lets worms through corporate firewalls?
(dave if you post this, please kill the headers - people can contact me at my address below: ejg@ericglover.com)

I am sure many companies hit real hard by the recent spate of worms/viruses thought "I have a firewall so no one can scan my internal systems". Unfortunately in some cases AOL can be a hole right in through their firewall allowing outsiders access into their system(s).

Specifically - several months ago I noticed that ZoneAlarm was reporting scans of my home desktop - although I have a hardware firewall (Linksys NAT box) connected to my cable modem and this should prevent all unrequested IP packets.

After some investigation, I determined that when the AOL client is run via TCP (not AIM, not AOL via the web), it creates a new virtual device with an AOL-assigned IP address. This IP address is valid and on the outside network. Packets sent to this address are tunneled through the AOL client and sent to the local machine - even if you have a strict firewall. Basically if the AOL client can connect, packets from the outside can get in.

How does this spread to other machines in your company network:

If the machine running the AOL client (dialed in, or via TCP) does not have a software firewall (properly configured), and is susceptible, it becomes infected, and now can spread the virus/worm to other machines INSIDE of your firewall. Even if your internal network uses non-routable IP addresses (such as 10.X or 192.168.X), the AOL IP address IS valid and IS routable from the outside.

A simple experiment: Take a machine inside of a corporate or other firewall that has ZoneAlarm (configured to report attacks). Start the AOL client, and run win-ipconfig "ipconfig" (on Windows XP). Notice the AOL-assigned IP address. Now try to "connect" to it. Maybe telnet to it, or make a web connection to it, or ping it - notice that any traffic sent to that address is sent right back to your own computer (via the AOL tunnel).

I did some searching and found a posting from 2 years ago about someone who believed AOL was tunneling Code-red data:

http://www.netsys.com/firewalls/firewalls-2001-09/msg00177.html

Later,
Eric
ejg@ericglover.com
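
A check built on the `ipconfig` step of the experiment described in the message, as an added example that is not part of the original post: it parses `ipconfig`-style output and reports any adapter holding an address outside the RFC 1918 ranges on a host that also has an internal address. The sample output, the adapter names and the 203.0.113.25 address are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")
ADDR_RE = re.compile(r"^\s+(?:IP|IPv4) Address[ .]*:\s*(\d+\.\d+\.\d+\.\d+)")

# Constructed sample: adapter names and addresses are made up. 203.0.113.25
# (a documentation address) stands in for the externally assigned address.
SAMPLE = """Windows IP Configuration

Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.1.100
        Subnet Mask . . . . . . . . . . . : 255.255.255.0

Ethernet adapter Example Tunnel Adapter:
        IP Address. . . . . . . . . . . . : 203.0.113.25
"""

def parse_ipconfig(text):
    """Map each adapter header to the IPv4 addresses listed under it."""
    adapters, current = {}, None
    for line in text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            current = header.group(1)
            adapters[current] = []
            continue
        addr = ADDR_RE.match(line)
        if addr and current is not None:
            adapters[current].append(ipaddress.ip_address(addr.group(1)))
    return adapters

def is_internal(ip):
    return any(ip in net for net in RFC1918)

def is_outside(ip):
    # Anything that is not RFC 1918, loopback, link-local, multicast or 0.0.0.0.
    return not (is_internal(ip) or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_unspecified)

def bypass_adapters(text):
    """Adapters with an outside address on a host that also has an internal one."""
    adapters = parse_ipconfig(text)
    all_ips = [ip for ips in adapters.values() for ip in ips]
    if not any(is_internal(ip) for ip in all_ips):
        return []  # no private addressing on this host; nothing to compare
    return [(name, str(ip)) for name, ips in adapters.items()
            for ip in ips if is_outside(ip)]
```

Calling `bypass_adapters()` on output collected from hosts behind the firewall gives a list of adapters to review; an empty list means no outside address was found alongside the internal one.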