Since we started the Web Server Survey in 1995, a longstanding theme of Netcraft's internet exploration work has been the issue of how best to reassure webmasters and systems administrators that requests they may see originating from Netcraft's network are benign, and do not in any way convey aggressive intent.
Earlier today an RFC was published by Internet pioneer Steve Bellovin which addresses this scenario. Bellovin's idea is that the sender's intentions, whether good or bad, should be stated directly in the TCP header information using a security flag [termed the "evil bit" by Bellovin]. It is intended that network protection devices such as routers, firewalls and Intrusion Detection Systems should defend their networks against packets where the evil bit is set, but otherwise assume that traffic is benign. Groups aligning themselves with RFC 3514 include the FreeBSD project, [who have already coded an implementation] and the nmap scanner.
Further to our article on the widespread availability of WebDAV on Microsoft-IIS/5.0 sites, Roman Medina and Rafael Nunez have each published the sources to programs written to exploit the vulnerability.
Additionally, David Litchfield has produced a paper emphasizing that the problem is a core DLL in Windows 2000 that is possible to exploit without recourse to the published Microsoft-IIS WebDAV vulnerability.
Expert opinion is that no unpatched Windows 2000 machines are safe.
Netcraft's network exploration services may be useful for people managing large networks of Windows 2000 servers. In particular, we can report machines not yet rebooted since the availability of Microsoft's patch and determine availability of WebDAV functionality on those machines.
Please mail us if interested.
In the March 2003 survey we received responses from
Market Share for Top Servers Across All Domains August 1995 - March 2003
|Developer||February 2003||Percent||March 2003||Percent||Change|
Windows 2000 goes past one million IP addresses for the first time this month. Including sites running NT4 and Windows 2003, there are slightly over 1.5 million internet web sites running a Microsoft operating system.
On 17th March Microsoft issued a security alert regarding a buffer overflow vulnerability which allows attackers to execute arbitrary code on Windows 2000 machines. The vulnerability is triggered by the Microsoft-IIS/5.0 implementation of the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol and is specific to Microsoft-IIS/5.0 - WebDAV was not supported in Microsoft-IIS/4.0, and Microsoft-IIS/6.0 is reported to be unaffected.
Microsoft-IIS/5.0 runs about 9 million web sites on just over 1 million ip addresses, making it the most widely deployed web server that has WebDAV enabled by default. Many sites disable WebDAV: best practice dictates that features that are not used should be disabled, and the IIS Lockdown tool recommended by Microsoft can disable WebDAV. However, although the number of sites that have disabled WebDAV is significant, our own data indicates that around three quarters of Microsoft-IIS/5.0 servers have WebDAV enabled, implying that at the time of announcement there were over 6 million vulnerable web sites.
The actual vulnerability occurs in a system DLL called by the WebDAV component, not in the WebDAV support itself. There may be ways to exploit this vulnerability via other components, or even other products. There is believed to be an exploit already in the wild for this vulnerability, and Windows 2000 administrators should apply the patch as soon as possible. CERT have issued an advisory (CA-2003-09), and Microsoft have issued a patch (see bulletin MS03-007).
The patch requires a reboot to become effective, and we have noticed that over half of the Microsoft-IIS/5.0 servers on the internet were rebooted during a two day period after the annoucement. The number of sites rebooting sets a lower bound on the uptake of the patch [a reboot is necessary as part of the patch installation] but will overstate the number of patched systems, as some sites will have rebooted for other reasons.
In the February 2003 survey we received responses from
Market Share for Top Servers Across All Domains August 1995 - February 2003