RE: Publishing Nimda Logs

From: Steve Zenone (Zenone@cats.ucsc.edu)
Date: 05/08/02


From: "Steve Zenone" <Zenone@cats.ucsc.edu>
To: <INCIDENTS@securityfocus.com>
Date: Wed, 8 May 2002 11:48:27 -0700

Hello,

Mally Mclane wrote:
|9 times out of 10, if you want contact information, the RIPEdb will supply
|*correct* contact information. And ops@ripe.net will *always* try to help
|you out if you don't get correct contact information.

I agree - I've had fairly decent luck with ops@ripe.net. A part of the
problem, as I see it, is the quantity of systems actively performing
NIMDA scans. As already mentioned within this thread, the IDS logs are
enormous per day as a result of all of the scans.
A large number of the source IPs pull up bogus info when querying the
RIPE database (e.g., `whois ip@whois.ripe.net`), returning results that
have email addresses that point to the bitbucket. I am unclear what the
most common cause for this is (outdated data within the database?).

The other part of the problem that has also been brought up is that systems
just aren't being patched and/or installed correctly, thus fueling the
automated attacks and noise on the networks.

From an incident response standpoint, the load is very demanding as the
number of systems actively performing NIMDA scans grows/continues.

What has been frustrating out of all of this is that once a correct contact
has been established, the response has been less than satisfactory. On the
positive side, I admit that the percentage of responses from
notifications has increased, albeit still small in number.

Lastly, the problem with publishing Nimda infected systems is that it
would be that much more trivial for an attacker to dump all of that
data into an automated tool that would only target those systems (their
logs would only show a small subset of the entirety of the list). The
damage could be much worse than what we're seeing from Nimda if someone
had such intentions.

Why provide the reconnaissance? Then again, maybe someone would feed that
info into an attack that ends up patching the systems (well, that would
probably break a number of systems too, thus causing a DoS - not good).

Regards,
Steve
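As an added example (not part of Steve's post or the list's own tooling), the triage step this thread keeps running into: collapsing a day's worth of scan hits into one record per scanning source before anyone spends time on whois lookups and notifications. It assumes Apache/NCSA common-format log lines and the request paths that public Nimda write-ups describe its HTTP propagation probing for (root.exe, winnt/system32/cmd.exe, readme.eml); the log lines below are constructed.

```python
import re
from datetime import datetime

# Request paths that public Nimda descriptions document its HTTP scans probing
# for (assumption: tune this to whatever your own IDS tags as Nimda).
NIMDA_PATH_RE = re.compile(
    r"(/root\.exe|/winnt/system32/cmd\.exe|/readme\.eml)", re.IGNORECASE
)

# Apache/NCSA common log format: ip ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return (ip, datetime, request) for a common-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req")

def summarize_nimda_sources(lines):
    """Collapse every Nimda-style probe into one record per source IP.

    Returns {ip: {"hits": n, "first": datetime, "last": datetime}}, so a day of
    thousands of IDS lines becomes a short list of hosts to run through whois
    and notify once each, instead of once per probe.
    """
    sources = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line: skip rather than abort the whole run
        ip, ts, req = parsed
        if not NIMDA_PATH_RE.search(req):
            continue  # ordinary traffic, not part of the scan noise
        rec = sources.setdefault(ip, {"hits": 0, "first": ts, "last": ts})
        rec["hits"] += 1
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
    return sources

# Constructed sample: one scanning host, one normal visitor, one garbage line.
SAMPLE_LOG = """\
192.0.2.10 - - [08/May/2002:11:40:01 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
192.0.2.10 - - [08/May/2002:11:40:02 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
198.51.100.7 - - [08/May/2002:11:41:00 -0700] "GET /index.html HTTP/1.1" 200 1043
192.0.2.10 - - [08/May/2002:11:40:03 -0700] "GET /readme.eml HTTP/1.0" 404 -
garbage line that should be skipped
""".splitlines()

if __name__ == "__main__":
    for ip, rec in sorted(summarize_nimda_sources(SAMPLE_LOG).items()):
        print(f"{ip}: {rec['hits']} probes, {rec['first']:%H:%M:%S} to {rec['last']:%H:%M:%S}")
```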

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
