RE: Publishing Nimda Logs

From: Alexander Sarras (ABG) (Alexander.Sarras@abg.ericsson.se)
Date: 05/08/02


From: "Alexander Sarras (ABG)" <Alexander.Sarras@abg.ericsson.se>
To: "'Ron DuFresne'" <dufresne@winternet.com>, vuln-dev@securityfocus.com
Date: Wed, 8 May 2002 09:11:43 +0200 


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yep!
Right!

After - one could say - years of frustration over non-response,
ignorance, rudeness in response to natofications, begging and pleading
to DO SOMETHING about this or that problem from ISP's (I admit there
where very notable exceptions) and admins (also some very positive -
from my point of view - reactions) I am very much for it.

Just as long as there is also a "case history" attached, so everybody
can see what was done to stop that abuse. I'm thinking here in terms of
3 notification (attempts even, if RIPE or ARIN info is false, it's
their problem, not ours) within two months and nothing changing for the
better should qualify for an entry. And sorted by time of entry, oldest
on top....

I do not think this could be constructed as helping with dDoS attacks
or the like. Even if somebody tried that, I can (and will) always
argue: I am allowed to put a report of how I have to use _my_ time and
_my_ resources on _my_ webpage.

Just saying:
- -> This is a terrible idea. This isn't advertizing, it is creating an
- -> easy report to generate the largest denial of service platform the
world has
- -> ever seen. There is nothing stopping me from using said scan to
upload a
- -> "patch" to those servers and block access to others but retrain
control myself.
or something in those lines leaves out a very important fact. My having
to use time and resources to block those scans, atttacks, whatever,
keeping my routing and firewall rules up to date because of this,
assigning space for logs BECAUSE OF THIS, already is a
_theft_of_service_ in some way. It's my time, my money, my resources
which go down the drain and I would very much like to see that stop.

If whole netspaces get blocked because of this, I'm fine with that,
even if it would concern my own ISP. The machine I use at home uses an
unpublished IP address (no servers running) and it got about 25 nimbda
(not counting multiple scans from the same source IP) scans per hour at
weekends last month. And that's just one IP address.

So, go ahead, publish!

A.Sarras

> -----Original Message-----
> From: Ron DuFresne [mailto:dufresne@winternet.com]
> Sent: Wednesday, May 08, 2002 12:48 AM
> To: Chip McClure
> Cc: Deus, Attonbitus; vuln-dev@securityfocus.com
> Subject: Re: Publishing Nimda Logs
>
>
>
>
> I've also pretty much given up on trying to clue folks to nimda
> issues they still have, same with code red variants which are still
> plentiful.
> I've started to blackhole whol IP blocks due to this problem. Some
> companies, even when notified of their systems compromise and their
> being used to further attack other systems don't even take the time
> to either investigate, nor repair such systems. We've taken to
> having to block the whole netspace for many sites, such as the City
> of
> Ashland in
> Oregon, (NETBLK-SPRINT-D00150-2) SPRINT-D00150-2 208.1.80.0 -
> 208.1.83.255, whose systems are so infested with code-red and nimda
> variants and who fail as well as Sprint, their upstream provider, in
> taking any action about their systems attacks on others on
> the Internet
> infamous highway. We tried to actually call and talk to
> their techs and
> were rudely hung up on, this after over 6 months of
> notifications to them
> and their upstream ISP Sprint. Although Jose Nazario does
> mention these
> systems can be 0w3d after a publication of IP's of infected
> systems, I'm
> at this point not caring if they get taken. They are a pain
> and further
> spreading their problem as it is. I suspect many of these
> systems are at
> least partially 0w3d and used as DDOS mechanisms already. The hame
> of shame list should include the ISP's in question too, the
> upstreams have
> been notified as well as the direct offender, most many times
> over many
> months. Nothing else has worked...
>
> Thanks,
>
> Ron DuFresne
>
 

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1.1

iQA+AwUBPNjQU3/j44UBWb5aEQL6fwCgvoFaGeNmr1Ly4t1yzmADuLu+aFYAl0+5
yzBW/wkaS68mTky+SMM6mlQ=
=F2Bk
-----END PGP SIGNATURE-----