RE: Publishing Nimda Logs == BAD IDEA

From: Rob Keown (Keown@MACDIRECT.COM)
Date: 05/09/02


From: Rob Keown <Keown@MACDIRECT.COM>
To: 'Dug Song' <dugsong@monkey.org>, incidents@securityfocus.com, vuln-dev@securityfocus.com
Date: Wed, 8 May 2002 18:36:20 -0400 

Extremely well put. The solutions are education and continued evolution of
AV and IDS technologies (to name a few). Education for the uninformed. How
about some television commercials funded by a consortium of security
companies, etc. A web clearinghouse for the non-savvy users (there are ones
out there now but they need to be promoted).

There are probably many other good ideas, along with some responsible
journalism.

-----Original Message-----
From: Dug Song [mailto:dugsong@monkey.org]
Sent: Wednesday, May 08, 2002 2:27 PM
To: incidents@securityfocus.com; vuln-dev@securityfocus.com
Subject: Publishing Nimda Logs == BAD IDEA

for those of you who have asked:

the presentation i gave at CanSecWest is a preliminary dump of the
data we'll be presenting at the FIRST conference next month. both the
presentation and the updated research report will be made available
from the Arbor website at that time.

we will NOT, however, be publishing a comprehensive list of infected
IPs (we have over 5 million of them, since September 2001). here are
the reasons why:

1. such a list would be useless to the general public. NOBODY in their
   right mind would try to block all the individual IPs in such a
   list, for they change far too much, and are far too widely
   distributed to effect useful filters. these worm infection attempts
   are more of a nuisance than a threat to sites that would actually
   block them, anyway - so the ORBS/RBL analogy is pretty weak.

2. such a list would only benefit remote attackers. because Nimda is
   fairly localized (it only attempts a completely random jump 1/4 of
   the time), many of its infected hosts are actually out of the
   purview of many attackers (at least, those that aren't on cable
   modems themselves in 24/8). by publishing a list of Nimda hits
   you've seen, you're basically handing out a map of the vulnerable
   houses in your own neighborhood, inviting trouble (do you really
   want your local bandwidth to be wasted on massive DDoS floods?).

3. to clean things up, we (as a community) need to act in a
   coordinated fashion. if you have your own lists of infected hosts,
   please, send them to your local CERT to deal with. why bother with
   tracking down contacts for thousands of IPs yourself? let someone
   else deal with the bureaucracy, that's what they're there for.

think community police, not lynch mob. :-)

-d.

---
http://www.monkey.org/~dugsong/

---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
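As an added example (not code from either message), a small Python script that checks the locality claim in point 2 against constructed observations and produces the per-prefix summary that point 3 recommends handing to a CERT instead of a raw IP list. The observer address and every source IP below are constructed; the /16 and /8 boundaries are assumptions used only to illustrate "local" vs "remote".

```python
import ipaddress
from collections import Counter

# Constructed sample: source addresses seen probing an observer that sits in
# 24/8 (the cable-modem range mentioned in the post). All values are made up.
OBSERVER = ipaddress.ip_address("24.10.5.7")
SEEN = [
    "24.10.5.33", "24.10.5.91", "24.10.200.4", "24.10.17.250",
    "24.33.1.2", "24.77.8.9", "24.10.5.33",      # repeat: one host, two probes
    "198.51.100.23", "203.0.113.77", "192.0.2.45",
]


def locality(observer, ips):
    """Count distinct infected hosts that share the observer's /16, that share
    only its /8, and that are outside both. Hosts in the first two groups are
    the "neighbourhood" a public list would expose to remote attackers."""
    hosts = {ipaddress.ip_address(i) for i in ips}
    net16 = ipaddress.ip_network(f"{observer}/16", strict=False)
    net8 = ipaddress.ip_network(f"{observer}/8", strict=False)
    same16 = sum(1 for h in hosts if h in net16)
    same8_only = sum(1 for h in hosts if h in net8 and h not in net16)
    remote = len(hosts) - same16 - same8_only
    return {"same_16": same16, "same_8_only": same8_only, "remote": remote}


def cert_summary(ips, prefixlen=16):
    """Aggregate distinct hosts per /prefixlen block. This is the shape of
    report a CERT can act on (who owns which block, how many hosts), without
    publishing the individual addresses."""
    hosts = {ipaddress.ip_address(i) for i in ips}
    blocks = Counter(
        str(ipaddress.ip_network(f"{h}/{prefixlen}", strict=False)) for h in hosts
    )
    return dict(sorted(blocks.items()))


if __name__ == "__main__":
    print(locality(OBSERVER, SEEN))
    for block, n in cert_summary(SEEN).items():
        print(f"{block}: {n} infected host(s)")
```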


