Re: Publishing Nimda Logs == BAD IDEA
From: Deus, Attonbitus (Thor@HammerofGod.com)
Date: 05/09/02
- In reply to: Dug Song: "Publishing Nimda Logs == BAD IDEA"
Date: Thu, 09 May 2002 10:03:54 -0700
To: Dug Song <dugsong@monkey.org>, incidents@securityfocus.com, vuln-dev@securityfocus.com
From: "Deus, Attonbitus" <Thor@HammerofGod.com>
At 11:27 AM 5/8/2002, Dug Song wrote:
Notwithstanding the veneration with which I hold you and your
accomplishments, I would like to make some counterpoints:
>we will NOT, however, be publishing a comprehensive list of infected
>IPs (we have over 5 million of them, since September 2001). here are
>the reasons why:
>
>1. such a list would be useless to the general public. NOBODY in their
> right mind would try to block all the individual IPs in such a
> list, for they change far too much, and are far too widely
> distributed to effect useful filters. these worm infection attempts
> are more of a nuisance than a threat to sites that would actually
> block them, anyway - so the ORBS/RBL analogy is pretty weak.
I don't recall the entire list blockage being proposed... Administrators
would be able to choose relevant netblocks to selectively act upon, and the
entire process could be easily automated. And while I agree that those
with the security mind-set required to know of the list and how to use it
would already be secured against the attack, I believe that the posture of
avoidance is stronger than that of defense. People would at least have a
choice of if and when they wanted to use the information. In this case, it
would be better to have the information and not need it than to need the
information and not have it.
>2. such a list would only benefit remote attackers. because Nimda is
> fairly localized (it only attempts a completely random jump 1/4 of
> the time), many of its infected hosts are actually out of the
> purview of many attackers (at least, those that aren't on cable
> modems themselves in 24/8). by publishing a list of Nimda hits
> you've seen, you're basically handing out a map of the vulnerable
> houses in your own neighborhood, inviting trouble (do you really
> want your local bandwidth to be wasted on massive DDoS floods?).
You are not evil, and you are not malicious, yet you have still collected
over 5 million infected IPs. Logic dictates that those who are evil and
malicious, and who place a much higher value on that information, would
have done the same. The future theoretical threat of a DDoS is mitigated
by the fact that the sources for such an attack would have already been
blackholed by those who chose to do so. Additionally, if a flood were to
occur, the aggregate information would have already been compiled, and
could be easily assembled by the ISP or admin to block the attacks as
opposed to building that data on the fly.
You already know what machines are attacking the rest of us, yet will not
publish that information based on the presumption that those with malicious
intent do not already have the information, and once they do, they will use
the information to make the machines that are already attacking us attack
us. I disagree with that logic.
>3. to clean things up, we (as a community) need to act in a
> coordinated fashion. if you have your own lists of infected hosts,
> please, send them to your local CERT to deal with. why bother with
> tracking down contacts for thousands of IPs yourself? let someone
> else deal with the bureaucracy, that's what they're there for.
If they were dealing with it appropriately, this thread would not have
started. The fact is that we are still under constant attack, and after
all the press, all the bulletins, and all the fury of activity surrounding
the publication of this information and the education of the user, it is
not working. Not only can I not count on other administrators to properly
set up their boxes, but I can't count on CERT to tell the ISP about it, and
I can't count on the ISP to take any further action. I can count on a Perl
script to blackhole someone.
What would be immensely valuable would be for you to offer a sign-up option
where you can verify my contact information, and allow me to pull IPs for
my netblocks from your massive database in an automated fashion. At least
in this way we can see what will really happen rather than living in theory.
Thanks for your posts, Dug.
AD
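As an added illustration (not part of the thread), the selective, automated handling the reply argues for: take a feed of hosts seen making worm probes, separate the ones inside my own netblocks (mine to clean up) from foreign /24s with repeated hits (candidates for a null route rather than a per-IP filter). The addresses are constructed from documentation ranges; MY_NETBLOCKS, the /24 aggregation and the hit threshold are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample feed of source IPs observed probing (not real data).
INFECTED_FEED = """
# one address per line, comments allowed
192.0.2.17
192.0.2.45
192.0.2.99
198.51.100.8
198.51.100.9
198.51.100.10
198.51.100.11
203.0.113.200
not-an-address
"""

# Netblocks this administrator is responsible for (assumed).
MY_NETBLOCKS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_feed(text):
    """Return the valid IP addresses in a feed, skipping blanks, comments and junk."""
    ips = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ips.append(ipaddress.ip_address(line))
        except ValueError:
            continue  # malformed line: ignore rather than abort the run
    return ips


def my_infected_hosts(ips, netblocks):
    """Hosts inside my own netblocks: these get cleaned up, not blocked."""
    return sorted({ip for ip in ips if any(ip in n for n in netblocks)}, key=int)


def candidate_blackholes(ips, netblocks, prefix=24, min_hits=3):
    """Aggregate foreign hits per /prefix; return (network, hits) at or above min_hits."""
    counts = Counter()
    for ip in ips:
        if any(ip in n for n in netblocks):
            continue  # my own hosts are handled by my_infected_hosts
        counts[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)] += 1
    return sorted((str(net), n) for net, n in counts.items() if n >= min_hits)


def null_route_commands(blocks):
    """Linux null-route lines for the selected networks (review before applying)."""
    return [f"ip route add blackhole {net}" for net, _ in blocks]
```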