Full Plate of Crow

From: Alfred Huger (ahat_private)
Date: Wed Aug 01 2001 - 08:01:59 PDT

    Well, for future reference, crow is for the most part terrible breakfast
    food. It seems that the end is actually nigh and all my sarcasm has come
    back to haunt me. Well, perhaps not.
    
    People, as you know, are seeing Code Red attacks on the increase, although
    it has yet to become a problem. If you look at the attack rates, the
    attacks seem a lot faster than last time. We started seeing Code Red on
    the 11th last time, and it took several days before it started
    picking up steam en masse. Today, however, the rise seems a lot more
    effective. Still no snapping power lines, major ISPs going down or general
    digital chaos, but we can always hold out hope for that later.
    
    Something to note here: upsurges in port 80 probes and actually
    identifying a Code Red attack are two different things entirely. If you
    are basing your attack stats off of firewall logs or simple access list
    packet drops, your stats might well be out to lunch. Keep in mind a
    firewall is only telling you it dropped a packet, not what was in the packet.
    A lot of the people mailing me last night and this morning were sending
    firewall logs, not IDS logs. Firewalls are great, I have one myself, but you
    see the problem is that they were not designed to be very inquisitive,
    hence IDSs. So before you assume Code Red is massing at your border router
    for an all-out, Iwo Jima, no-holds-barred assault, check your logs. Meaning
    your IDS logs or web logs. Conjecture in times like this causes panic.
    Panic is bad, unless of course you profit off of people panicking, which
    some of us in the industry do.
    
    Three people also mailed me asking about SANS's Incidents.org and their
    front page showing (as of now) something like 8000+ hosts infected. So far
    as I know, Incidents.org (which is a good site) is pulling its data from
    Dshield.org (which is a really good site as well). Now, Dshield, so far as I
    understand it, gathers its stats from a number of devices, but it does not
    do attack correlation. Meaning it does not actually make sense of the logs
    beyond telling what was denied on what ports. So it could be saying
    that 8000+ people have seen traffic dropped on port 80, or perhaps their
    staff are going through the logs by hand (I pity them if this is the
    case). Perhaps someone from one of those organizations can post and shed
    some light on this for us.
    
    Now lastly, the list is going to be reserved for Code Red traffic today, so
    if you're posting other things (and many of you are) I will approve them
    tomorrow after some judicious moderation.
    
    Cheers,
    -al
    
    
    VP Engineering
    SecurityFocus.com
    "Vae Victis"
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
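    The distinction al draws above, between a firewall log that only records a
    dropped packet to port 80 and a web log that shows the request itself, as an
    added example that is not part of his post or of the ARIS service. The log
    lines are constructed; the firewall line format is an assumption; the Code
    Red request signature (GET /default.ida? followed by a long run of N and
    %u-encoded shellcode) is a public fact about the worm that the post itself
    does not state.

```python
import re
from collections import Counter

# Constructed firewall log (format is an assumption): a border device records
# only that it dropped a TCP packet to port 80, nothing about the HTTP request.
FIREWALL_LOG = """\
Aug 01 2001 07:58:01 fw1 deny tcp 192.0.2.10:4012 -> 198.51.100.5:80
Aug 01 2001 07:58:03 fw1 deny tcp 192.0.2.44:1533 -> 198.51.100.5:80
Aug 01 2001 07:58:05 fw1 deny tcp 192.0.2.90:3821 -> 198.51.100.5:80
Aug 01 2001 07:58:07 fw1 deny tcp 192.0.2.91:2201 -> 198.51.100.5:443
Aug 01 2001 07:58:09 fw1 deny udp 192.0.2.92:1024 -> 198.51.100.5:53
"""

# Code Red's propagation request (public fact about the worm, not from the post):
# GET /default.ida? followed by a long run of 'N' and %u-encoded shellcode.
CODE_RED_PROBE = "GET /default.ida?" + "N" * 224 + "%u9090%u6858%ucbd3%u7801 HTTP/1.0"

# Constructed web server access log in Common Log Format: here the request
# line is visible, so a Code Red hit can actually be identified.
ACCESS_LOG = "\n".join([
    '203.0.113.7 - - [01/Aug/2001:07:58:01 -0700] "%s" 404 312' % CODE_RED_PROBE,
    '203.0.113.8 - - [01/Aug/2001:07:58:03 -0700] "GET /index.html HTTP/1.0" 200 1043',
    '203.0.113.9 - - [01/Aug/2001:07:58:05 -0700] "GET /robots.txt HTTP/1.0" 404 208',
    '203.0.113.7 - - [01/Aug/2001:07:58:07 -0700] "%s" 404 312' % CODE_RED_PROBE,
    '203.0.113.10 - - [01/Aug/2001:07:58:09 -0700] "POST /cgi-bin/form.pl HTTP/1.0" 200 88',
]) + "\n"

FW_RE = re.compile(
    r"\bdeny (?P<proto>tcp|udp) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)")
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+')
# Match the worm's request line: default.ida with a long run of N's.
CODE_RED_RE = re.compile(r"^GET /default\.ida\?N{16,}")


def port80_drops(fw_log):
    """Count dropped TCP packets to port 80 per source address.

    This is all a firewall log can tell you: a port-80 probe happened.
    Whether it carried a Code Red request is unknowable from this line."""
    hits = Counter()
    for line in fw_log.splitlines():
        m = FW_RE.search(line)
        if m and m.group("proto") == "tcp" and m.group("dport") == "80":
            hits[m.group("src")] += 1
    return hits


def code_red_hits(access_log):
    """Count confirmed Code Red requests per source from a web access log,
    where the request line (the payload) is recorded and can be matched."""
    hits = Counter()
    for line in access_log.splitlines():
        m = CLF_RE.match(line)
        if m and CODE_RED_RE.match(m.group("request")):
            hits[m.group("src")] += 1
    return hits


def summarize(fw_log, access_log):
    """Put the two numbers side by side: probes seen vs. worm requests confirmed."""
    fw = port80_drops(fw_log)
    cr = code_red_hits(access_log)
    return {
        "port80_drops": sum(fw.values()),
        "port80_sources": len(fw),
        "code_red_requests": sum(cr.values()),
        "code_red_sources": len(cr),
    }


if __name__ == "__main__":
    s = summarize(FIREWALL_LOG, ACCESS_LOG)
    print("port-80 drops in firewall log: %d from %d sources (content unknown)"
          % (s["port80_drops"], s["port80_sources"]))
    print("Code Red requests in web log : %d from %d sources (confirmed by request line)"
          % (s["code_red_requests"], s["code_red_sources"]))
```

    The firewall side counts three port-80 drops from three sources and says
    nothing more; the web log side confirms two Code Red requests, both from
    one host. Only the second number is a Code Red statistic, and only a log
    that records the request line (web server, IDS) can produce it.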



    This archive was generated by hypermail 2b30 : Wed Aug 01 2001 - 08:04:37 PDT