[ On Tuesday, February 26, 2002 at 18:30:32 (-0800), Jay D. Dyson wrote: ]
> Subject: Re: "Nimda"?
>
> I've found that the best defense is a good offense, so I have an
> automated notification facility in place that acts as a decoy.  When
> either Code Red or Nimda hit my servers, the owner of the netblock is
> immediately notified that their systems are being used as an attack
> platform against other machines.

Your "best offence" is in fact a dangerous mechanism that could be turned into a D.o.S. tool if it were poorly implemented and then widely deployed through social engineering attempts (such as your message above).

Please DO NOT EVER implement or deploy automated notification systems without tightly integrating into them full summarisation features and mechanisms to avoid sending more than one notification to a given address at any frequency more often than once per day, and preferably no more often than once per week (esp. after the initial day of a widespread infection).

Most everyone with any length of experience at this learned a very long time ago, back in the days where helpful admins tried to notify their colleagues of lame DNS delegations for one example, that such distributed notification tools are far worse than the incidents they're trying to report.

If you are not running a vulnerable server and yet you are reporting probes like this to anything but a central monitoring service that has explicitly requested your probes, then you are part of the problem, not part of the solution.

As someone who receives e-mail addressed to such netblock contact addresses I've found it necessary to block e-mail from some automated notifiers lest my mailbox be flooded with such noise that prevents me from dealing with the real issues. I.e. if you flood me I will ignore you. Just be thankful I'm a good network neighbour and won't retaliate in kind!

Don't cry "Wolf!" unless there's a _VERY_ real one breathing down your neck right now.
If you want real action to resolve actual damages or to stop an attack while it happens (that you cannot for whatever unlikely reason block somehow on your end) then with the privacy laws like they are today in most jurisdictions you'd best be prepared to go through the proper authorities.

> That tends to keep things like that down
> to a dull roar (unless you're dealing with negligent admins who just don't
> give a whoop).

You're sadly mistaken if you believe there's any guaranteed correspondence between a netblock contact address and the owner of a machine which might happen to be infected with some silly worm or virus. If we had reason to search out all the infected machines in the netblocks we answer for then we would have no problem doing it without your help. You are just getting in the way.

Regardless, silly ongoing noise like Nimda and CodeRed notifications, especially after this much time since their initial release, is just that -- silly, useless, noise. Even if you don't flood me with complaints about them then your one complaint will still go on the bottom of the pile and it will only be dealt with if it should ever manage to be the last thing in the pile, and thus become the top of the pile. Don't hold your breath.

I do not have the time of day to worry about people who are either paranoid or revengeful about the likes of Nimda and CodeRed. If you don't run a vulnerable system then kindly ignore their probes, and if you do run a vulnerable system then either pull your network plug(s) or fix your silly system(s) and then ignore the probes!

-- 
Greg A. Woods
+1 416 218-0098;  <gwoodsat_private>;  <g.a.woodsat_private>;  <woodsat_private>
Planix, Inc. <woodsat_private>; VE3TCP; Secrets of the Weird <woodsat_private>
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
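The rule argued for in the message above (summarise, and never send a given contact address more than one notice per day, and preferably no more than one per week once the initial day of an outbreak has passed) is easy to get wrong in an "automated notification facility". The following is an added example, not code from either poster or from the list: a small notifier that buffers probe events per netblock contact and only releases one summary per contact per cooldown period. The netblock-to-contact table, the probe timeline and the address ranges (RFC 5737 documentation ranges) are all constructed for the example; a real notifier would look contacts up in RIR whois data instead, and the names `Probe`, `ContactState` and `Notifier` are this example's own.

```python
"""Rate-limited, summarising worm-probe notifier (added example, not list code)."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional

DAY = timedelta(days=1)
WEEK = timedelta(days=7)

# Constructed netblock -> abuse-contact table (documentation ranges only).
# A real notifier would query RIR whois data instead of a static table.
CONTACTS = {
    ip_network("192.0.2.0/24"): "abuse@example.net",
    ip_network("198.51.100.0/24"): "noc@example.org",
}


@dataclass
class Probe:
    when: datetime
    src: str          # source address of the probe
    signature: str    # e.g. "Nimda" or "CodeRed"


@dataclass
class ContactState:
    pending: list = field(default_factory=list)   # probes not yet reported
    notices_sent: int = 0
    last_sent: Optional[datetime] = None

    def cooldown(self) -> timedelta:
        # First notice goes out at once; the second waits a full day (the
        # "initial day" of the outbreak); anything after that waits a week.
        if self.notices_sent == 0:
            return timedelta(0)
        if self.notices_sent == 1:
            return DAY
        return WEEK


def contact_for(src: str) -> Optional[str]:
    """Map a probe source address to its netblock contact, or None."""
    addr = ip_address(src)
    for net, contact in CONTACTS.items():
        if addr in net:
            return contact
    return None


def summarise(contact: str, probes: list, now: datetime) -> str:
    """One summary message per contact: counts per (source, signature)."""
    counts = Counter((p.src, p.signature) for p in probes)
    lines = [f"To: {contact}",
             f"Summary of {len(probes)} probes seen up to {now:%Y-%m-%d %H:%M}:"]
    for (src, sig), n in sorted(counts.items()):
        lines.append(f"  {src}  {sig}  x{n}")
    return "\n".join(lines)


class Notifier:
    def __init__(self):
        self.state = defaultdict(ContactState)

    def record(self, probe: Probe) -> bool:
        """Buffer a probe under its contact; never sends anything by itself."""
        contact = contact_for(probe.src)
        if contact is None:
            return False
        self.state[contact].pending.append(probe)
        return True

    def flush(self, now: datetime) -> list:
        """Release at most one summary per contact whose cooldown has expired."""
        sent = []
        for contact, st in self.state.items():
            if not st.pending:
                continue
            if st.last_sent is not None and now - st.last_sent < st.cooldown():
                continue   # held back: the contact heard from us too recently
            sent.append(summarise(contact, st.pending, now))
            st.pending = []
            st.notices_sent += 1
            st.last_sent = now
        return sent


def run_demo() -> list:
    """Constructed timeline; returns how many notices each flush released."""
    t0 = datetime(2002, 2, 26, 18, 30)
    n = Notifier()

    def burst(at, src, sig, count):
        for i in range(count):
            n.record(Probe(at + timedelta(minutes=i), src, sig))

    burst(t0, "192.0.2.10", "Nimda", 5)
    burst(t0, "192.0.2.11", "CodeRed", 2)
    burst(t0, "198.51.100.5", "Nimda", 3)
    burst(t0, "203.0.113.9", "Nimda", 1)          # no contact on file: dropped
    released = [len(n.flush(t0 + timedelta(hours=1)))]        # 2: first notices
    burst(t0 + timedelta(hours=2), "192.0.2.10", "Nimda", 40)
    released.append(len(n.flush(t0 + timedelta(hours=3))))    # 0: under a day
    released.append(len(n.flush(t0 + DAY + timedelta(hours=1))))  # 1: day passed
    burst(t0 + 2 * DAY, "192.0.2.10", "Nimda", 10)
    released.append(len(n.flush(t0 + 3 * DAY)))               # 0: now weekly
    released.append(len(n.flush(t0 + 9 * DAY)))               # 1: week passed
    return released


if __name__ == "__main__":
    print(run_demo())   # [2, 0, 1, 0, 1]
```

The point of the design is that `record` never sends: everything is buffered, and `flush` is what a cron job would call, releasing one aggregated message per contact rather than one message per probe. Forty follow-up probes in the second hour produce no mail at all until the day has passed, and after that second notice the same contact is not mailed again for a week, which is the behaviour the message above asks for.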
This archive was generated by hypermail 2b30 : Wed Feb 27 2002 - 17:24:38 PST