Publishing Nimda Logs - Summary

From: Deus, Attonbitus (Thorat_private)
Date: Wed May 08 2002 - 07:35:12 PDT

  • Next message: Glenn Forbes Fleming Larratt: "Re: Publishing Nimda Logs"

    Hash: SHA1
    First, I would like to thank everyone who took the time to reply, both 
    publicly and privately.  I appreciate the feedback.
    Vuln-Dev has been the most interactive with this thread, so if you have 
    more to add, please post to vuln-dev or privately to save on moderation.
    I would say that > 90% of all the responses support publishing the 
    list.  Many of those stipulated that I should warn people first, and only 
    post them after no action was taken.  Additional ideas were to post a 
    'history' of contacts and actions taken.  Some people are already posting 
    such a list, and many of you offered to post your own logs if I make it 
    available.  Many were also exuberant about it with "Hell Yeah!" type posts- 
    this speaks to the level of frustration out there.
    A very small majority of people, about 4%, said it was a Very Bad Idea as 
    blackhats could use the list as a source for DDoS host candidates.  I agree 
    with Jay Dyson and others in that this information is already easily 
    available to anyone with an Internet connection if that is what they are 
    looking for.  Just last November, Dug Song published papers showing that 
    Nimda probes, globally, were at "roughly 5 *billion* attempts per 
    day."  Anyone with half a clue that was looking for bots could actively 
    gather information in far greater quantities than what would be on my 
    list.  I can only imagine what the aggregate waste of bandwidth is at that 
    level!  I do not believe that withholding the list because it could be used 
    maliciously is valid.
    The rest, about 6% or so, said to ignore it, spend the time securing your 
    systems, or to just silently blackhole the offenders.
    Things learned:
    1) ARIN is reportedly a bad source, or at least, outdated source, of 
    contact info.
    2) Jay also has a *nix product called EarlyBird, which will look up the 
    contact info for you to email offenders.
    3) maintains information like this, and allows you to post 
    logs to them.
    4) Jonathan Bloomquist and others actively connect to offenders to send net 
    messages to the console.  Pretty cool.
    Next Step:
    I will probably proceed with my project, taking into account the 
    suggestions of the posters.  One thing now interests me more...
    In the vein of JBloomquist's post and another poster who said to 
    reverse-patch the systems, I am willing to peek into Pandora's Box and 
    explore that precise option-
    Waiting for an attack, and then reverse-patching the box.  Please don't 
    tell me about the legal ramifications- I don't care about that yet.  What I 
    would like to know is if anyone has such an animal, or how one would go 
    about reverse-patching an attacking system-- I can't write that code, but 
    would really like to try it out.
    Thanks to all for your help.
    Version: PGP 7.1
    -----END PGP SIGNATURE-----
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:

    This archive was generated by hypermail 2b30 : Wed May 08 2002 - 08:38:20 PDT