I vote for Number 3...and then follow with a diatribe.

"Deus, Attonbitus" wrote:

> 1) Recommended. Go for it and publish the IP's and let the "Gods of IP"
> sort out the damage.
> 2) A Bad Thing. These are innocent victims, and you will just have them be
> attacked by evil people.
> 3) Boring. Who cares? It's Nimda, and an everyday part of life. Deal with
> it and ignore the logs.

First, consider the impact of Nimda (and CodeRed) on your server. If you are running Apache or patched IIS, then the only practical effect is filling your log file with stupid requests and the skewing of log analysis results. It is trivial to /dev/null Nimda junk with Apache, so the cost is modifying your httpd.conf file. I suppose you could suffer some sort of performance hit, but I seriously doubt the magnitude of that problem. If you are running an unpatched IIS server, then you could get infected. In that case you are also an idiot, but that's your problem.

Next, consider the benefits of publishing infected IPs. It'll make you feel good, somewhat like shouting defiance at a blizzard or holding the tide back by command. Other than that there are no benefits, for several reasons. Those infected are very unlikely to look at such a list. If they had enough savvy to check for their machine--and many wouldn't even know their IP--they would have had enough sense to patch their machine in the first place.

There's been some discussion about blackholing these addresses. Considering that many of these infected machines use DSL or cable modems and are assigned IPs by DHCP, it would be possible to block a legitimate user unlucky enough to lease an address earlier assigned to an infected machine. Besides, what kind of performance hit would you suffer blackholing infected IPs? Even if you did blackhole these addresses, what would you gain?

There's been a lot of discussion about the responsibility of ISPs. Yes, it would be nice if abuseat_private would respond with something other than silence or an auto-generated message. However, consider what an ISP gains by taking action on such a complaint. They would need a far larger staff to address the issue, which costs money; and they can't make a dime off of correcting something that truly has a minimal impact on their network. In other words, it costs them money without gaining them anything. Some cable modem ISPs blocked incoming port 80 traffic when Nimda first hit. Their TOS prohibited their customers from running a server, so they were justified in this action; but they quickly stopped the practice because some of their customers screamed bloody murder. This really is just an example of a larger mindset. ISPs don't want to be in the business of monitoring the content that flows through their network. Either their customers will complain if they are too protective, or they may become liable if they fail to catch the next version of Nimda.

There's been a lot of Microsoft bashing, but I think that the criticisms are misplaced. Patches to correct the problem were out long before the attacks, and MS is not alone in putting out vulnerable software. If it were only Microsoft's problem, then why am I getting constant sshd probes? Most MS servers don't have Secure Shell installed. And let's not forget wu-ftp. (grin) Microsoft's main failure is not in putting out buggy software; instead it's in creating an expectation of "set it up and forget it" on the part of their users. For most Windows users, trying to find out about security problems requires substantial work, and they weren't told that they should worry about it in the first place. BTW, some Linux distributions are getting close to creating the same kind of environment among their naive users.

I think the most important lesson that could be learned from Nimda is that many software producers, ISPs, and those in the security community are clueless when it comes to working with common users. Companies like Microsoft fail to educate their consumers how to learn about security risks and why they should bother to check. I can understand why. No one wants to trumpet their failures, and security vulnerabilities are perceived as major failures. ISPs rarely inform their customers about security vulnerabilities, and although I understand their desire to keep their customers anonymous, it should be possible to automatically notify their customers when a complaint has been made.

Then we come to the security community, and boy! are we really clueless. "Buffer overflow vulnerability" means something to the people on this list, but it doesn't mean a thing to the average user. Until vulnerability notifications are written in language that the naive user can understand, we shouldn't expect them to act on them. Until we can write so that Joe Windows User with his cable modem can appreciate his personal risk, we will be spitting into the wind.

Consider how the dangers of Nimda were first published. There was a batch of stories about how Nimda could bring the Internet to its knees. Very few of those stories added something like, "Oh, yes. And if you get infected almost any half-trained idiot can add, delete, or read any file on your computer." Joe User isn't nearly as concerned about excess traffic--so long as he can surf to his favorite sites--as he is about somebody scanning his personal documents, yet news stories about Nimda were dominated by the effects of the worm on the entire Internet.

Let's be honest. As marketers most security people make good doorstops.

Tom Frerichs

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed May 08 2002 - 14:45:03 PDT
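The post above says Nimda junk can be sent to /dev/null on Apache so it stops skewing log analysis. As an added example (not from the post or the list), here is a small Python filter that splits an Apache combined-format access log into real traffic and worm noise; the request-path signatures, log lines and addresses are constructed for illustration and are assumptions, not values from the post.

```python
import re

# Request-path fragments typical of the Nimda and Code Red probes of 2001.
# Assumed signatures for illustration; tune them to what your own logs show.
WORM_PATTERNS = [
    r"/default\.ida",                # Code Red overflow probe against IIS
    r"/root\.exe",                   # Code Red II backdoor reused by Nimda
    r"/winnt/system32/cmd\.exe",     # Nimda directory-traversal requests
    r"/scripts/\.\.%5c",             # URL-encoded "..\" traversal
]
WORM_RE = re.compile("|".join(WORM_PATTERNS), re.IGNORECASE)

# Apache combined format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def is_worm_noise(line):
    """True when the request line matches one of the worm signatures.
    Lines that do not parse are treated as real traffic, never dropped."""
    m = LOG_RE.match(line)
    if not m:
        return False
    return WORM_RE.search(m.group("request")) is not None


def split_log(lines):
    """Return (real_entries, worm_entries) so analysis runs on real traffic only."""
    real, noise = [], []
    for line in lines:
        (noise if is_worm_noise(line) else real).append(line)
    return real, noise


# Constructed sample log lines (documentation-range addresses, made-up timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Sep/2001:10:01:02 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"',
    '192.0.2.10 - - [19/Sep/2001:10:01:03 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"',
    '198.51.100.7 - - [19/Sep/2001:10:02:00 -0700] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [19/Sep/2001:10:03:11 -0700] "GET /default.ida?XXXX HTTP/1.0" 400 325 "-" "-"',
    '198.51.100.9 - - [19/Sep/2001:10:04:40 -0700] "GET /docs/faq.html HTTP/1.1" 200 2210 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    real, noise = split_log(SAMPLE_LOG)
    print(f"{len(noise)} worm requests dropped, {len(real)} real requests kept")
```

The same patterns can be applied at the source in httpd.conf with mod_setenvif (`SetEnvIf Request_URI "cmd\.exe" worm_noise`) and a conditional `CustomLog ... env=!worm_noise`, which is the /dev/null approach the post refers to.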