Re: Publishing Nimda Logs

From: Thomas Frerichs (tfrerichat_private)
Date: Wed May 08 2002 - 10:40:24 PDT


    I vote for Number 3...and then follow with a diatribe.

    "Deus, Attonbitus" wrote:
    >   1) Recommended. Go for it and publish the IP's and let the "Gods of IP"
    >   sort out the damage.
    >   2) A Bad Thing. These are innocent victims, and you will just have them
    >   attacked by evil people.
    >   3) Boring. Who cares? It's Nimda, and an everyday part of life. Deal
    >   with it and ignore the logs.

    First, consider the impact of Nimda (and CodeRed) on your server. If you are
    running Apache or patched IIS, then the only practical effect is filling
    your log file with stupid requests and the skewing of log analysis results.
    It is trivial to /dev/null Nimda junk with Apache, so the cost is modifying
    your httpd.conf file. I suppose you could suffer some sort of performance
    hit, but I seriously doubt the magnitude of that problem. If you are
    running an unpatched IIS server, then you could get infected. In that case
    you are also an idiot, but that's your problem.

    Next, consider the benefits of publishing infected IPs. It'll make you feel
    good, somewhat like shouting defiance at a blizzard or holding the tide back
    by command. Other than that there are no benefits, for several reasons. Those
    infected are very unlikely to look at such a list. If they had enough savvy
    to check for their machine--and many wouldn't even know their IP--they would
    have had enough sense to patch their machine in the first place. There's
    been some discussion about blackholing these addresses. Considering that
    many of these infected machines use DSL or cable modems and are assigned IPs
    by DHCP, it would be possible to block a legitimate user unlucky enough to
    lease an address earlier assigned to an infected machine. Besides, what kind
    of performance hit would you suffer blackholing infected IPs? Even if you
    did blackhole these addresses, what would you gain?

    There's been a lot of discussion about the responsibility of ISPs. Yes, it
    would be nice if abuseat_private would respond with something other than
    silence or an auto-generated message. However, consider what an ISP gains by
    taking action on such a complaint. They would need a far larger staff to
    address the issue, which costs money; and they can't make a dime off of
    correcting something that truly has a minimal impact on their network. In
    other words, it costs them money without gaining them anything.

    Some cable modem ISPs blocked incoming port 80 traffic when Nimda first hit.
    Their TOS prohibited their customers from running a server, so they were
    justified in this action; but they quickly stopped the practice because some
    of their customers screamed bloody murder. This really is just an example of
    a larger mindset. ISPs don't want to be in the business of monitoring the
    content that flows through their network. Either their customers will
    complain if they are too protective, or they may become liable if they fail
    to catch the next version of Nimda.

    There's been a lot of Microsoft bashing, but I think that the criticisms are
    misplaced. Patches to correct the problem were out long before the attacks,
    and MS is not alone in putting out vulnerable software. If it were only
    Microsoft's problem, then why am I getting constant sshd probes? Most MS
    servers don't have Secure Shell installed. And let's not forget wu-ftp.
    Microsoft's main failure is not in putting out buggy software; instead it's
    in creating an expectation of "set it up and forget it" on the part of their
    users. For most Windows users, trying to find out about security problems
    requires substantial work, and they weren't told that they should worry
    about it in the first place. BTW, some Linux distributions are getting close
    to creating the same kind of environment among their naive users.

    I think the most important lesson that could be learned from Nimda is that
    many software producers, ISPs, and those in the security community are
    clueless when it comes to working with common users. Companies like
    Microsoft fail to educate their consumers how to learn about security risks
    and why they should bother to check. I can understand why. No one wants to
    trumpet their failures, and security vulnerabilities are perceived as major
    ISPs rarely inform their customers about security vulnerabilities, and
    although I understand their desire to keep their customers anonymous, it
    should be possible to automatically notify their customers when a complaint
    has been made.

    Then we come to the security community, and boy! are we really clueless.
    "Buffer overflow vulnerability" means something to the people on this list,
    but it doesn't mean a thing to the average user. Until vulnerability
    notifications are written in language that the naive user can understand,
    we shouldn't expect them to act on them. Until we can write so that Joe
    Windows User with his cable modem can appreciate his personal risk, we will
    be spitting into the wind.

    Consider how the dangers of Nimda were first published. There were a batch
    of stories about how Nimda could bring the Internet to its knees. Very few
    of those stories added something like, "Oh, yes. And if you get infected,
    almost any half-trained idiot can add, delete, or read any file on your
    computer." Joe User isn't nearly as concerned about excess traffic--so long
    as he can surf to his favorite sites--as he is about somebody scanning his
    personal documents, yet news stories about Nimda were dominated by the
    effects of the worm on the entire Internet. Let's be honest. As marketers
    most security people make good doorstops.

    Tom Frerichs
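    The httpd.conf change the post refers to (keeping Nimda and Code Red probes out of the
    main access log on an Apache server that is not itself vulnerable), shown here as an added
    example that is not part of the original message or of Apache's documentation. The
    request-path patterns (cmd.exe, root.exe, default.ida, the ..%5c and ..%c0%af traversal
    encodings) are the well-known worm signatures of that period; the log file names and
    the "worm" environment variable name are assumptions chosen for the example.

```apache
# Added example: tag IIS worm probes so they can be kept out of the main log.
# The patterns below are the familiar Nimda / Code Red request paths; the
# variable name "worm" and the file names are arbitrary choices for this example.
SetEnvIfNoCase Request_URI "cmd\.exe"       worm
SetEnvIfNoCase Request_URI "root\.exe"      worm
SetEnvIfNoCase Request_URI "default\.ida"   worm
SetEnvIfNoCase Request_URI "\.\.%5c"        worm
SetEnvIfNoCase Request_URI "\.\.%c0%af"     worm
SetEnvIfNoCase Request_URI "\.\.%c1%9c"     worm

# Main access log: everything except tagged worm probes, so log analysis is
# no longer skewed by them.
CustomLog logs/access_log combined env=!worm

# Rather than sending the probes to /dev/null outright, keep them in their own
# file. Comment this line out if you truly want them discarded; keeping it
# preserves the evidence (source IP, timestamp) should you ever need it.
CustomLog logs/worm_log combined env=worm

# Optional: refuse the requests instead of serving a 404. The server is not
# vulnerable either way; this only saves the bytes of an error page.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{ENV:worm} =1
    RewriteRule .* - [F,L]
</IfModule>
```

    Two caveats a practitioner should note. SetEnvIf matches on the URI as received, so the
    traversal encodings must be listed in the encoded forms the worm actually sends; a single
    pattern on the decoded path will miss them. And splitting the probes into their own log
    is deliberate: it costs nothing, and it keeps the source addresses available for the
    abuse report the post discusses, without polluting the statistics drawn from access_log.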
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
