RE: Publishing Nimda Logs == BAD IDEA

From: Rob Keown (Keownat_private)
Date: Wed May 08 2002 - 15:36:20 PDT


    Extremely well put. The solutions are education and continued evolution of
    AV and IDS technologies (to name a few). Education for the uninformed. How
    about some television commercials funded by a consortium of security
    companies, etc. A web clearinghouse for the non-savvy users (there are ones
    out there now but they need to be promoted).
    
    There are probably many other good ideas, along with some responsible
    journalism.
    
    -----Original Message-----
    From: Dug Song [mailto:dugsongat_private]
    Sent: Wednesday, May 08, 2002 2:27 PM
    To: incidentsat_private; vuln-devat_private
    Subject: Publishing Nimda Logs == BAD IDEA
    
    
    for those of you who have asked:
    
    the presentation i gave at CanSecWest is a preliminary dump of the
    data we'll be presenting at the FIRST conference next month. both the
    presentation and the updated research report will be made available
    from the Arbor website at that time.
    
    we will NOT, however, be publishing a comprehensive list of infected
    IPs (we have over 5 million of them, since September 2001). here are
    the reasons why:
    
    1. such a list would be useless to the general public. NOBODY in their
       right mind would try to block all the individual IPs in such a
       list, for they change far too much, and are far too widely
       distributed to effect useful filters. these worm infection attempts
       are more of a nuisance than a threat to sites that would actually
       block them, anyway - so the ORBS/RBL analogy is pretty weak.
    
    2. such a list would only benefit remote attackers. because Nimda is
       fairly localized (it only attempts a completely random jump 1/4 of
       the time), many of its infected hosts are actually out of the
       purview of many attackers (at least, those that aren't on cable
       modems themselves in 24/8). by publishing a list of Nimda hits
       you've seen, you're basically handing out a map of the vulnerable
       houses in your own neighborhood, inviting trouble (do you really
       want your local bandwidth to be wasted on massive DDoS floods?).
    
    3. to clean things up, we (as a community) need to act in a
       coordinated fashion. if you have your own lists of infected hosts,
       please, send them to your local CERT to deal with. why bother with
       tracking down contacts for thousands of IPs yourself? let someone
       else deal with the bureaucracy, that's what they're there for.
    
    think community police, not lynch mob. :-)
    
    -d.
    
    ---
    http://www.monkey.org/~dugsong/
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    This archive was generated by hypermail 2b30 : Wed May 08 2002 - 21:41:59 PDT