Re: Publishing Nimda Logs == BAD IDEA

From: De Velopment (develat_private)
Date: Wed May 08 2002 - 17:50:25 PDT


Dug,

   I have to agree with your assessment, especially based on
one of your points.

On Wed, 8 May 2002, Dug Song wrote (in part):

> 2. such a list would only benefit remote attackers. because Nimda is
>    fairly localized (it only attempts a completely random jump 1/4 of
>    the time), many of its infected hosts are actually out of the
>    purview of many attackers (at least, those that aren't on cable
>    modems themselves in 24/8). by publishing a list of Nimda hits
>    you've seen, you're basically handing out a map of the vulnerable
>    houses in your own neighborhood, inviting trouble (do you really
>    want your local bandwidth to be wasted on massive DDoS floods?).

   There is another angle to this.  Since the typical DSL or Cable
Modem service these days uses a Dynamic IP via DHCP, the host that
attacked you yesterday could be on a different IP today.  And if
you took that IP from yesterday and published it, a different system
altogether (that may be completely clean and patched or not even
running a Microsoft operating system) may be on that IP today.

   The only valid use of the log entries in a Dynamic IP range is
to give the entries, including the time, to the DSL or Cable Modem
provider, so they can compare the entry to their signon logs and
then they can notify (and possibly take action against) the
subscriber who is "on the attack".

   By the way, I'm speaking as one who is on the PacBell ADSL service
and, yes, we still have unpatched IIS servers "on the attack" here.

   Best regards,

   Ken Parker (develat_private)


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
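The correlation step Ken describes (the provider matching a logged hit, with its time, against its own signon records) can be illustrated with a small script. The following Python is example code added for this archive page; it is not from the original post, from the list, or from any provider. The Apache-style access-log format, the lease-table layout, the subscriber ids, the request paths and all addresses are constructed assumptions for the demonstration.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Set

# Apache combined-style line (assumed format): ip ident user [stamp] "request" status size
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+$')

# Constructed sample access-log lines. The same address shows up on two
# different days; the request paths are placeholders, not worm signatures.
ACCESS_LOG = """\
203.0.113.45 - - [07/May/2002:22:14:03 -0700] "GET /scripts/probe-a HTTP/1.0" 404 276
203.0.113.45 - - [08/May/2002:09:30:11 -0700] "GET /scripts/probe-b HTTP/1.0" 404 276
198.51.100.7 - - [08/May/2002:09:31:40 -0700] "GET /scripts/probe-a HTTP/1.0" 404 276
"""

# Constructed DHCP lease history as a provider might hold it:
# (ip, subscriber account id [placeholder], lease start, lease end).
# Timestamps carry a UTC offset so they compare correctly against the log.
LEASES = [
    ("203.0.113.45", "SUB-0001", "2002-05-07T12:00:00-0700", "2002-05-08T00:00:00-0700"),
    ("203.0.113.45", "SUB-0002", "2002-05-08T00:00:00-0700", "2002-05-09T00:00:00-0700"),
    ("198.51.100.7", "SUB-0003", "2002-05-06T08:00:00-0700", "2002-05-10T08:00:00-0700"),
]


def parse_access_log(text: str) -> List[Dict]:
    """One record per parseable line: source IP, timezone-aware timestamp, request, status."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # lines that do not fit the assumed format are skipped, not guessed at
        ip, stamp, request, status = m.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        records.append({"ip": ip, "time": when, "request": request, "status": int(status)})
    return records


def parse_leases(rows) -> List[Dict]:
    """Turn the constructed lease tuples into records with aware datetimes."""
    fmt = "%Y-%m-%dT%H:%M:%S%z"
    return [
        {"ip": ip, "subscriber": sub,
         "start": datetime.strptime(start, fmt), "end": datetime.strptime(end, fmt)}
        for ip, sub, start, end in rows
    ]


def subscriber_at(ip: str, when: datetime, leases: List[Dict]) -> Optional[str]:
    """Which subscriber held `ip` at `when`? A lease covers the interval [start, end)."""
    for lease in leases:
        if lease["ip"] == ip and lease["start"] <= when < lease["end"]:
            return lease["subscriber"]
    return None  # no lease covers that instant: the hit cannot be attributed


def subscribers_for_ip(ip: str, leases: List[Dict]) -> Set[str]:
    """Every subscriber who has ever held `ip`: all an IP-only report lets you say."""
    return {lease["subscriber"] for lease in leases if lease["ip"] == ip}


def correlate(log_text: str, lease_rows) -> List[Dict]:
    """Attribute each logged hit to the subscriber holding that IP at that time."""
    leases = parse_leases(lease_rows)
    return [
        {"ip": rec["ip"], "time": rec["time"].isoformat(),
         "subscriber": subscriber_at(rec["ip"], rec["time"], leases)}
        for rec in parse_access_log(log_text)
    ]


if __name__ == "__main__":
    for hit in correlate(ACCESS_LOG, LEASES):
        print(hit)
    print("IP-only attribution for 203.0.113.45:",
          sorted(subscribers_for_ip("203.0.113.45", parse_leases(LEASES))))
```

With the time included, the two hits from 203.0.113.45 resolve to two different accounts (SUB-0001 on the 7th, SUB-0002 on the 8th); with the address alone, `subscribers_for_ip` can only return both candidates, which is the ambiguity the post is warning about. The script deliberately requires a UTC offset on every timestamp: a log written in local time and a lease table kept in UTC will silently mis-attribute hits near lease boundaries.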
    



    This archive was generated by hypermail 2b30 : Thu May 09 2002 - 09:26:02 PDT