Re: Publishing Nimda Logs == BAD IDEA

From: Dug Song (dugsongat_private)
Date: Thu May 09 2002 - 17:31:00 PDT

On Thu, May 09, 2002 at 10:03:54AM -0700, Deus, Attonbitus wrote:

> Administrators would be able to choose relevant netblocks to
> selectively act upon, and the entire process could be easily
> automated... I believe that the posture of avoidance is stronger
> than that of defense.

the addresses are too distributed and dynamic for this to work.
you might as well disconnect from the Internet now... ;-)

> You are not evil, and you are not malicious, yet you have still collected
> over 5 million infected IPs. Logic dictates that those who are evil and
> malicious, and who place a much higher value on that information, would
> have done the same.

most attackers who would actually launch a DDoS attack do not have the
luxury of monitoring an unused class A to collect zombies.

> The fact is that we are still under constant attack, and after all
> the press, all the bulletins, and all the fury of activity
> surrounding the publication of this information and the education of
> the user, it is not working.

don't believe the hype. we are not under constant attack, just
suffering an annoying level of noise. the real danger is that someone
actually amasses a list of infected hosts to use in a DDoS flood -
not that these hosts are simply knocking at our doors.

> Not only can I not count on other administrators to properly set up
> their boxes, but I can't count on CERT to tell the ISP about it, and
> I can't count on the ISP to take any further action.  I can count on
> a Perl script to blackhole someone.

this will prevent you from seeing spurious log entries, but will be of
no benefit in a sufficiently distributed attack. blackholing any host
that triggers an IDS alert on your borders would be roughly equivalent...

> What would be immensely valuable would be for you to offer a sign up option
> where you can verify my contact information, and allow me to pull IPs for
> my netblocks from your massive database in an automated fashion.

no need for our (stale?) data - just scan your own address range.

-d.

---
http://www.monkey.org/~dugsong/
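The exchange above turns on one practical question: how an administrator gets the list of infected hosts inside the netblocks they are responsible for without depending on someone else's (possibly stale) database. Whether you scan your own range or read your own web logs, the triage step is the same: recognise the Nimda probe requests, collect their source addresses, and keep only the ones that fall inside your blocks. The following is an added example, not code from either participant in this thread. It parses Apache-style common log format lines (an assumption; IIS logs use a different layout), matches the probe request strings published in CERT Advisory CA-2001-26 (including the root.exe backdoor left by Code Red II that Nimda reused), and filters the probing sources by CIDR. The log lines are constructed for the example, using documentation address ranges.

```python
import ipaddress
import re
from typing import Iterable, List, Set

# Common log format: client ident user [time] "METHOD PATH PROTO" status size
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

# Request paths Nimda probed for, per CERT Advisory CA-2001-26. They are
# matched against the raw, still URL-encoded path, because the double
# encodings (%255c, %c1%1c, ...) are part of the signature itself.
NIMDA_PROBES = (
    "/scripts/root.exe",
    "/MSADC/root.exe",
    "/c/winnt/system32/cmd.exe",
    "/d/winnt/system32/cmd.exe",
    "/scripts/..%255c../winnt/system32/cmd.exe",
    "/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe",
    "/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe",
    "/scripts/..%c1%1c../winnt/system32/cmd.exe",
    "/scripts/..%c0%2f../winnt/system32/cmd.exe",
    "/scripts/..%c0%af../winnt/system32/cmd.exe",
    "/scripts/..%c1%9c../winnt/system32/cmd.exe",
    "/scripts/..%%35%63../winnt/system32/cmd.exe",
    "/scripts/..%%35c../winnt/system32/cmd.exe",
    "/scripts/..%25%35%63../winnt/system32/cmd.exe",
    "/scripts/..%252f../winnt/system32/cmd.exe",
)

# Constructed sample log, not real traffic. 203.0.113.0/24 plays the role
# of "our" netblock; the other two sources are somebody else's problem.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Sep/2001:10:02:11 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210',
    '198.51.100.23 - - [18/Sep/2001:10:02:13 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 210',
    '203.0.113.9 - - [18/Sep/2001:10:03:01 -0700] "GET /index.html HTTP/1.0" 200 1832',
    '203.0.113.7 - - [18/Sep/2001:10:02:12 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210',
    '192.0.2.44 - - [18/Sep/2001:10:05:44 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210',
    'this line is not in common log format and must not abort the run',
]


def is_nimda_probe(path: str) -> bool:
    """True if the request path starts with one of the known Nimda probe strings."""
    lowered = path.lower()
    return any(lowered.startswith(p.lower()) for p in NIMDA_PROBES)


def probing_hosts(log_lines: Iterable[str]) -> Set[ipaddress.IPv4Address]:
    """Source addresses that sent at least one Nimda probe request."""
    hosts = set()
    for line in log_lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the whole triage
        ip, method, path = m.group(1), m.group(2), m.group(3)
        if method.upper() == "GET" and is_nimda_probe(path):
            try:
                hosts.add(ipaddress.ip_address(ip))
            except ValueError:
                continue  # client field was a hostname or garbage, not an address
    return hosts


def hosts_in_netblocks(hosts: Iterable[ipaddress.IPv4Address],
                       netblocks: Iterable[str]) -> List[ipaddress.IPv4Address]:
    """Keep only the addresses inside the CIDR blocks you are responsible for."""
    nets = [ipaddress.ip_network(n, strict=False) for n in netblocks]
    return sorted((h for h in hosts if any(h in n for n in nets)), key=int)


if __name__ == "__main__":
    everyone = probing_hosts(SAMPLE_LOG)
    ours = hosts_in_netblocks(everyone, ["203.0.113.0/24"])
    print("probing sources seen:", sorted(str(h) for h in everyone))
    print("in our netblocks:    ", [str(h) for h in ours])
```

The point of keeping the encoded forms rather than decoding first is that the decoder is what the attack targets: a normalised path would match fewer of the CA-2001-26 strings, not more. The list returned by hosts_in_netblocks is what you would hand to your own cleanup process; as the reply notes, feeding the full set into a blackhole script buys you quieter logs and nothing against a distributed flood.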
    



This archive was generated by hypermail 2b30 : Thu May 09 2002 - 17:48:49 PDT