nanog mailing list archives
Re: Sobig.f surprise attack today
From: Owen DeLong <owen () delong com>
Date: Fri, 22 Aug 2003 12:51:14 -0700
OK.. Seems to me that under the circumstances, since they're willing to disconnect that host from the internet (any rational ISP would be), that replacing it with a /32 route to a honeypot created by the ISP would not be that difficult. Sure, it's unlikely that 100% of the ISPs could do it in the time required, but, even if you just got the top 3 or so on the worm's hit list, it would have a significant impact. If you got 10, then the surprise would be no more than 50% effective.

Sure, it won't happen in 30 minutes, but, I don't understand why this wasn't started when F-Secure first noticed the situation.

Owen

--On Friday, August 22, 2003 1:39 PM -0500 "Beprojects.com" <info () beprojects com> wrote:

So who's going to do that? There are 20 machines on 20 different networks covering the US, Canada and parts of Asia (from what I've read). Each network would have to contact the individual user and ask permission to put a honeypot on their IP and that's not going to happen in the next 30 minutes.

----- Original Message -----
From: "Owen DeLong" <owen () delong com>
To: <jdawson () flexpop net>; <nanog () merit edu>; <Jaana.Sirkia () f-secure com>
Sent: Friday, August 22, 2003 1:27 PM
Subject: Re: Sobig.f surprise attack today

OK... Maybe I'm smoking crack here, but, if they have the list of 20 machines, wouldn't it make more sense to replace them with honey-pots that download code to remove SOBIG instead of just disabling them?

Let's use the virus against itself. At this point, I think that's a legitimate countermeasure.

Owen

--On Friday, August 22, 2003 11:01 AM -0700 Jim Dawson <jdawson () navi net> wrote:

>
> F-Secure Corporation is warning about a new level of attack to be
> unleashed by the Sobig.F worm today. Supposed to take place at 1900
> UTC.
>
> http://www.f-secure.com/news/items/news_2003082200.shtml
>
> Jim
> --
>
> See what ISP-Planet is saying about us!
> http://isp-planet.com/services/wholesalers/flexpop.html
> __________________________________________________________________
> Jim Dawson jdawson () flexpop net
> Flexpop/Navi.Net http://www.flexpop.net
> 618 NW Glisan St. Ste. 101 v. +1.503.517.8866
> Portland, Or 97209 USA f. +1.503.517.8868
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>