Vulnerability Development mailing list archives
Re: Publishing Nimda Logs == BAD IDEA
From: De Velopment <devel () www2 kparker org>
Date: Wed, 8 May 2002 17:50:25 -0700 (PDT)
Dug, I have to agree with your assessment, especially based on one of your points. On Wed, 8 May 2002, Dug Song wrote (in part):
2. such a list would only benefit remote attackers. because Nimda is fairly localized (it only attempts a completely random jump 1/4 of the time), many of its infected hosts are actually out of the purview of many attackers (at least, those that aren't on cable modems themselves in 24/8). by publishing a list of Nimda hits you've seen, you're basically handing out a map of the vulnerable houses in your own neighborhood, inviting trouble (do you really want your local bandwidth to be wasted on massive DDoS floods?).
There is another angle to this. Since the typical DSL or Cable Modem service these days uses a Dynamic IP via DHCP, the host that attacked you yesterday could be on a different IP today. And if you took that IP from yesterday and published it, a different system altogether (that may be completely clean and patched or not even running a Microsoft operating system) may be on that IP today. The only valid use of the log entries in a Dynamic IP range is to give the entries, including the time, to the DSL or Cable Modem provider, so they can compare the entry to their signon logs and then they can notify (and possibly take action against) the subscriber who is "on the attack". By the way, I'm speaking as one who is on the PacBell ADSL service and, yes, we still have unpatched IIS servers "on the attack" here. Best regards, Ken Parker (devel () www2 kparker org)
Current thread:
- Publishing Nimda Logs == BAD IDEA Dug Song (May 08)
- Re: Publishing Nimda Logs == BAD IDEA De Velopment (May 08)
- Re: Publishing Nimda Logs == BAD IDEA Deus, Attonbitus (May 09)
- Re: Publishing Nimda Logs == BAD IDEA Dug Song (May 09)
- <Possible follow-ups>
- RE: Publishing Nimda Logs == BAD IDEA Rob Keown (May 08)