Security Incidents mailing list archives

Full Plate of Crow


From: Alfred Huger <ah () securityfocus com>
Date: Wed, 1 Aug 2001 09:01:59 -0600 (MDT)


Well, for future reference, crow is for the most part terrible breakfast
food. It seems that the end is actually nigh and all my sarcasm has come
back to haunt me. Well, perhaps not.

People, as you know, are seeing Code Red attacks on the increase although
it has yet to become a problem. If you look at the attack rates the
attacks seem a lot faster than last time. We started seeing Code Red on
the 11th last time and it took several days though before it started
picking up steam en masse. Today however the rise seems a lot more
effective. Still no snapping powerlines, major ISPs going down or general
digital chaos but we can always hold out hope for that later.

Something to note here, upsurges in port 80 probes and actually
identifying a Code Red attack are two different things entirely. If you
are basing your attack stats off of firewall logs or simple access list
packet drops your stats might well be out to lunch. Keep in mind a
firewall is only telling you it dropped a packet, not what was in the packet.
A lot of the people mailing me last night and this morning were sending
firewall logs, not IDS logs. Firewalls are great, I have one myself, but you
see the problem is that they were not designed to be very inquisitive,
hence IDSs. So before you assume Code Red is massing at your border router
for an all out Iwo Jima no holds barred assault - check your logs. Meaning
your IDS logs or web logs. Conjecture in times like this causes panic.
Panic is bad, unless of course you profit off of people panicking, which
some of us in the industry do.

Three people also mailed me asking about SANS's Incidents.org and their
front page showing (as of now) something like 8000+ hosts infected. So far
as I know Incidents.org (which is a good site) is pulling its data from
Dshield.org (which is a really good site as well). Now Dshield so far as I
understand it gathers its stats from a number of devices but it does not
do attack correlation. Meaning it does not actually make sense of the logs
outside of telling what was denied on what ports. So it could be saying
that 8000+ people have seen traffic dropped on port 80, or perhaps their
staff are going through the logs by hand (I pity them if this is the
case). Perhaps someone from one of those organizations can post and shed
some light on this for us.

Now lastly, the list is going to be reserved to Code Red traffic today so
if you're posting other things (and many of you are) I will approve them
tomorrow after some judicious moderation.

Cheers,
-al


VP Engineering
SecurityFocus.com
"Vae Victis"


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
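Added example (not part of the post above or of any SecurityFocus tool): a short Python script that makes the post's point concrete by running two constructed log samples side by side. The firewall sample only yields a count of denied port-80 packets; the web-server sample records the request itself, so it can be matched against a Code Red request pattern. The pattern used here (a GET for /default.ida carrying a long run of N characters in the query) is taken from public descriptions of the worm, not from the post, and the log lines and addresses are constructed.

```python
import re

# Constructed sample firewall log lines (not from the post). A firewall
# records only that a packet to a port was denied, never what it carried.
FIREWALL_LOG = """\
Aug  1 08:12:01 fw deny tcp 203.0.113.5:4021 -> 198.51.100.10:80
Aug  1 08:12:03 fw deny tcp 203.0.113.9:1187 -> 198.51.100.10:80
Aug  1 08:12:04 fw deny tcp 203.0.113.9:1190 -> 198.51.100.10:443
Aug  1 08:12:07 fw deny tcp 192.0.2.44:2231 -> 198.51.100.10:80
"""

# Request shape assumed for Code Red: GET /default.ida with a long run of
# 'N' characters in the query. Taken from public write-ups, not the post.
CODE_RED_QUERY = "N" * 40 + "%u9090%u6858"

# Constructed sample IIS W3C extended log lines, fields:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
WEB_LOG = f"""\
2001-08-01 08:12:01 203.0.113.5 GET /default.ida {CODE_RED_QUERY} 200
2001-08-01 08:12:02 192.0.2.7 GET /index.html - 200
2001-08-01 08:12:05 203.0.113.9 GET /default.ida {CODE_RED_QUERY} 404
2001-08-01 08:12:06 198.51.100.77 GET /default.ida - 200
"""

FW_DENY_RE = re.compile(
    r"deny tcp (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
# Requires the N-run payload in the query field, so a plain request for
# /default.ida without it (last WEB_LOG line) is not counted.
CODE_RED_RE = re.compile(
    r"^\S+ \S+ (?P<src>\S+) GET /default\.ida (?P<query>N{20,}\S*) (?P<status>\d+)$"
)


def count_port80_denies(firewall_log):
    """Count denied TCP packets to port 80. This is volume only: nothing in
    a firewall log says whether the payload was Code Red, a scanner, or a
    misconfigured browser."""
    total = 0
    for line in firewall_log.splitlines():
        m = FW_DENY_RE.search(line)
        if m and m.group("dport") == "80":
            total += 1
    return total


def find_code_red_requests(web_log):
    """Return (source ip, status) for each request whose recorded content
    matches the assumed Code Red .ida pattern. Only a log that keeps the
    request itself (web server or IDS) can make this distinction."""
    hits = []
    for line in web_log.splitlines():
        m = CODE_RED_RE.match(line)
        if m:
            hits.append((m.group("src"), int(m.group("status"))))
    return hits


def summarize(firewall_log, web_log):
    """Put the two views next to each other: drops say how much traffic was
    refused, web log matches say how much of it was actually Code Red."""
    hits = find_code_red_requests(web_log)
    return {
        "port80_denies": count_port80_denies(firewall_log),
        "code_red_requests": len(hits),
        "code_red_sources": sorted({src for src, _ in hits}),
    }


if __name__ == "__main__":
    print(summarize(FIREWALL_LOG, WEB_LOG))
```

On the constructed data the firewall shows three denied port-80 packets while the web log confirms only two Code Red requests, from two sources; the third drop could have been anything. A 404 on a matching request still counts as an attempt, which is what you want when measuring the worm's scanning rather than successful infections.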
