Security Incidents mailing list archives

Re: "Nimda"?


From: woods () weird com (Greg A. Woods)
Date: Wed, 27 Feb 2002 17:25:42 -0500 (EST)

[ On Tuesday, February 26, 2002 at 18:30:32 (-0800), Jay D. Dyson wrote: ]
Subject: Re: "Nimda"?

      I've found that the best defense is a good offense, so I have an
automated notification facility in place that acts as a decoy.  When
either Code Red or Nimda hit my servers, the owner of the netblock is
immediately notified that their systems are being used as an attack
platform against other machines.

Your "best offence" is in fact a dangerous mechanism that could be
turned into a D.o.S. tool if it were poorly implemented and then widely
deployed through social engineering attempts (such as your message
above).

Please DO NOT EVER implement or deploy automated notification systems
without tightly integrating into them full summarisation features and
mechanisms to avoid sending more than one notification to a given
address at any frequency more often than once per day, and
preferably no more often than once per week (esp. after the initial day
of a widespread infection).

Most everyone with any length of experience at this learned a very long
time ago, back in the days where helpful admins tried to notify their
colleagues of lame DNS delegations for one example, that such
distributed notification tools are far worse than the incidents they're
trying to report.

If you are not running a vulnerable server and yet you are reporting
probes like this to anything but a central monitoring service that has
explicitly requested your probes, then you are part of the problem, not
part of the solution.

As someone who receives e-mail addressed to such netblock contact
addresses I've found it necessary to block e-mail from some automated
notifiers lest my mailbox be flooded with such noise that prevents me
from dealing with the real issues.  I.e. if you flood me I will ignore
you.  Just be thankful I'm a good network neighbour and won't retaliate in
kind!

Don't cry "Wolf!" unless there's a _VERY_ real one breathing down your
neck right now.  If you want real action to resolve actual damages or to
stop an attack while it happens (that you cannot for whatever unlikely
reason block somehow on your end) then with the privacy laws like they
are today in most jurisdictions you'd best be prepared to go through the
proper authorities.

 That tends to keep things like that down
to a dull roar (unless you're dealing with negligent admins who just don't
give a whoop).

You're sadly mistaken if you believe there's any guaranteed
correspondence between a netblock contact address and the owner of a
machine which might happen to be infected with some silly worm or virus.
If we had reason to search out all the infected machines in the
netblocks we answer for then we would have no problem doing it without
your help.  You are just getting in the way.

Regardless, silly ongoing noise like Nimda and CodeRed notifications,
especially after this much time since their initial release, is just
that -- silly, useless, noise.  Even if you don't flood me with
complaints about them then your one complaint will still go on the
bottom of the pile and it will only be dealt with if it should ever
manage to be the last thing in the pile, and thus become the top of the
pile.  Don't hold your breath.  I do not have the time of day to worry
about people who are either paranoid or revengeful about the likes of
Nimda and CodeRed.  If you don't run a vulnerable system then kindly
ignore their probes, and if you do run a vulnerable system then either
pull your network plug(s) or fix your silly system(s) and then ignore
the probes!

-- 
                                                                Greg A. Woods

+1 416 218-0098;  <gwoods () acm org>;  <g.a.woods () ieee org>;  <woods () robohack ca>
Planix, Inc. <woods () planix com>; VE3TCP; Secrets of the Weird <woods () weird com>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
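The two safeguards the reply above demands of any automated notifier, folding every probe into a per-contact summary and never mailing the same contact more often than a fixed minimum gap, look roughly like this in practice. This is an added example, not code from the poster or from either list member; the netblock-to-contact table, the worm signature names and the probe events are all constructed so it runs offline, and the day/week gaps, `Notifier`, `summarise` and `demo` names are this example's own choices (a real deployment would look contacts up via whois/RDAP and hand digests to an MTA instead of an in-memory outbox).

```python
"""Summarising, rate-limited abuse notifier (added example, constructed data)."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Optional

DAY = timedelta(days=1)
WEEK = timedelta(days=7)

# Constructed lookup table standing in for a whois/RDAP query.
CONTACTS = {
    ip_network("192.0.2.0/24"): "abuse@example.net",
    ip_network("198.51.100.0/24"): "noc@example.org",
}


@dataclass
class ProbeEvent:
    ts: datetime
    src: str          # probing IP as seen in the web server log
    signature: str    # worm signature name, e.g. "nimda" or "codered"


@dataclass
class ContactState:
    pending: list = field(default_factory=list)   # events not yet reported
    last_sent: Optional[datetime] = None
    sent_count: int = 0


def contact_for(src: str) -> Optional[str]:
    """Map a source address to its netblock contact, or None if unknown."""
    addr = ip_address(src)
    for net, contact in CONTACTS.items():
        if addr in net:
            return contact
    return None


def summarise(events) -> str:
    """Collapse a batch of events into one digest: counts per host and signature."""
    counts = Counter((e.src, e.signature) for e in events)
    first = min(e.ts for e in events)
    last = max(e.ts for e in events)
    lines = [f"{len(events)} probe(s) from your netblock between "
             f"{first:%Y-%m-%d %H:%M} and {last:%Y-%m-%d %H:%M} UTC:"]
    for (src, sig), n in sorted(counts.items()):
        lines.append(f"  {src:<15} {sig:<8} x{n}")
    return "\n".join(lines)


class Notifier:
    def __init__(self, first_gap=DAY, steady_gap=WEEK):
        self.first_gap = first_gap      # minimum gap before the first follow-up
        self.steady_gap = steady_gap    # minimum gap between later follow-ups
        self.state = defaultdict(ContactState)
        self.outbox = []                # (contact, digest) pairs; stands in for SMTP
        self.unattributed = 0           # events with no known contact

    def observe(self, ev: ProbeEvent) -> None:
        contact = contact_for(ev.src)
        if contact is None:
            self.unattributed += 1      # unknown contact: drop it, never guess one
            return
        self.state[contact].pending.append(ev)

    def _gap(self, st: ContactState) -> timedelta:
        return self.first_gap if st.sent_count == 1 else self.steady_gap

    def flush(self, now: datetime) -> list:
        """Send the digests that are due; call periodically (e.g. hourly)."""
        mailed = []
        for contact, st in self.state.items():
            if not st.pending:
                continue
            if st.last_sent is not None and now - st.last_sent < self._gap(st):
                continue                # throttled: keep accumulating
            self.outbox.append((contact, summarise(st.pending)))
            st.pending.clear()
            st.last_sent = now
            st.sent_count += 1
            mailed.append(contact)
        return mailed


def demo() -> Notifier:
    """Constructed run: 30 probes from one host over ten days, plus two others."""
    t0 = datetime(2002, 2, 20, tzinfo=timezone.utc)
    n = Notifier()
    events = [ProbeEvent(t0 + timedelta(hours=8 * i), "192.0.2.10", "nimda")
              for i in range(30)]
    events += [ProbeEvent(t0 + timedelta(hours=3), "198.51.100.7", "codered"),
               ProbeEvent(t0 + timedelta(hours=5), "203.0.113.9", "nimda")]  # no contact
    events.sort(key=lambda e: e.ts)
    i = 0
    for h in range(24 * 10):            # hourly flushes for ten days
        now = t0 + timedelta(hours=h)
        while i < len(events) and events[i].ts <= now:
            n.observe(events[i])
            i += 1
        n.flush(now)
    return n
```

In the `demo()` run the host that probes every eight hours produces thirty events but only three mails to its contact (the initial report, a one-day follow-up summarising three probes, and a weekly follow-up summarising twenty-one); the remaining probes simply wait in the pending list, and the source with no known contact is counted and dropped rather than mailed to a guessed address.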

