Re: Publishing Nimda Logs == BAD IDEA

[De Velopment <devel () www2 kparker org>]

Dug,

   I have to agree with your assessment, especially based on
one of your points.

On Wed, 8 May 2002, Dug Song wrote (in part):

> 2. such a list would only benefit remote attackers. because Nimda is
>    fairly localized (it only attempts a completely random jump 1/4 of
>    the time), many of its infected hosts are actually out of the
>    purview of many attackers (at least, those that aren't on cable
>    modems themselves in 24/8). by publishing a list of Nimda hits
>    you've seen, you're basically handing out a map of the vulnerable
>    houses in your own neighborhood, inviting trouble (do you really
>    want your local bandwidth to be wasted on massive DDoS floods?).

   There is another angle to this.  Since the typical DSL or Cable
Modem service these days uses a Dynamic IP via DHCP, the host that
attacked you yesterday could be on a different IP today.  And if
you took that IP from yesterday and published it, a different system
altogether (that may be completely clean and patched or not even
running a Microsoft operating system) may be on that IP today.

   The only valid use of the log entries in a Dynamic IP range is
to give the entries, including the time, to the DSL or Cable Modem
provider, so they can compare the entry to their signon logs and
then they can notify (and possibly take action against) the
subscriber who is "on the attack".

   By the way, I'm speaking as one who is on the PacBell ADSL service
and, yes, we still have unpatched IIS servers "on the attack" here.

   Best regards,

        Ken Parker (devel () www2 kparker org)