Vulnerability Development mailing list archives
Re: Publishing Nimda Logs == BAD IDEA
From: Dug Song <dugsong () monkey org>
Date: Thu, 9 May 2002 20:31:00 -0400
On Thu, May 09, 2002 at 10:03:54AM -0700, Deus, Attonbitus wrote:
> Administrators would be able to choose relevant netblocks to selectively act upon, and the entire process could be easily automated... I believe that the posture of avoidance is stronger than that of defense.
the addresses are too distributed and dynamic for this to work. you might as well disconnect from the Internet now... ;-)
> You are not evil, and you are not malicious, yet you have still collected over 5 million infected IPs. Logic dictates that those who are evil and malicious, and who place a much higher value on that information, would have done the same.
most attackers who would actually launch a DDoS attack do not have the luxury of monitoring an unused class A to collect zombies.
> The fact is that we are still under constant attack, and after all the press, all the bulletins, and all the fury of activity surrounding the publication of this information and the education of the user, it is not working.
don't believe the hype. we are not under constant attack, just suffering an annoying level of noise. the real danger is that someone actually amasses a list of infected hosts to use in a DDoS flood - not that these hosts are simply knocking at our doors.
> Not only can I not count on other administrators to properly set up their boxes, but I can't count on CERT to tell the ISP about it, and I can't count on the ISP to take any further action. I can count on a Perl script to blackhole someone.
this will prevent you from seeing spurious log entries, but will be of no benefit in a sufficiently distributed attack. blackholing any host that triggers an IDS alert on your borders would be roughly equivalent...
> What would be immensely valuable would be for you to offer a sign up option where you can verify my contact information, and allow me to pull IPs for my netblocks from your massive database in an automated fashion.
no need for our (stale?) data - just scan your own address range.

-d.

---
http://www.monkey.org/~dugsong/