Vulnerability Development mailing list archives

Re: Publishing Nimda Logs == BAD IDEA


From: Dug Song <dugsong () monkey org>
Date: Thu, 9 May 2002 20:31:00 -0400

On Thu, May 09, 2002 at 10:03:54AM -0700, Deus, Attonbitus wrote:

> Administrators would be able to choose relevant netblocks to
> selectively act upon, and the entire process could be easily
> automated... I believe that the posture of avoidance is stronger
> than that of defense.

the addresses are too distributed and dynamic for this to work.
you might as well disconnect from the Internet now... ;-)

> You are not evil, and you are not malicious, yet you have still collected
> over 5 million infected IPs. Logic dictates that those who are evil and
> malicious, and who place a much higher value on that information, would
> have done the same.

most attackers who would actually launch a DDoS attack do not have the
luxury of monitoring an unused class A to collect zombies.

> The fact is that we are still under constant attack, and after all
> the press, all the bulletins, and all the fury of activity
> surrounding the publication of this information and the education of
> the user, it is not working.

don't believe the hype. we are not under constant attack, just
suffering an annoying level of noise. the real danger is that someone
actually amasses a list of infected hosts to use in a DDoS flood -
not that these hosts are simply knocking at our doors.

> Not only can I not count on other administrators to properly set up
> their boxes, but I can't count on CERT to tell the ISP about it, and
> I can't count on the ISP to take any further action. I can count on
> a Perl script to blackhole someone.

this will prevent you from seeing spurious log entries, but will be of
no benefit in a sufficiently distributed attack. blackholing any host
that triggers an IDS alert on your borders would be roughly equivalent...

> What would be immensely valuable would be for you to offer a sign up option
> where you can verify my contact information, and allow me to pull IPs for
> my netblocks from your massive database in an automated fashion.

no need for our (stale?) data - just scan your own address range.

-d.

---
http://www.monkey.org/~dugsong/
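The two things the thread argues over, pulling Nimda probe sources out of a server's own logs and then acting only on the ones inside netblocks you are responsible for, are small enough to show in code. The following is an added example, not code from either poster or from monkey.org. The log lines are constructed for illustration, the 10.20.0.0/16 netblock is an assumed stand-in for "my netblocks", and the two marker strings are the target paths of the worm's root.exe/cmd.exe probes; matching on those rather than on whole URLs tolerates the many traversal encodings (%255c, %c0%af, %c1%1c, ...) Nimda used.

```python
"""Pick Nimda probe sources out of web server logs and keep only the
ones inside netblocks you are responsible for.

Added example, not from the original thread. The log lines below are
constructed for illustration; the netblock is an assumed stand-in."""
import re
import ipaddress

# Target paths of Nimda's IIS propagation probes. Substring matching on
# these tolerates the worm's many traversal encodings in the prefix.
NIMDA_MARKERS = (
    "/root.exe?/c+dir",
    "/winnt/system32/cmd.exe?/c+dir",
)

# Apache common/combined log format: client IP first, request quoted.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*"')


def is_nimda_request(method: str, path: str) -> bool:
    """True if the request line looks like a Nimda propagation probe."""
    if method != "GET":
        return False
    lowered = path.lower()
    return any(marker in lowered for marker in NIMDA_MARKERS)


def infected_sources(log_lines):
    """Return {source_ip: probe_count} for every host that sent a probe."""
    counts = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a line we understand; skip rather than crash
        ip, method, path = m.groups()
        if is_nimda_request(method, path):
            counts[ip] = counts.get(ip, 0) + 1
    return counts


def in_my_netblocks(ip_counts, netblocks):
    """Keep only the sources inside the given CIDR blocks, i.e. the hosts
    an administrator can actually clean up instead of merely blackhole."""
    nets = [ipaddress.ip_network(n) for n in netblocks]
    kept = {}
    for ip, n in ip_counts.items():
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address field in the log
        if any(addr in net for net in nets):
            kept[ip] = n
    return kept


# Constructed sample log (not real traffic): two probing hosts, one
# legitimate request and one line that is not in log format at all.
SAMPLE_LOG = [
    '10.20.30.40 - - [18/Sep/2001:10:01:02 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -',
    '10.20.30.40 - - [18/Sep/2001:10:01:02 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -',
    '10.20.30.40 - - [18/Sep/2001:10:01:03 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '192.168.7.9 - - [18/Sep/2001:10:01:05 -0400] "GET /index.html HTTP/1.1" 200 1532',
    '172.16.5.6 - - [18/Sep/2001:10:01:07 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    'garbage line that is not in log format',
]

MY_NETBLOCKS = ["10.20.0.0/16"]  # assumed: the range this admin runs

if __name__ == "__main__":
    everyone = infected_sources(SAMPLE_LOG)
    mine = in_my_netblocks(everyone, MY_NETBLOCKS)
    print("all probing hosts:", everyone)
    print("in my netblocks:  ", mine)
```

Run against the sample, it reports two probing hosts but only 10.20.30.40 as something this administrator owns; 172.16.5.6 is somebody else's problem, which is the point Dug makes about scanning your own range rather than consuming a shared list. Feeding the full `everyone` dict to a blackhole script instead is the Perl-script approach the reply argues is of no use against a distributed flood.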

