Security Incidents mailing list archives

Re: Publishing Nimda Logs


From: "Thomas Frerichs" <tfrerich () shiboleth net>
Date: Wed, 8 May 2002 11:40:24 -0600

I vote for Number 3...and then follow with a diatribe.

"Deus, Attonbitus" wrote:

  1) Recommended. Go for it and publish the IP's and let the "Gods of IP"
  sort out the damage.
  2) A Bad Thing. These are innocent victims, and you will just have them
  be attacked by evil people.
  3) Boring. Who cares? It's Nimda, and an everyday part of life. Deal
  with it and ignore the logs.

First, consider the impact of Nimda (and CodeRed) on your server. If you are
running Apache or patched IIS, then the only practical effect is filling
your log file with stupid requests and the skewing of log analysis results.
It is trivial to /dev/null Nimda junk with Apache, so the cost is modifying
your httpd.conf file. I suppose you could suffer some sort of performance
hit, but I seriously doubt the magnitude of that problem.  If you are
running an unpatched IIS server, then you could get infected. In that case
you are also an idiot, but that's your problem.

Next, consider the benefits of publishing infected IPs. It'll make you feel
good, somewhat like shouting defiance at a blizzard or holding the tide back
by command. Other than that there are no benefits for several reasons. Those
infected are very unlikely to look at such a list. If they had enough savvy
to check for their machine--and many wouldn't even know their IP--they would
have had enough sense to patch their machine in the first place. There's
been some discussion about blackholing these addresses. Considering that
many of these infected machines use DSL or cable modems and are assigned IPs
by DHCP, it would be possible to block a legitimate user unlucky enough to
lease an address earlier assigned to an infected machine. Besides, what kind
of performance hit would you suffer blackholing infected IPs? Even if you
did blackhole these addresses what would you gain?

There's been a lot of discussion about the responsibility of ISPs. Yes, it
would be nice if abuse () myisp net would respond with something other than
silence or an auto-generated message. However, consider what an ISP gains by
taking action on such a complaint. They would need a far larger staff to
address the issue, which costs money; and they can't make a dime off of
correcting something that truly has a minimal impact on their network. In
other words, it costs them money without gaining them anything.

Some cable modem ISPs blocked incoming port 80 traffic when Nimda first hit.
Their TOS prohibited their customers from running a server, so they were
justified in this action; but they quickly stopped the practice because some
of their customers screamed bloody murder. This really is just an example of
a larger mindset. ISPs don't want to be in the business of monitoring the
content that flows through their network. Either their customers will
complain if they are too protective; or they may become liable if they fail
to catch the next version of Nimda.

There's been a lot of Microsoft bashing, but I think that the criticisms are
misplaced. Patches to correct the problem were out long before the attacks,
and MS is not alone in putting out vulnerable software. If it were only
Microsoft's problem, then why am I getting constant sshd probes? Most MS
servers don't have Secure Shell installed. And let's not forget wu-ftp.
(grin)

Microsoft's main failure is not in putting out buggy software; instead it's
in creating an expectation of "set it up and forget it" on the part of their
users. For most Windows users, trying to find out about security problems
requires substantial work, and they weren't told that they should worry
about it in the first place. BTW, some Linux distributions are getting close
to creating the same kind of environment among their naive users.

I think the most important lesson that could be learned from Nimda is that
many software producers, ISPs, and those in the security community are
clueless when it comes to working with common users. Companies like
Microsoft fail to educate their consumers on how to learn about security
risks and why they should bother to check. I can understand why. No one
wants to trumpet their failures, and security vulnerabilities are perceived
as major failures.

ISPs rarely inform their customers about security vulnerabilities, and
although I understand their desire to keep their customers anonymous, it
should be possible to automatically notify their customers when a complaint
has been made.

Then we come to the security community, and boy! are we really clueless.
"Buffer overflow vulnerability" means something to the people on this list,
but it doesn't mean a thing to the average user. Until vulnerability
notifications are written in language that the naive user can understand,
then we shouldn't expect them to act on them. Until we can write so that Joe
Windows User with his cable modem can appreciate his personal risk, we will
be spitting into the wind.

Consider how the dangers of Nimda were first published. There were a batch
of stories about how Nimda could bring the Internet to its knees. Very few
of those stories added something like, "Oh, yes. And if you get infected
almost any half-trained idiot can add, delete, or read any file on your
computer." Joe User isn't nearly as concerned about excess traffic--so long
as he can surf to his favorite sites--as he is about somebody scanning his
personal documents, yet news stories about Nimda were dominated by the
effects of the worm on the entire Internet. Let's be honest. As marketers
most security people make good doorstops.

Tom Frerichs
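The post says it is trivial to /dev/null Nimda junk in Apache by editing httpd.conf but does not show how. The fragment below is an added example, not from the original message or its author: it tags requests carrying the request paths Nimda and Code Red probed for with mod_setenvif and then uses conditional logging so those hits stay out of the main access log and its analysis. The environment variable name "wormnoise", the log file names and the optional deny block are this example's own choices; the deny block uses Apache 2.4 `Require` syntax, so substitute `Order deny,allow` / `Deny from all` on older servers.

```apache
# Added example: keep worm noise out of the access log.
# The URI patterns are the ones Nimda and Code Red requested;
# "wormnoise" is an arbitrary environment variable name.
SetEnvIfNoCase Request_URI "/default\.ida" wormnoise
SetEnvIfNoCase Request_URI "/root\.exe" wormnoise
SetEnvIfNoCase Request_URI "/cmd\.exe" wormnoise
SetEnvIfNoCase Request_URI "/winnt/system32/" wormnoise

# Main access log: everything except tagged requests.
CustomLog logs/access_log combined env=!wormnoise

# Optional: write the tagged hits to their own file instead of
# discarding them, so infection volume can still be counted.
CustomLog logs/worm_log combined env=wormnoise

# Optional: answer the probes with 403 before any handler runs
# (Apache 2.4 syntax; older releases use Order/Deny directives).
<LocationMatch "(?i)/(default\.ida|root\.exe|cmd\.exe)">
    Require all denied
</LocationMatch>
```

Apache does not allow comments on the same line as a directive, which is why every comment above sits on its own line. Matching on Request_URI happens before any rewriting, so the patterns should be written against the raw path the worm sends.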


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
