OK.. Seems to me that under the circumstances, since they're willing to disconnect that host from the internet (any rational ISP would be), replacing it with a /32 route to a honeypot created by the ISP would not be that difficult. Sure, it's unlikely that 100% of the ISPs could do it in the time required, but even if you just got the top 3 or so on the worm's hit list, it would have a significant impact. If you got 10, then the surprise would be no more than 50% effective. Sure, it won't happen in 30 minutes, but I don't understand why this wasn't started when F-Secure first noticed the situation.

Owen

--On Friday, August 22, 2003 1:39 PM -0500 "Beprojects.com" <info@beprojects.com> wrote:
So who's going to do that? There are 20 machines on 20 different networks covering the US, Canada and parts of Asia (from what I've read). Each network would have to contact the individual user and ask permission to put a honeypot on their IP and that's not going to happen in the next 30 minutes.
----- Original Message -----
From: "Owen DeLong" <owen@delong.com>
To: <jdawson@flexpop.net>; <nanog@merit.edu>; <Jaana.Sirkia@f-secure.com>
Sent: Friday, August 22, 2003 1:27 PM
Subject: Re: Sobig.f surprise attack today
OK... Maybe I'm smoking crack here, but if they have the list of 20 machines, wouldn't it make more sense to replace them with honeypots that download code to remove SOBIG instead of just disabling them?
Let's use the virus against itself. At this point, I think that's a legitimate countermeasure.
Owen
--On Friday, August 22, 2003 11:01 AM -0700 Jim Dawson <jdawson@navi.net> wrote:
F-Secure Corporation is warning about a new level of attack to be unleashed by the Sobig.F worm today. Supposed to take place at 1900 UTC.
http://www.f-secure.com/news/items/news_2003082200.shtml
Jim

--
See what ISP-Planet is saying about us! http://isp-planet.com/services/wholesalers/flexpop.html
Jim Dawson jdawson@flexpop.net
Flexpop/Navi.Net http://www.flexpop.net
618 NW Glisan St. Ste. 101 v. +1.503.517.8866
Portland, Or 97209 USA f. +1.503.517.8868
On Fri, 22 Aug 2003, Owen DeLong wrote:
Sure, it won't happen in 30 minutes, but I don't understand why this wasn't started when F-Secure first noticed the situation.

I seriously doubt that most (any?) ISP would be willing to accept the legal liability for altering anything on the computer of a third party that just happened to connect to an IP in a netblock they are responsible for. White worms are an elegant engineering concept, but have little practical value (and huge risk) outside of networks that you control directly.

Doug

-- "You're walkin' the wire, pain and desire. Looking for love in between."
- The Eagles, "Victim of Love"
Again, I am not proposing a worm. Simply a cleaner that would neuter the worm that connected. What I am proposing would _ONLY_ provide software that, if the connecting client chose to execute it, would neuter the worm on the connecting client that executed it. Nothing that would worm to other computers from there. That's high risk. Alternatively, perhaps we could, instead, publish an INFECTED SYSTEMS blacklist based on such connections to a honeypot. Any system which made the correct request could then have its address published via BGP or DNS for ISPs and the like to do as they wish. Again, I don't propose or advocate actively tampering with other people's systems. However, if someone comes to my website and asks for executable code, then executes it, I do not feel that it is my responsibility to provide them code which will not alter the contents of their system. I also don't feel it is my responsibility to determine if their request came from a human authorized to use the computer or a worm.

Owen

--On Friday, August 22, 2003 4:54 PM -0700 Doug Barton <DougB@dougbarton.net> wrote:
On Fri, 22 Aug 2003, Owen DeLong wrote:
Sure, it won't happen in 30 minutes, but I don't understand why this wasn't started when F-Secure first noticed the situation.
I seriously doubt that most (any?) ISP would be willing to accept the legal liability for altering anything on the computer of a third party that just happened to connect to an IP in a netblock they are responsible for. White worms are an elegant engineering concept, but have little practical value (and huge risk) outside of networks that you control directly.
Doug
-- "You're walkin' the wire, pain and desire. Looking for love in between."
- The Eagles, "Victim of Love"
On Thu, 28 Aug 2003, Owen DeLong wrote:
Alternatively, perhaps we could, instead, publish an INFECTED SYSTEMS blacklist based on such connections to a honeypot. Any system which made the correct request could then have its address published via BGP or DNS for ISPs and the like to do as they wish.
an infected host dnsrbl doesn't sound like a bad idea...

-Dan

-- [-] Omae no subete no kichi wa ore no mono da. [-]
At 12:54 PM 28/08/2003 -0700, Dan Hollis wrote:
Alternatively, perhaps we could, instead, publish an INFECTED SYSTEMS blacklist based on such connections to a honeypot. Any system which made the correct request could then have its address published via BGP or DNS for ISPs and the like to do as they wish.

an infected host dnsrbl doesn't sound like a bad idea...

I don't think this would work too well. The users who are infected often think something is wrong because their connection and computer are not working quite right. So they disconnect / reconnect / reboot, so they burn through quite a few dynamic IP addresses along the way.

---Mike
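To make the two points above concrete (Dan's infected-host DNSBL and Mike's objection that infected dial-up users churn through dynamic addresses), here is an added example that is not code from the thread or from any of its participants. It takes constructed honeypot log lines, keeps only the hosts that issued the request the worm makes (the path `/update.bin` and the zone name `infected.example` are assumed placeholders), builds the reversed-octet names a DNSBL lookup uses, and ages entries out after a short window so that a dynamic address handed to the next, clean customer does not stay listed:

```python
"""Turn honeypot hits into short-lived DNSBL records (added example, not from the thread)."""
from datetime import datetime, timedelta
import ipaddress

# Constructed sample honeypot access log: timestamp, source IP, request.
SAMPLE_LOG = """\
2003-08-22T19:00:03Z 192.0.2.17 GET /update.bin
2003-08-22T19:00:05Z 198.51.100.9 GET /index.html
2003-08-22T19:01:44Z 192.0.2.17 GET /update.bin
2003-08-22T19:05:10Z 203.0.113.200 GET /update.bin
"""

# Assumed: the request a worm makes when it reaches the honeypot.  Only an
# exact match counts, so a person browsing to the site is not listed.
WORM_REQUEST = "GET /update.bin"


def parse_hits(log_text, worm_request=WORM_REQUEST):
    """Return {ip: last_seen} for sources whose request matches the worm's."""
    seen = {}
    for line in log_text.splitlines():
        ts, ip, *rest = line.split()
        if " ".join(rest) != worm_request:
            continue
        ipaddress.IPv4Address(ip)  # raises on a malformed address
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        if ip not in seen or when > seen[ip]:
            seen[ip] = when
    return seen


def dnsbl_name(ip, zone):
    """DNSBL convention: octets reversed under the zone, 192.0.2.17 -> 17.2.0.192.zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def build_zone(hits, zone, now, max_age, ttl):
    """Emit A/TXT records for hits newer than max_age; older hits are dropped.

    max_age is the answer to the dynamic-IP churn problem: a listing only
    lives as long as the address is likely to still belong to the infected
    host, and the small TTL keeps resolvers from caching it much longer.
    """
    records = []
    for ip, last in sorted(hits.items()):
        if now - last > max_age:
            continue
        name = dnsbl_name(ip, zone)
        records.append(f"{name} {ttl} IN A 127.0.0.2")
        records.append(f'{name} {ttl} IN TXT "worm request seen {last.isoformat()}Z"')
    return records


def is_listed(ip, zone, records):
    """Offline stand-in for a DNS A lookup of the reversed name against the records."""
    name = dnsbl_name(ip, zone)
    return any(r.startswith(f"{name} ") and " IN A " in r for r in records)


if __name__ == "__main__":
    hits = parse_hits(SAMPLE_LOG)
    now = datetime(2003, 8, 22, 19, 10, 0)
    for rec in build_zone(hits, "infected.example", now, timedelta(minutes=5), 300):
        print(rec)
```

Run as a script it prints only the 203.0.113.200 records: 192.0.2.17 was last seen more than five minutes before `now` and has aged out, and 198.51.100.9 never made the worm's request. Widening `max_age` to an hour lists both worm sources; the trade-off an operator tunes is exactly the one Mike raises, how long a dynamic address can be trusted to still point at the infected machine.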
Mike Tancsa wrote:
I don't think this would work too well. The users who are infected often think something is wrong because their connection and computer are not working quite right. So they disconnect / reconnect / reboot, so they burn through quite a few dynamic IP addresses along the way.

This is an artifact of ISPs wanting to have static IPs as an add-on premium service, so they provide short lease times and change IP as often as it's feasible without interrupting service unnecessarily.

Pete
At 11:14 PM 28/08/2003 +0300, Petri Helenius wrote:
Mike Tancsa wrote:
I don't think this would work too well. The users who are infected often think something is wrong because their connection and computer are not working quite right. So they disconnect / reconnect / reboot, so they burn through quite a few dynamic IP addresses along the way.

This is an artifact of ISPs wanting to have static IPs as an add-on premium service, so they provide short lease times and change IP as often as it's feasible without interrupting service unnecessarily.

Huh? This is an artifact of the way PM3s and MAX 6096s work with respect to how IP addresses are assigned out of pools.... i.e. this is the default behaviour. The same goes for our DSL pool.

---Mike
On Thursday 28 August 2003 04:24 pm, Mike Tancsa wrote:
At 11:14 PM 28/08/2003 +0300, Petri Helenius wrote:
Mike Tancsa wrote:
I don't think this would work too well. The users who are infected often think something is wrong because their connection and computer are not working quite right. So they disconnect / reconnect / reboot, so they burn through quite a few dynamic IP addresses along the way.

This is an artifact of ISPs wanting to have static IPs as an add-on premium service, so they provide short lease times and change IP as often as it's feasible without interrupting service unnecessarily.

Huh? This is an artifact of the way PM3s and MAX 6096s work with respect to how IP addresses are assigned out of pools.... i.e. this is the default behaviour. The same goes for our DSL pool.

---Mike

It isn't about wanting to charge more for a static IP per se, it is more about efficient use of address space. If I have 10K dialup customers, and I go to ARIN and ask for a /18 so each one of my dialup customers can have a static IP, what do you think the response is going to be?

--
Patrick Muldoon
Network/Software Engineer
INOC (http://www.inoc.net)
PGPKEY (http://www.inoc.net/~doon)
Key fingerprint = 8F70 6306 F0A7 B8DA BA95 76C4 606A 7DC1 370D 752C
One picture is worth 128K words.
Thus spake Petri Helenius (pete@he.iki.fi) [28/08/03 16:23]:
I don't think this would work too well. The users who are infected often think something is wrong because their connection and computer are not working quite right. So they disconnect / reconnect / reboot, so they burn through quite a few dynamic IP addresses along the way.

This is an artifact of ISPs wanting to have static IPs as an add-on premium service, so they provide short lease times and change IP as often as it's feasible without interrupting service unnecessarily.
Or potentially an artifact of wanting more IP space from ARIN, as opposed to assigning a static IP to every user we have, even the ones that are only connected for about an hour a month. But hey, that's just a minor detail.
Damian Gerow wrote:
Or potentially an artifact of wanting more IP space from ARIN, as opposed to assigning a static IP to every user we have, even the ones that are only connected for about an hour a month. But hey, that's just a minor detail.

Sorry for momentarily phasing to our local la-la-land where the address space used by always-on connections passed the dialup ones a few years ago. Dialup users also cannot generate any significant DDoS traffic even if combined by a factor of 10000.

Pete
At 11:47 PM 28/08/2003 +0300, Petri Helenius wrote:
connections passed the dialup ones a few years ago. Dialup users also cannot generate any significant DDoS traffic even if combined by a factor of 10000.

a) http://www.acm.org/sigcomm/sigcomm2003/papers.html#p75-kuzmanovic
b) Trinity v3/Stacheldraht can do wonders against the CPU of many cisco routers
c) 'dialup' and the way IPs are handed out are often the same for DSL users who connect on demand.
d) See the recent thread on rebooting TNTs and 5300s....

---Mike