[Dshield] Re: Fighting CR2
scott at advancedtool.com
Fri Aug 10 15:03:30 GMT 2001
On behalf of those of us home users with a clue.. It's this sort of knee
jerk reaction that's causing us to get hurt. Rather than send a horde of
armadillo.. er programmers to write up the scripting to block this kind of
traffic, they're just filtering all inbound port 80.
Now, while I believe I'm in the minority.. not just home user with a clue,
but user with a clue period... I also believe that education is the manner
in which to handle this.. not heavy handed "We're not going to let this
Beyond that, sending a couple thousand "Your client attacked my system"
emails will most certainly gain their attention and they will definitely
take care of it.. look at AT&T. They just blocked port 80 inbound. Now
you're all thinking "cool!" except I might note that it didn't stop the
infected servers from being infected.. or spreading it.. just stopped the
ones that missed out (all none of them) from being infected, and stopped
those infected from being exploited. Didn't help the bandwidth a lot..
just p*ssed off a whole lot of generally competent people. Those folks
that aren't patched probably don't realize they've got IIS running.. and
well.. let's face it.. won't notice that inbound 80 is being blocked
either.. they're going to happily go on about browsing their porn and
downloading from morpheus/napster et al.
I believe Johannes' suggestion is by and large the most positive. Save a
list.. send it to them that way.. let them deal with the individuals rather
than killing off the entire port base because they're sick of getting the
individual emails. We're doing our part here by sharing the information
and protecting ourselves.. Some are doing more by trying to educate those
users they can. Others.. I'm sorry to admit are turning red in the face
and spending far too much time trying to kick the other guy in the
groin. I personally wish I had that kinda free time.
>organisations whose sole purpose is monitoring traffic. They have the
>capacity to 'see' the contents of _every_ packet pushed over the internet -
>so why can't they talk to the major ISPs or do it themselves - and to write
>filters that watch for the specific http call, in this case default.ida, and
>simply filter it out?
>Well, at least the ISPs could do it anyway.
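The thread contrasts two responses to Code Red traffic: dropping all inbound port 80, or matching the specific request (default.ida) and building a per-source list to hand to the owning ISP, as Johannes is said to have suggested. The script below is an added example, not code from this post or from DShield. It parses a few constructed web-server log lines in Common Log Format (the addresses and timestamps are made up for illustration), flags requests whose path is /default.ida, and aggregates them per source address with first and last seen times, which is the shape of list an abuse report would carry. The log format, the regex and the function names are my assumptions; nothing here depends on the actual probe payload beyond the path name the post mentions.

```python
import re
from collections import OrderedDict

# Constructed sample log lines (Common Log Format). Not real traffic; the
# addresses are documentation ranges and the query string is a placeholder.
SAMPLE_LOG = """\
192.0.2.10 - - [04/Aug/2001:10:15:32 +0000] "GET /default.ida?XXXXXXXXXXXX HTTP/1.0" 404 282
198.51.100.7 - - [04/Aug/2001:10:15:40 +0000] "GET /index.html HTTP/1.1" 200 1043
192.0.2.10 - - [04/Aug/2001:10:16:01 +0000] "GET /default.ida?XXXXXXXXXXXX HTTP/1.0" 404 282
203.0.113.5 - - [04/Aug/2001:10:17:12 +0000] "GET /Default.IDA?NNNNNNNNNNNN HTTP/1.0" 404 282
198.51.100.7 - - [04/Aug/2001:10:18:03 +0000] "GET /images/logo.gif HTTP/1.1" 200 5120
not a log line at all
"""

# Assumed Common Log Format: ip ident user [timestamp] "method path proto" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# The only signal used: the request path the post refers to.
TARGET_PATH = "/default.ida"


def parse_clf(line):
    """Return a dict of fields for one CLF line, or None if it does not parse."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None


def is_default_ida_request(record):
    """True if the request path (ignoring any query string) is /default.ida.

    Compared case-insensitively because IIS paths are not case-sensitive,
    so /Default.IDA is the same resource as /default.ida.
    """
    path = record["path"].split("?", 1)[0]
    return path.lower() == TARGET_PATH


def summarize_default_ida(log_text):
    """Aggregate matching requests per source address.

    Returns an ordered dict: ip -> {"count", "first", "last"} where first/last
    are the log timestamps of the earliest and latest matching request.
    Unparseable lines are skipped rather than aborting the run.
    """
    summary = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None or not is_default_ida_request(rec):
            continue
        entry = summary.setdefault(rec["ip"], {"count": 0, "first": rec["ts"], "last": rec["ts"]})
        entry["count"] += 1
        entry["last"] = rec["ts"]
    return summary


def build_abuse_report(summary):
    """Render one line per source, busiest first, in the form an ISP could act on."""
    ordered = sorted(summary.items(), key=lambda kv: (-kv[1]["count"], kv[0]))
    return [
        f"{ip}\t{info['count']} request(s) for {TARGET_PATH}\tfirst={info['first']}\tlast={info['last']}"
        for ip, info in ordered
    ]


if __name__ == "__main__":
    for line in build_abuse_report(summarize_default_ida(SAMPLE_LOG)):
        print(line)
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the per-source output is what you would sort by netblock and send to each owning ISP, rather than blocking port 80 for everyone. Matching on the path alone is deliberately narrow: it catches the probe the post names without touching ordinary web traffic from the same addresses.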