[Dshield] Re: Fighting CR2

Scott Johnson scott at advancedtool.com
Fri Aug 10 15:03:30 GMT 2001


On behalf of those of us home users with a clue.. It's this sort of knee 
jerk reaction that's causing us to get hurt.  Rather than send a horde of 
armadillo.. er  programmers to write up the scripting to block this kind of 
traffic, they're just filtering all inbound port 80.

Now, while I believe I'm in the minority.. not just home user with a clue, 
but user with a clue period...  I also believe that education is the manner 
in which to handle this.. not heavy-handed "We're not going to let this 
through" methods.

Beyond that,  sending a couple thousand "Your client attacked my system" 
emails will most certainly gain their attention and they will definitely 
take care of it.. look at AT&T.  They just blocked port 80 inbound.  Now 
you're all thinking "cool!"  except I might note that it didn't stop the 
infected servers from being infected.. or spreading it.. just stopped the 
ones that missed out (all none of them) from being infected, and stopped 
those infected from being exploited.  Didn't help the bandwidth a lot.. 
just p*ssed off a whole lot of generally competent people.   Those folks 
that aren't patched probably don't realize they've got IIS running.. and 
well.. let's face it.. won't notice that inbound 80 is being blocked 
either.. they're going to happily go on about browsing their porn and 
downloading from morpheus/napster et al.

I believe Johannes' suggestion is by and large the most positive.  Save a 
list.. send it to them that way.. let them deal with the individuals rather 
than killing off the entire port base because they're sick of getting the 
individual emails.  We're doing our part here by sharing the information 
and protecting ourselves.. Some are doing more by trying to educate those 
users they can.  Others.. I'm sorry to admit are turning red in the face 
and spending far too much time trying to kick the other guy in the 
groin.  I personally wish I had that kinda free time.

Scott


>*snip*
>organisations whose sole purpose is monitoring traffic. They have the
>capacity to 'see' the contents of _every_ packet pushed over the internet -
>so why can't they talk to the major ISPs or do it themselves - and to write
>filters that watch for the specific http call, in this case default.ida, and
>simply filter it out?
>Well, at least the ISPs could do it anyway.
  *more snipping*
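The two approaches argued over above (filtering the specific default.ida request versus blocking all inbound port 80, and collecting a per-source list to send to the responsible party rather than one mail per hit) can be shown side by side on a web server's access log. The following is an added example and not code from the original post or from the DShield project; the log lines are constructed, the helper names (parse_clf, is_default_ida_probe, summarize_probes, compare_policies) are this example's own, and the query strings are placeholders rather than a real payload.

```python
"""Targeted filtering of Code Red style probes vs. blanket port-80 blocking.

Added example; the log lines below are constructed and the helper names are
this example's own. A probe is recognised purely by its request path
(/default.ida), which is what the quoted suggestion proposes to filter on.
"""
import re
from collections import Counter

# Constructed Common Log Format lines. 10.0.0.5 and 198.51.100.7 play infected
# hosts sending /default.ida probes; 192.0.2.44 is an ordinary visitor whose
# second request is a deliberate near-miss (default.ida inside a file name,
# not the ISAPI path). Query strings are shortened placeholders, not a payload.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Aug/2001:14:02:11 +0000] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 312
192.0.2.44 - - [10/Aug/2001:14:02:15 +0000] "GET /index.html HTTP/1.1" 200 1043
10.0.0.5 - - [10/Aug/2001:14:05:40 +0000] "GET /DEFAULT.IDA?XXXXXXXXXXXXXXXX HTTP/1.0" 404 312
198.51.100.7 - - [10/Aug/2001:14:06:02 +0000] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 312
192.0.2.44 - - [10/Aug/2001:14:07:30 +0000] "GET /docs/default.ida.txt HTTP/1.1" 404 220
"""

CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) \S+$'
)


def parse_clf(line):
    """Return the fields of one CLF line, or None if the line does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def is_default_ida_probe(target):
    """True when the request path is exactly the .ida handler the worm hits.

    The path is compared case-insensitively and without its query string, so
    an ordinary file that merely contains 'default.ida' in its name is not
    flagged; a naive substring match would block that too.
    """
    path = target.split("?", 1)[0]
    return path.lower() == "/default.ida"


def summarize_probes(log_text):
    """Map each source address to the number of /default.ida probes it sent.

    This is the 'save a list' approach from the thread: one aggregated report
    per source instead of one mail per probe.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec and is_default_ida_probe(rec["target"]):
            hits[rec["src"]] += 1
    return hits


def compare_policies(log_text):
    """Count what a blanket inbound-80 block drops versus a targeted filter.

    The blanket block drops every request, probe or not; the targeted filter
    drops only the probes, so the difference is legitimate traffic lost.
    """
    records = [r for r in (parse_clf(l) for l in log_text.splitlines()) if r]
    probes = sum(1 for r in records if is_default_ida_probe(r["target"]))
    return {
        "total": len(records),
        "blanket_dropped": len(records),
        "targeted_dropped": probes,
        "legit_lost_to_blanket": len(records) - probes,
    }


def format_report(hits):
    """Render the per-source summary as lines an abuse desk could act on."""
    return [f"{src}: {n} /default.ida request(s)" for src, n in hits.most_common()]


if __name__ == "__main__":
    print("\n".join(format_report(summarize_probes(SAMPLE_LOG))))
    print(compare_policies(SAMPLE_LOG))
```

Matching on the exact path rather than the substring is the caveat worth keeping: the same filter applied to packet payloads at an ISP would need to reassemble the request line first, and anything that keys on "default.ida" appearing anywhere in a packet will also drop unrelated traffic.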