[Dshield] Here's a good idea

Johannes B. Ullrich jullrich at sans.org
Tue Apr 20 07:43:34 GMT 2004

> > cmdblock: A tool that scans Apache logs and adds IIS exploiters to an
> > iptable ruleset.
> You definitely want to be careful using "auto-blockers" like this. 

In particular if you are blocking Code Red exploited systems. Not much
point in doing so. First of all, if you are actually vulnerable, it's
too late. Secondly, the chances of blocking some innocent proxy server
and with it a larger network are high (not all proxy servers add
respective headers).

Blocking only makes sense if you expect further and worse attacks from
this system. Cleaning your Apache logs from Code Red / Nimda hits 
doesn't improve your security.

CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 837 2807                          jullrich at sans.org 

contact details: http://johannes.homepc.org/contact.htm
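
The proxy concern in the message above, as an added example that is not part of the original post: a report-only triage over constructed Apache log lines that separates sources sending nothing but Code Red / Nimda probes from sources that also send ordinary requests. The verdict labels and the "mixed traffic suggests a shared proxy or NAT" heuristic are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Well-known request patterns: Code Red probes /default.ida, Nimda probes
# for cmd.exe / root.exe under IIS script directories.
WORM_RE = re.compile(r"/default\.ida\?|/(?:cmd|root)\.exe", re.IGNORECASE)
# Apache common/combined log format: host ident user [time] "request" ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([^"]*)"')

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [20/Apr/2004:07:01:02 +0000] "GET /default.ida?NNNNNNNN%u9090 HTTP/1.0" 404 205
192.0.2.10 - - [20/Apr/2004:07:01:09 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
198.51.100.7 - - [20/Apr/2004:07:02:11 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [20/Apr/2004:07:02:15 +0000] "GET /default.ida?XXXXXXXX%u9090 HTTP/1.0" 404 205
198.51.100.7 - - [20/Apr/2004:07:03:40 +0000] "GET /docs/faq.html HTTP/1.1" 200 2048
203.0.113.5 - - [20/Apr/2004:07:04:00 +0000] "GET /about.html HTTP/1.1" 200 900
"""

def triage(log_text):
    """Return {ip: verdict} for every source with at least one worm hit."""
    worm, other = defaultdict(int), defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, request = m.groups()
        (worm if WORM_RE.search(request) else other)[ip] += 1
    verdicts = {}
    for ip in worm:
        if other[ip]:
            # Same address also sends ordinary requests: possibly a proxy or
            # NAT with one infected client behind it, so a block would cut
            # off every user behind that address (hypothetical label).
            verdicts[ip] = "shared-source"
        else:
            # Only worm probes seen from this address (hypothetical label).
            verdicts[ip] = "worm-only"
    return verdicts

if __name__ == "__main__":
    # Report only; nothing here touches the firewall.
    for ip, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(ip, verdict)
```

Neither verdict is a reason to block on its own: the output is meant for review, and a "worm-only" source that misses an Apache server has done no harm.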