[Dshield] Worms dodge Internet sensors

Johannes B. Ullrich jullrich at euclidian.com
Fri Aug 5 17:55:00 GMT 2005

Paul Marsh wrote:
> I wonder if they tried to contact Johannes?
> http://news.zdnet.co.uk/internet/0,39020369,39212171,00.htm

The researchers that wrote the paper did contact me, and we
did provide some data for them. The ZDNet reporter did not
contact me.

The one paragraph summary of the paper: If you send a packet to a hardly
ever hit port from a specific source to a suspected DShield sensor, you
may be able to check the DShield reports to find out if the packet got
recorded. If it did, you know you hit a sensor. So nothing particularly
new here. The paper does suggest some methods to speed this up.

Actually, I think I responded to a problem someone was having with our
site (403 errors); they may have hit some of our harvesting
triggers. So there is some protection against harvesting in place.

Other than that, what is the actual harm in someone avoiding networks
with our sensors? Essentially, they would exclude a good chunk of the
Internet from being attacked by the worm, which in turn would make for
much less successful worms.

We do receive reports from about 500-700k IP addresses each day.
Including the full list would be hard (or make for a very large worm).
In addition, many of these IPs are dynamic, so you have to exclude
networks rather than individual IPs.

To put it down bluntly: If every IP is a sensor, there is nobody left to
attack ;-)

I don't agree with the paper's suggestion to delay or hold back
information from the general public. There are already some random
delays due to different users' submission schedules. In general, the idea
of DShield is to share data openly, and this is the only way we are ever
going to "win". Probably the most dangerous thing you can do to your
network is to lock yourself in a closet and to come up with your secret
"network protection scheme". Malware has gotten as good as it is now
because malware authors are sharing. The only way to win is to out-share
