[Dshield] Worms dodge Internet sensors

Paul Marsh pmarsh at nmefdn.org
Fri Aug 5 18:03:14 GMT 2005


Well said Johannes. Once again and as always "you da man"

-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of Johannes B. Ullrich
Sent: Friday, August 05, 2005 1:55 PM
To: General DShield Discussion List
Subject: Re: [Dshield] Worms dodge Internet sensors

Paul Marsh wrote:
> I wonder if they tried to contact Johannes?
>
> http://news.zdnet.co.uk/internet/0,39020369,39212171,00.htm

The researchers that wrote the paper did contact me, and we did provide
some data for them. The ZDNet reporter did not contact me.

The one-paragraph summary of the paper: If you send a packet to a hardly
ever hit port from a specific source to a suspected DShield sensor, you
may be able to check the DShield reports to find out if the packet got
recorded. If it did, you know you hit a sensor. So nothing particularly
new here. The paper does suggest some methods to speed this up.


Actually, I think I responded to a problem someone was having with our
site (403 errors): they may have hit some of our harvesting triggers.
So there is some protection against harvesting in place.

Other than that, what is the actual harm in someone avoiding networks
with our sensors? Essentially, they would exclude a good chunk of the
Internet from being attacked by the worm, which in turn would make for
much less successful worms.

We do receive reports from about 500-700k IP addresses each day.
Including the full list would be hard (or make for a very large worm).
In addition, many of these IPs are dynamic, so you have to exclude
networks rather than individual IPs.

To put it down bluntly: If every IP is a sensor, there is nobody left to
attack ;-)

I don't agree with the paper's suggestion to delay or hold back
information from the general public. There are already some random
delays due to different users submission schedules. In general, the idea
of DShield is to share data openly, and this is the only way we are ever
going to "win". Probably the most dangerous thing you can do to your
network is to lock yourself in a closet and to come up with your secret
"network protection scheme". Malware has gotten as good as it is now
because malware authors are sharing. The only way to win is to out-share
them.


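The probe-and-check inference Johannes summarises above, plus the two consequences he draws from it (a query cap that trips a 403 on harvesting, and a worm having to skip whole networks rather than single IPs), as an added toy simulation. This is not DShield code and uses no real DShield data: the aggregator, the "rare" port range, the source pool and the target ranges are all constructed here, and nothing is sent on the wire.

```python
"""Toy simulation of the sensor-detection probe discussed in the thread.

Everything here is constructed for illustration: the aggregator is a stand-in
for a public port-report service, the "hardly ever hit" ports are an
arbitrary high range, and the addresses are documentation/benchmark ranges.
"""
import ipaddress
import random
from collections import defaultdict

# Assumed "hardly ever hit" ports and a source pool (TEST-NET-3), not real data.
RARE_PORTS = list(range(60000, 60100))
SOURCE_POOL = [str(ip) for ip in ipaddress.ip_network("203.0.113.0/24").hosts()]


class Aggregator:
    """Stand-in for a public report aggregator (assumption, not DShield's code).

    As with the public port reports discussed in the thread, it exposes which
    *source* addresses were seen on a port, never which sensor saw them.
    """

    def __init__(self, query_limit=None):
        self._reports = defaultdict(set)   # dst_port -> {src_ip, ...}
        self._queries = 0
        self._query_limit = query_limit    # models the harvesting trigger (403)

    def submit(self, src_ip, dst_port):
        self._reports[dst_port].add(src_ip)

    def port_report(self, dst_port):
        self._queries += 1
        if self._query_limit is not None and self._queries > self._query_limit:
            raise PermissionError("403: harvesting trigger hit")
        return frozenset(self._reports[dst_port])


def encode_probe(index):
    """Map a target index to a unique (src, port) pair the prober can recognise later."""
    return SOURCE_POOL[index % len(SOURCE_POOL)], RARE_PORTS[index // len(SOURCE_POOL)]


def decode_probe(src_ip, dst_port):
    """Inverse of encode_probe: recover the target index from a reported (src, port)."""
    return RARE_PORTS.index(dst_port) * len(SOURCE_POOL) + SOURCE_POOL.index(src_ip)


def probe_for_sensors(targets, sensors, agg):
    """One tagged packet per target; sensors report it; prober reads the reports back.

    Returns the set of target addresses inferred to be sensors.
    """
    ports_used = set()
    for i, dst in enumerate(targets):
        src, port = encode_probe(i)
        ports_used.add(port)
        if dst in sensors:              # only sensors report; other hosts drop it silently
            agg.submit(src, port)
    found = set()
    for port in sorted(ports_used):     # one public lookup per port used
        for src in agg.port_report(port):
            found.add(targets[decode_probe(src, port)])
    return found


def exclusion_networks(found, prefixlen=24):
    """Dynamic addresses force a worm to skip whole networks, not single IPs."""
    return {ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False) for ip in found}


def simulate(seed=1, n_sensors=30, query_limit=None):
    rng = random.Random(seed)
    targets = [str(ip) for ip in ipaddress.ip_network("198.18.0.0/20").hosts()]  # 16 x /24
    sensors = set(rng.sample(targets, n_sensors))
    agg = Aggregator(query_limit)
    found = probe_for_sensors(targets, sensors, agg)
    skipped = exclusion_networks(found)
    # Non-sensor hosts the worm also loses because they share a /24 with a sensor.
    collateral = sum(1 for t in targets if t not in sensors
                     and ipaddress.ip_network(f"{t}/24", strict=False) in skipped)
    return {"sensors": sensors, "found": found, "skipped_networks": skipped,
            "hosts_lost_to_worm": len(found) + collateral}


def harvesting_blocked(query_limit):
    """True if the aggregator's query cap stops a full sweep before it completes."""
    try:
        simulate(query_limit=query_limit)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    r = simulate()
    print(f"sensors found: {len(r['found'])}/{len(r['sensors'])}, "
          f"/24s a worm must skip: {len(r['skipped_networks'])}, "
          f"hosts lost to the worm: {r['hosts_lost_to_worm']}")
    print("sweep blocked with a cap of 2 lookups:", harvesting_blocked(2))
```

With an unlimited aggregator the prober recovers every sensor exactly, which is the paper's point; the second half of the output shows the two costs Johannes raises: the sweep needs one report lookup per port used, so a modest query cap trips the harvesting trigger before it finishes, and skipping every /24 that contains a sensor costs the worm far more hosts than the sensors themselves.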


