[Dshield] Worms dodge Internet sensors

Kevin kkadow at gmail.com
Fri Aug 5 20:58:35 GMT 2005


On 8/5/05, Johannes B. Ullrich <jullrich at euclidian.com> wrote:
> Other than that, what is the actual harm in someone avoiding networks
> with our sensors?

One argument might be that if the black hats know which networks report
sensor activity, they can either manually avoid using those networks when
executing the initial manual infection with a new worm (to avoid pinpointing
of "patient zero" in a new outbreak) or can use that information as a snapshot
or in realtime to program "slow" scanning worms to avoid detection during the
initial phases of infection.

Jonathan Wignall has been talking about slow worms for a few years now,
and I got into an argument with 'IcE tRe' about these at DC12,
http://tinyurl.com/dhldz aka
http://www.defcon.org/images/defcon-12/dc-12-presentations/Ice_tRe/dc-12-icetRe.ppt


> Essentially, they would exclude a good chunk of the
> Internet from being attacked by the worm, which in turn would make for
> much less successful worms.
>
> We do receive reports from about 500-700k IP addresses each day.

Perhaps I can use this argument with management to justify configuring
a sensor on the primary ingress points.  That'd add 200k IP addresses :)

> Including the full list would be hard (or make for a very large worm).
> In addition, many of these IPs are dynamic, so you have to exclude
> networks rather than individual IPs.

By using the same summarization techniques as routing protocols,
the list of networks containing sensors could probably be boiled down
to a relatively small hash table, particularly if you ignore the problem
of hash collisions (Yes, the worm might end up avoiding some parts
of the Internet which don't contain any sensors, but map to the same
hash value as parts which do).


> To put it down bluntly: If every IP is a sensor, there is nobody left to
> attack ;-)
> 
> I don't agree with the paper's suggestion to delay or hold back
> information from the general public.

It could be worthwhile to exclude data for a port when that traffic is only
seen at just one sensor, as that would tend to indicate a targeted attack
against a specific individual or enterprise?


> There are already some random
> delays due to different users submission schedules. In general, the idea
> of DShield is to share data openly, and this is the only way we are ever
> going to "win". Probably the most dangerous thing you can do to your
> network is to lock yourself in a closet and to come up with your secret
> "network protection scheme". Malware has gotten as good as it is now
> because malware authors are sharing. The only way to win is to out-share
> them.

To quote Paul Marsh "Well said Johannes."

Now how do I arrange for you to get on a conference call and
explain this to our corporate management?


Kevin Kadow
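
The "hold back ports seen at only one sensor" idea above, as an added example that is not part of the original post or of DShield's own code; the reports, sensor names and the two-sensor threshold are constructed assumptions:

```python
from collections import defaultdict

# Constructed sample reports (sensor_id, source_ip, destination_port).
# Made up for this example; not real DShield submissions.
SAMPLE_REPORTS = [
    ("sensor-a", "203.0.113.5", 445),
    ("sensor-b", "203.0.113.9", 445),
    ("sensor-c", "198.51.100.7", 445),
    ("sensor-a", "198.51.100.20", 1433),
    ("sensor-d", "203.0.113.77", 1433),
    ("sensor-b", "198.51.100.33", 31337),
    ("sensor-b", "198.51.100.34", 31337),
]


def summarize_ports(reports):
    """Group reports by destination port, tracking which sensors and
    which sources saw each port."""
    summary = defaultdict(lambda: {"sensors": set(), "sources": set()})
    for sensor_id, src_ip, dst_port in reports:
        summary[dst_port]["sensors"].add(sensor_id)
        summary[dst_port]["sources"].add(src_ip)
    return dict(summary)


def split_for_publication(reports, min_sensors=2):
    """Partition ports into those seen at at least min_sensors distinct
    sensors (publish) and those seen at fewer (hold back): a port hit
    at a single sensor is more likely a targeted probe of that one
    site than a worm sweeping the Internet, so its data is withheld
    from the public aggregate."""
    publish, hold = {}, {}
    for port, seen in summarize_ports(reports).items():
        bucket = publish if len(seen["sensors"]) >= min_sensors else hold
        bucket[port] = {
            "sensor_count": len(seen["sensors"]),
            "source_count": len(seen["sources"]),
        }
    return publish, hold


if __name__ == "__main__":
    publish, hold = split_for_publication(SAMPLE_REPORTS)
    print("publish:", publish)
    print("hold   :", hold)
```

Note that source_count is kept alongside sensor_count: port 31337 here has two sources but one sensor, which is exactly the single-site pattern the filter is meant to catch.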