[Dshield] Thanks to Dshield and ISC

Johannes B. Ullrich jullrich at sans.org
Thu Jan 5 15:47:28 GMT 2006

Thanks for all the support !

  Just to answer a few of the questions that came up over the last
couple days.

  First of all, the only reason why we can respond quickly is that we
have the greatest group of volunteers money can't buy. The handlers (we
have about 30 right now) have spent most of the holiday weekend working
this issue. It's a great, diverse group, and it's amazing how it can stick
together. Recently, I tried to streamline our e-mail stuff a bit, and I
got about a dozen different opinions from them on how to do it, many of
which excluded each other, so I left it "as is". On the other hand, if
something like the WMF issue comes up, everybody pulls in the same
direction and provides their unique expertise to help out.

  Another important reason for us to work efficiently is that we operate
directly and to some extent are our own audience. There is no PR
department or editor. And there isn't even a spell checker as some of
you pointed out on occasion. Our handlers "work the issues" in their day
jobs and what you read is part of what they found to work for them.

  The thing that amazes me is how people turn our open and frank reports
into trust. I think people just are sick and tired of marketing speak.
So far, we got about 250,000 downloads of the temporary patch.

  I don't like to publish an "unofficial patch". But the situation
didn't give us another choice. I do believe in patching systems before
most of them are exploited. We do see reports about botnets of up to 1
Million hosts getting assembled with this patch. Not sure if anybody
here got the "piano" e-mail yesterday. It was an easy scenario as far as
this vulnerability is concerned: You had to click on a link to get to an
image, which of course was the corrupt WMF image. From what we heard,
this e-mail was sent to 5 Million people, 50,000 of which (1%) ended up
in the botnet channel. The 5 Million doesn't account for invalid e-mail
addresses. And the particular version of the exploit was detected by AV

  On the more boring technical/backend side of things: We are of course
struggling somewhat keeping the site up. Our visitor numbers exceed 10
times the norm. We did set up a second web server, and load balanced.
Looks like this keeps things moving. The patch is served from a third
system in a different location (as it doesn't require database access).
I am working on getting more systems up. Overall, I think we will move
to a system where we have a couple of reverse proxies pointing to the
same main site. This should keep things easy to manage and dynamic as I
can add/remove IPs for load balancing. The load on our main web server
exceeded 200 at times. This server is doing a couple of other things,
like handling this mailing list, which suffered as a result.

  You can always check http://www.dshield.org/status.php to see how the
main web server is doing (this may answer some delayed confirmation
emails). I will try to catch up on replying to email sometime this week ;-)

Johannes Ullrich                        jullrich at sans.org
Chief Research Officer                     (617) 639 5000
PGP Key: https://secure.dshield.org/PGPKEYS

"We use [isc.sans.org] every day to keep on top of
 security at our bank" Matt, Network Administrator.
