[61105] in North American Network Operators' Group
Re: Sobig.f surprise attack today
daemon@ATHENA.MIT.EDU (Owen DeLong)
Fri Aug 22 15:55:07 2003
Date: Fri, 22 Aug 2003 12:51:14 -0700
From: Owen DeLong <owen@delong.com>
To: "Beprojects.com" <info@beprojects.com>, nanog@merit.edu
In-Reply-To: <096401c368dc$b7ac44c0$5470cd41@dellbert>
Errors-To: owner-nanog-outgoing@merit.edu
OK.. Seems to me that under the circumstances, since they're willing to
disconnect that host from the internet (any rational ISP would be), that
replacing it with a /32 route to a honeypot created by the ISP
would not be that difficult. Sure, it's unlikely that 100% of the ISPs
could do it in the time required, but, even if you just got the top 3
or so on the worm's hit list, it would have a significant impact.
If you got 10, then the surprise would be no more than 50% effective.
Sure, it won't happen in 30 minutes, but, I don't understand why this
wasn't started when F-Secure first noticed the situation.
Owen
--On Friday, August 22, 2003 1:39 PM -0500 "Beprojects.com"
<info@beprojects.com> wrote:
> So who's going to do that? There are 20 machines on 20 different networks
> covering the US, Canada and parts of Asia (from what I've read). Each
> network would have to contact the individual user and ask permission to
> put a honeypot on their IP and that's not going to happen in the next 30
> minutes.
>
> ----- Original Message -----
> From: "Owen DeLong" <owen@delong.com>
> To: <jdawson@flexpop.net>; <nanog@merit.edu>; <Jaana.Sirkia@f-secure.com>
> Sent: Friday, August 22, 2003 1:27 PM
> Subject: Re: Sobig.f surprise attack today
>
>
>>
>> OK... Maybe I'm smoking crack here, but, if they have the list of 20
>> machines,
>> wouldn't it make more sense to replace them with honey-pots that download
>> code to remove SOBIG instead of just disabling them?
>>
>> Let's use the virus against itself. At this point, I think that's a
>> legitimate
>> countermeasure.
>>
>> Owen
>>
>>
>> --On Friday, August 22, 2003 11:01 AM -0700 Jim Dawson <jdawson@navi.net>
>> wrote:
>>
>> >
>> > F-Secure Corporation is warning about a new level of attack to be
>> > unleashed by the Sobig.F worm today. Supposed to take place at 1900
>> > UTC.
>> >
>> > http://www.f-secure.com/news/items/news_2003082200.shtml
>> >
>> > Jim
>> > --
>> >
>> > See what ISP-Planet is saying about us!
>> > http://isp-planet.com/services/wholesalers/flexpop.html
>> > __________________________________________________________________
>> > Jim Dawson jdawson@flexpop.net
>> > Flexpop/Navi.Net http://www.flexpop.net
>> > 618 NW Glisan St. Ste. 101 v. +1.503.517.8866
>> > Portland, Or 97209 USA f. +1.503.517.8868
>> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> >
>>
>>
>>
>