Sobig.f surprise attack today
Owen DeLong
owen at delong.com
Fri Aug 22 19:51:14 UTC 2003
OK.. Seems to me that under the circumstances, since they're willing to
disconnect that host from the internet (any rational ISP would be), that
replacing it with a /32 route to a honeypot created by the ISP
would not be that difficult. Sure, it's unlikely that 100% of the ISPs
could do it in the time required, but, even if you just got the top 3
or so on the worm's hit list, it would have a significant impact.
If you got 10, then the surprise would be no more than 50% effective.
Sure, it won't happen in 30 minutes, but, I don't understand why this
wasn't started when F-Secure first noticed the situation.
Owen
--On Friday, August 22, 2003 1:39 PM -0500 "Beprojects.com"
<info at beprojects.com> wrote:
> So who's going to do that? There are 20 machines on 20 different networks
> covering the US, Canada and parts of Asia (from what I've read). Each
> network would have to contact the individual user and ask permission to
> put a honeypot on their IP and that's not going to happen in the next 30
> minutes.
>
> ----- Original Message -----
> From: "Owen DeLong" <owen at delong.com>
> To: <jdawson at flexpop.net>; <nanog at merit.edu>; <Jaana.Sirkia at f-secure.com>
> Sent: Friday, August 22, 2003 1:27 PM
> Subject: Re: Sobig.f surprise attack today
>
>
>>
>> OK... Maybe I'm smoking crack here, but, if they have the list of 20
>> machines,
>> wouldn't it make more sense to replace them with honey-pots that download
>> code to remove SOBIG instead of just disabling them?
>>
>> Let's use the virus against itself. At this point, I think that's a
>> legitimate
>> countermeasure.
>>
>> Owen
>>
>>
>> --On Friday, August 22, 2003 11:01 AM -0700 Jim Dawson <jdawson at navi.net>
>> wrote:
>>
>> >
>> > F-Secure Corporation is warning about a new level of attack to be
>> > unleashed by the Sobig.F worm today. Supposed to take place at 1900
>> > UTC.
>> >
>> > http://www.f-secure.com/news/items/news_2003082200.shtml
>> >
>> > Jim
>> > --
>> >
>> > See what ISP-Planet is saying about us!
>> > http://isp-planet.com/services/wholesalers/flexpop.html
>> > __________________________________________________________________
>> > Jim Dawson jdawson at flexpop.net
>> > Flexpop/Navi.Net http://www.flexpop.net
>> > 618 NW Glisan St. Ste. 101 v. +1.503.517.8866
>> > Portland, Or 97209 USA f. +1.503.517.8868
>> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> >
>>
>>
>>
>