Sobig.f surprise attack today

Owen DeLong owen at delong.com
Fri Aug 22 19:51:14 UTC 2003


OK.. Seems to me that under the circumstances, since they're willing to
disconnect that host from the internet (any rational ISP would be), that
replacing it with a /32 route to a honeypot created by the ISP
would not be that difficult.  Sure, it's unlikely that 100% of the ISPs
could do it in the time required, but, even if you just got the top 3
or so on the worm's hit list, it would have a significant impact.
If you got 10, then the surprise would be no more than 50% effective.

Sure, it won't happen in 30 minutes, but, I don't understand why this
wasn't started when F-Secure first noticed the situation.

Owen


--On Friday, August 22, 2003 1:39 PM -0500 "Beprojects.com" 
<info at beprojects.com> wrote:

> So who's going to do that?  There are 20 machines on 20 different networks
> covering the US, Canada and parts of Asia (from what I've read).  Each
> network would have to contact the individual user and ask permission to
> put a honeypot on their IP and that's not going to happen in the next 30
> minutes.
>
> ----- Original Message -----
> From: "Owen DeLong" <owen at delong.com>
> To: <jdawson at flexpop.net>; <nanog at merit.edu>; <Jaana.Sirkia at f-secure.com>
> Sent: Friday, August 22, 2003 1:27 PM
> Subject: Re: Sobig.f surprise attack today
>
>
>>
>> OK... Maybe I'm smoking crack here, but, if they have the list of 20 machines,
>> wouldn't it make more sense to replace them with honey-pots that download
>> code to remove SOBIG instead of just disabling them?
>>
>> Let's use the virus against itself.  At this point, I think that's a legitimate
>> countermeasure.
>>
>> Owen
>>
>>
>> --On Friday, August 22, 2003 11:01 AM -0700 Jim Dawson <jdawson at navi.net>
>> wrote:
>>
>> >
>> > F-Secure Corporation is warning about a new level of attack to be
>> > unleashed by the Sobig.F worm today. Supposed to take place at 1900
>> > UTC.
>> >
>> > http://www.f-secure.com/news/items/news_2003082200.shtml
>> >
>> > Jim
>> > --
>> >
>> > See what ISP-Planet is saying about us!
>> > http://isp-planet.com/services/wholesalers/flexpop.html
>> >   __________________________________________________________________
>> >   Jim Dawson                                     jdawson at flexpop.net
>> >   Flexpop/Navi.Net                            http://www.flexpop.net
>> >   618 NW Glisan St. Ste. 101                      v. +1.503.517.8866
>> >   Portland, Or  97209 USA                         f. +1.503.517.8868
>> >   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> >
>>
>>
>>
>




