Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Sobig.f surprise attack today

  • From: Owen DeLong
  • Date: Fri Aug 22 15:54:31 2003


OK.. Seems to me that under the circumstances, since they're willing to
disconnect that host from the internet (any rational ISP would be), that
replacing it with a /32 route to a honeypot created by the ISP
would not be that difficult. Sure, it's unlikely that 100% of the ISPs
could do it in the time required, but, even if you gust got the top 3
or so on the worm's hit list, it would have a significant impact.
If you got 10, then the surprise would be no more than 50% effective.

Sure, it won't happen in 30 minutes, but, I don't understand why this
wasn't started when F-Secure first noticed the situation.

Owen


--On Friday, August 22, 2003 1:39 PM -0500 "Beprojects.com" <info@beprojects.com> wrote:

So who's going to do that?  There are 20 machines on 20 different networks
covering the US, Canada and parts of Asia (from what I've read).  Each
network would have to contact the individual user and ask permission to
put a honeypot on their IP and that's not going to happen in the next 30
minutes.

----- Original Message -----
From: "Owen DeLong" <owen@delong.com>
To: <jdawson@flexpop.net>; <nanog@merit.edu>; <Jaana.Sirkia@f-secure.com>
Sent: Friday, August 22, 2003 1:27 PM
Subject: Re: Sobig.f surprise attack today


OK... Maybe I'm smoking crack here, but, if they have the list of 20
machines,
wouldn't it make more sense to replace them with honey-pots that download
code to remove SOBIG instead of just disabling them?

Let's use the virus against itself.  At this point, I think that's a
legitimate
countermeasure.

Owen


--On Friday, August 22, 2003 11:01 AM -0700 Jim Dawson <jdawson@navi.net>
wrote:

>
> F-Secure Corporation is warning about a new level of attack to be
> unleashed by the Sobig.F worm today. Supposed to take place at 1900
> UTC.
>
> http://www.f-secure.com/news/items/news_2003082200.shtml
>
> Jim
> --
>
> See what ISP-Planet is saying about us!
> http://isp-planet.com/services/wholesalers/flexpop.html
>   __________________________________________________________________
>   Jim Dawson                                     jdawson@flexpop.net
>   Flexpop/Navi.Net                            http://www.flexpop.net
>   618 NW Glisan St. Ste. 101                      v. +1.503.517.8866
>   Portland, Or  97209 USA                         f. +1.503.517.8868
>   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>









Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.