RE: [iwar] Why do you track Code Red attempts?

From: Glenn Williamson (Glenn_Williamson@ottawa.com)
Date: 2001-08-09 06:14:04



Fred,

I won't disagree.


Glenn


-----Original Message-----
From: Fred Cohen [mailto:fc@all.net]
Sent: Thursday, August 09, 2001 9:05 AM
To: iwar@yahoogroups.com
Subject: Re: [iwar] Why do you track Code Red attempts?


Per the message sent by Glenn Williamson:

...
> vice emphasis on the who and why. I love statistical analysis, but simply
> looking at numbers does not provide the needed in-depth analysis; it points
> to a problem but not to the overall solution.

I don't know who you are referring to in terms of only counting.  The
counts are only a simple reflection of volume used to start the process
of investigation.  If very high counts are found, the potential
large-scale risks tend to be (but are not always) higher, so larger
counts bring more people into the picture.

Think of the collective Internet expertise residing in people as forces
in reserve.  They don't normally rush in after every new virus that
shows up and they don't investigate every incident that comes up, but as
the magnitude of an incident grows or as its importance grows, those who
are closest to its effects gang up on it.

If 100 Windows boxes are taken over by a virus, very few people will be
involved because there is no need to involve more.  If from each of my
several boxes strewn across the Internet, I see 1600 IPs infected in 4
days (which I do for Code Red II) that will indicate to me that this is
larger scale than I am likely to be able to handle on my own, so I send
to a forum and tell them that I am seeing 400 of these per day.  The
forum members then look for similar things and, if I am alone, they tell
me so, and it's my problem.

If they look and see hundreds per day each from their different
perspectives on the Internet, then more folks decide it's worth looking
and, eventually, the magnitude of the incident becomes clearer.  As
people investigate and find more, create defenses, etc., the numbers (in
some cases) start to go back down.  This potentially indicates progress
against the large-scale situation, and it is valuable, at least in the
case of Code Red I and II, to know if what you have done has worked or
if you need to try something else.

All of this from simple numerical totals.

FC
--This communication is confidential to the parties it is intended to
serve--
Fred Cohen		Fred Cohen & Associates.........tel/fax:925-454-0171
fc@all.net		The University of New Haven.....http://www.unhca.com/
http://all.net/		Sandia National Laboratories....tel:925-294-2087
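The escalation heuristic Fred describes (count distinct infected sources per sensor per day, sum them over a few days, compare against a threshold, then watch whether the daily figure falls once defenses are in place) can be reduced to a small script. The following is an added example written for this archive page; it is not code from either correspondent. It assumes Common Log Format web-server logs and keys on the Code Red family's GET requests for /default.ida; the log lines are constructed for the example, and the default threshold of 400 per day is taken from the message, not from any standard.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (Common Log Format). These lines are made up for
# this example and are not from the page or from any real sensor. Code Red I/II
# probe IIS hosts with a GET for /default.ida followed by an overlong query string.
SAMPLE_LOG = """\
10.0.0.1 - - [06/Aug/2001:03:12:45 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 -
10.0.0.2 - - [06/Aug/2001:04:01:10 -0700] "GET /index.html HTTP/1.0" 200 1523
10.0.0.3 - - [06/Aug/2001:05:22:01 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 -
10.0.0.1 - - [06/Aug/2001:06:40:12 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 -
10.0.0.4 - - [07/Aug/2001:01:00:00 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 -
10.0.0.5 - - [07/Aug/2001:02:15:30 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 -
10.0.0.6 - - [07/Aug/2001:09:45:00 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 -
10.0.0.2 - - [08/Aug/2001:10:00:00 -0700] "GET /robots.txt HTTP/1.0" 200 68
10.0.0.7 - - [08/Aug/2001:11:30:00 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 -
"""

# source_ip, ident, user, [timestamp], "METHOD path protocol", status
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def parse_line(line):
    """Return (source_ip, day, method, path, status) or None for non-CLF lines."""
    m = CLF_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    day = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").date().isoformat()
    return ip, day, method, path, int(status)


def is_code_red_probe(method, path):
    """Code Red family probes are GET requests for /default.ida with a query string."""
    return method == "GET" and path.lower().startswith("/default.ida?")


def probe_sources_per_day(log_text):
    """Map each day to the set of distinct source IPs that sent a Code Red probe.
    Distinct IPs, not raw hits, are what matter: one infected host probes repeatedly."""
    per_day = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, day, method, path, _status = rec
        if is_code_red_probe(method, path):
            per_day[day].add(ip)
    return dict(per_day)


def daily_counts(log_text):
    """Distinct infected sources seen per day, oldest day first."""
    return {day: len(ips) for day, ips in sorted(probe_sources_per_day(log_text).items())}


def escalation_report(log_text, window_days=4, per_day_threshold=400):
    """Apply the heuristic from the thread: sum distinct attacking IPs over the most
    recent window; if the daily average passes the threshold, the incident is larger
    than one operator should handle alone and is worth reporting to a wider forum.
    The trend of the last two days shows whether countermeasures are taking effect.
    The 400/day threshold is an assumption taken from the message; tune it per sensor."""
    per_day = probe_sources_per_day(log_text)
    days = sorted(per_day)[-window_days:]
    window_ips = set().union(*(per_day[d] for d in days)) if days else set()
    daily = [len(per_day[d]) for d in days]
    if len(daily) >= 2:
        if daily[-1] > daily[-2]:
            trend = "rising"
        elif daily[-1] < daily[-2]:
            trend = "falling"
        else:
            trend = "flat"
    else:
        trend = "insufficient data"
    avg = len(window_ips) / len(days) if days else 0.0
    return {
        "days": days,
        "distinct_ips_in_window": len(window_ips),
        "avg_per_day": avg,
        "escalate": avg >= per_day_threshold,
        "trend": trend,
    }


if __name__ == "__main__":
    print(daily_counts(SAMPLE_LOG))
    # Low threshold so the constructed sample actually trips the escalation rule.
    print(escalation_report(SAMPLE_LOG, per_day_threshold=2))
```

Run on a real sensor's log the interesting output is not the absolute number but its comparison with what other sensors report, which is exactly the step Fred describes: a figure that is high only at one vantage point is that operator's problem, while a figure that is high everywhere is an incident, and a falling trend after defenses go in is the evidence that they worked.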



------------------
http://all.net/

Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/







This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:39 PDT