Re: [iwar] Why do you track Code Red attempts?

From: Fred Cohen (fc@all.net)
Date: 2001-08-08 08:17:49



Per the message sent by JunkMail Rosenberger:

> A serious question -- why do so many people track the Code Red attempts on
> their servers? 
> Do they merely succumb to morbid curiosity?  Do they hope to
> save the Internet by tracking down the owner of every compromised machine?
> Did they not receive any Melissa/ILoveYou/Kournikova emails and now they
> just want to feel like they're part of the crowd?  Do they want to prove
> they know enough to calculate a (useless) personal number?  What gives?

I can speak for myself.  I track everything that happens on the servers
I am responsible for as a matter of course.  It's part of recognizing
and responding to threats.  In the case of this virus, there is
large-scale coordination of notification so that all of the owners of
infected systems get notified.  The audit trails allow us to do that. 
There are also researchers who use these statistics to understand the
spread of the disease and predict the impact on infrastructure elements. 
With these predictions they can decide when and where to spend resources
on mitigating harm.

In my case, it took me about 2 minutes to add a line to my normal status
displays with counts of the different variants of this virus, so I did
it and notice that the new variant is running at more than 90% of all
activity.  This would seem to imply that it will have 10 times the
effect.  Other researchers do far more detailed analysis with my data.

--This communication is confidential to the parties it is intended to serve--
Fred Cohen		Fred Cohen & Associates.........tel/fax:925-454-0171
fc@all.net		The University of New Haven.....http://www.unhca.com/
http://all.net/		Sandia National Laboratories....tel:925-294-2087
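
Added example, not part of the original message and not the author's own status script: a per-variant tally of Code Red probes in a web server access log, of the kind the reply describes, which also collects the distinct source addresses that would feed owner notification. It assumes Common Log Format and the commonly reported padding characters (`N` for the original worm, `X` for Code Red II); the log lines, addresses and variant labels are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines (Common Log Format), not from the post.
# Source addresses are documentation ranges; padding is shortened, payload omitted.
SAMPLE_LOG = '''\
192.0.2.10 - - [08/Aug/2001:07:01:12 -0700] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 205
198.51.100.7 - - [08/Aug/2001:07:02:40 -0700] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 205
198.51.100.7 - - [08/Aug/2001:07:03:05 -0700] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 205
203.0.113.5 - - [08/Aug/2001:07:04:19 -0700] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 205
192.0.2.44 - - [08/Aug/2001:07:05:00 -0700] "GET /index.html HTTP/1.0" 200 1043
truncated line without a request field
'''

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (\S+)')
# /default.ida? followed by a run of one repeated padding character.
PROBE_RE = re.compile(r'^/default\.ida\?(.)\1{7,}', re.IGNORECASE)
# Assumption: padding characters as commonly reported for the two worms.
VARIANTS = {"N": "code-red", "X": "code-red-ii"}

def classify(line):
    """Return (source, variant) for a probe line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None          # malformed or truncated entry
    probe = PROBE_RE.match(m.group(2))
    if not probe:
        return None          # ordinary request
    return m.group(1), VARIANTS.get(probe.group(1), "unclassified")

def tally(lines):
    """Count probes per variant and collect distinct sources per variant."""
    counts, sources = Counter(), defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit:
            counts[hit[1]] += 1
            sources[hit[1]].add(hit[0])
    return counts, sources

def share(counts, variant):
    """Fraction of all probe activity attributed to one variant."""
    total = sum(counts.values())
    return counts[variant] / total if total else 0.0

if __name__ == "__main__":
    counts, sources = tally(SAMPLE_LOG.splitlines())
    for name, n in counts.most_common():
        print(f"{name}: {n} probes ({share(counts, name):.0%}), "
              f"{len(sources[name])} sources to notify")
```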




This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:39 PDT