From: "Glenn Williamson" <Glenn_Williamson@ottawa.com>
To: <iwar@yahoogroups.com>
Date: Thu, 9 Aug 2001 09:14:04 -0400
Subject: RE: [iwar] Why do you track Code Red attempts?

Fred,

I won't disagree,

Glenn

-----Original Message-----
From: Fred Cohen [mailto:fc@all.net]
Sent: Thursday, August 09, 2001 9:05 AM
To: iwar@yahoogroups.com
Subject: Re: [iwar] Why do you track Code Red attempts?

Per the message sent by Glenn Williamson:

...
> vice emphasis on the who and why. I love statistical analysis, but simply
> looking at numbers does not provide the needed in-depth analysis, it points
> to a problem but not to the overall solution.

I don't know who you are referring to in terms of only counting. The counts are only a simple reflection of volume used to start the process of investigation. If very high counts are found, the potential large-scale risks tend to be (but are not always) higher, so larger counts bring more people into the picture.

Think of the collective Internet expertise residing in people as forces in reserve. They don't normally rush in after every new virus that shows up and they don't investigate every incident that comes up, but as the magnitude of an incident grows or as its importance grows, those who are closest to its effects gang up on it.

If 100 Windows boxes are taken over by a virus, very few people will be involved because there is no need to involve more. If from each of my several boxes strewn across the Internet, I see 1600 IPs infected in 4 days (which I do for Code Red II) that will indicate to me that this is larger scale than I am likely to be able to handle on my own, so I send to a forum and tell them that I am seeing 400 of these per day. The forum members then look for similar things and, if I am alone, they tell me so, and it's my problem. If they look and see hundreds per day each from their different perspectives on the Internet, then more folks decide it's worth looking and, eventually, the magnitude of the incident becomes clearer.

As people investigate and find more, create defenses, etc. the numbers (in some cases) start to go back down. This potentially indicates progress against the large-scale situation, and it is valuable, at least in the case of Code Red I and II, to know if what you have done has worked or if you need to try something else.

All of this from simple numerical totals.

FC
--This communication is confidential to the parties it is intended to serve--
Fred Cohen		Fred Cohen & Associates.........tel/fax:925-454-0171
fc@all.net		The University of New Haven.....http://www.unhca.com/
http://all.net/		Sandia National Laboratories....tel:925-294-2087

------------------
http://all.net/

Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
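The per-day counting described in the quoted message, as an added example that is not part of either poster's text: it counts distinct source IPs per day for each Code Red variant in a web access log and reports the day-over-day change. The log format (Apache common log), the sample lines, and the use of the widely reported `/default.ida?` request with `N` padding (Code Red I) or `X` padding (Code Red II) as the signature are assumptions of this example, not details from the messages.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines (Apache common log format, RFC 5737 addresses).
SAMPLE_LOG = """\
192.0.2.10 - - [05/Aug/2001:10:01:02 -0700] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 276
192.0.2.11 - - [05/Aug/2001:11:15:40 -0700] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 276
192.0.2.10 - - [05/Aug/2001:12:30:00 -0700] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 276
198.51.100.7 - - [05/Aug/2001:13:00:09 -0700] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 276
203.0.113.5 - - [05/Aug/2001:14:00:00 -0700] "GET /index.html HTTP/1.0" 200 1043
192.0.2.11 - - [06/Aug/2001:09:00:00 -0700] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 276
"""

# Source IP, request date, and the padding character repeated at least 8 times.
LINE = re.compile(r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}):[^\]]*\] "GET /default\.ida\?([NX])\3{7,}')
VARIANT = {"N": "Code Red I", "X": "Code Red II"}

def daily_unique_sources(log_text):
    """Return {date: {variant: number of distinct source IPs}} in date order."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ordinary traffic or an unparseable line
        ip, day, pad = m.groups()
        date = datetime.strptime(day, "%d/%b/%Y").date()
        seen[date][VARIANT[pad]].add(ip)  # a set, so repeat probes count once
    return {d: {v: len(ips) for v, ips in per.items()}
            for d, per in sorted(seen.items())}

def day_over_day(counts, variant):
    """Return [(date, count, change vs. previous day)] for one variant."""
    rows, prev = [], None
    for date, per in counts.items():
        n = per.get(variant, 0)
        rows.append((date, n, None if prev is None else n - prev))
        prev = n
    return rows

if __name__ == "__main__":
    counts = daily_unique_sources(SAMPLE_LOG)
    for date, n, delta in day_over_day(counts, "Code Red II"):
        print(date, n, delta)
```
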
This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:39 PDT