Should attack IP addresses be made public?
On August 15th an apparently knowledgeable researcher going by the moniker "RSA employe #15666" posted a list of IP addresses and machine names to Pastebin and publicized it on the 18th.
List: http://pastebin.com/yKSQd5Z5
Article: http://www.tgdaily.com/security-features/57975-leaked-data-points-to-sino-cyber-espionage-ring
Then @mrkoot did some DNS and ARIN lookups to extract some stats: https://alumni.os3.nl/~mrkoot/20110818_RSA15666stats.txt
This data could immediately help all organizations that are subject to espionage attacks. All of these IP addresses could be blocked in firewalls and ACLs in routers. (I highly recommend doing so.) If you are able to monitor your egress traffic you should investigate any internal IP address communicating with these suspect IPs.
On the other hand, does publishing these IP addresses and domains reveal too much to the attackers about the defender's intelligence? Will the attackers move on? Will the good guys who are monitoring these IP addresses have to scramble to find the new sources of attack?
This is an age-old question that has faced the intelligence community: reveal a source to do good at the expense of losing the source?
7 Answers
Although blocking known attack addresses can be a good idea, the publication of these addresses is where the challenge rests. Once discovered attack addresses are published the savvy attacker will simply use a new yet to be discovered address, or will use a distributed attack method.
To address the communication of known attack addresses to perimeter security devices without disclosing the attack address payload, perhaps bundling updates in an encrypted format that is readable only by the endpoint device would make sense. However, this opens the door to other vulnerabilities, and I would suspect that not many are willing to provide such absolute trust to outside parties.
I think that the value of such disclosure in a general sense must be evaluated against all relevant facts at the time.
In this case, there seems to have been sustained effort relating to the use of these IPs, so publishing them is of more value to those who can be protected, than it is to other attackers. Sure, the attackers are likely to move, but given their apparent entrenched position, this may take some time. Either way, it will allow more organizations to be vigilant, and help to protect many who might otherwise not see their danger.
Regular disclosure of this sort might be helpful to many people, but all facts would need to be taken into consideration for each case.
-ASB: http://XeeMe.com/AndrewBaker
I believe so, in fact many UTM vendors are moving to blocking known attack IP addresses. Issues may arise when an attack is coming from a corporate network for example and they are unaware. If that corporation needs to do business with the blocking company they may find out the hard way they have a breach.
A better idea might be for someone to start a service that tracks attacking IP addresses and to which one could register and receive alerts if his/her IPs are ever detected as an attacking address.
One final note, attackers move around to avoid being blacklisted and detected, I do the same during my penetration testing engagements. What blocking these known IP addresses really does is make an attacker work a tiny bit harder. And if the cost of blocking these IP addresses is low then it is worth adding this to your layered defenses.
To make a decision we need to understand the value being gained by keeping knowledge of the addresses secret. What new intelligence is being gained by monitoring these addresses?
If the addresses are published and the attackers are forced to migrate to new systems that migration might reveal patterns that provide valuable information.
The decision rests on comparing the value of the intelligence vs the impact of allowing the attacks to continue.
What about IP address and/or domain name spoofing? To block IP addresses, the whole block may need to be cut, at times leading to a genuine denial of service.
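The question's advice (block the published addresses and investigate any internal host that talks to them) and the answer above about cutting whole netblocks can both be made concrete with a small egress check. The following is an added example, not code from the original thread or from any of its participants; the indicator list and the flow-log lines are constructed from RFC 5737 documentation ranges and private ranges, and the Pastebin list itself is deliberately not reproduced. It reports which internal hosts contacted a listed address, emits an iptables drop rule per indicator, and shows how many addresses each rule actually covers so that a /24 entry is recognised as a broader cut than a single host.

```python
"""Egress check against a published attack-address list (added example).

Indicators and flow records below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed indicators: two single hosts and one whole netblock,
# all from RFC 5737 documentation ranges (not real attacker addresses).
SUSPECT_INDICATORS = [
    "203.0.113.7",
    "198.51.100.23",
    "192.0.2.0/24",      # a whole block, the "cut the whole block" case
]

# RFC 1918 ranges used to recognise our own internal sources.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed egress flow records: "src dst dport proto", one per line.
FLOW_LOG = """\
10.1.4.20 203.0.113.7 443 tcp
10.1.4.20 8.8.8.8 53 udp
10.2.9.5 192.0.2.44 80 tcp
172.16.3.77 198.51.100.23 443 tcp
10.1.4.20 203.0.113.7 443 tcp
192.168.1.9 192.0.2.200 25 tcp
10.7.7.7 93.184.216.34 443 tcp
"""


def load_indicators(items):
    """Parse indicators into ip_network objects; a bare IP becomes a /32."""
    return [ipaddress.ip_network(i, strict=False) for i in items]


def match_indicator(addr, indicators):
    """Return the first indicator network containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    for net in indicators:
        if ip in net:
            return net
    return None


def parse_flows(text):
    """Turn the flow-log text into (src, dst, dport, proto) tuples."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue           # skip malformed lines rather than crash
        src, dst, dport, proto = parts
        flows.append((src, dst, int(dport), proto))
    return flows


def find_suspect_egress(flows, indicators):
    """Map each internal source to the listed destinations it contacted."""
    hits = defaultdict(set)
    for src, dst, dport, proto in flows:
        if match_indicator(dst, indicators) is None:
            continue
        if not any(ipaddress.ip_address(src) in n for n in INTERNAL_NETS):
            continue           # only internal hosts are of interest here
        hits[src].add((dst, dport, proto))
    return {src: sorted(v) for src, v in hits.items()}


def block_rules(indicators):
    """One iptables OUTPUT drop rule per indicator (host or netblock)."""
    return [f"iptables -A OUTPUT -d {net.with_prefixlen} -j DROP"
            for net in indicators]


def collateral_scope(flows, indicators):
    """Per indicator: (addresses the rule covers, distinct destinations seen).

    A /32 covers one address; a /24 covers 256, so blocking it may cut
    off hosts that were never on the list.
    """
    seen = defaultdict(set)
    for _, dst, _, _ in flows:
        net = match_indicator(dst, indicators)
        if net is not None:
            seen[net].add(dst)
    return {net.with_prefixlen: (net.num_addresses, len(seen[net]))
            for net in indicators}


if __name__ == "__main__":
    nets = load_indicators(SUSPECT_INDICATORS)
    flows = parse_flows(FLOW_LOG)
    for src, dsts in sorted(find_suspect_egress(flows, nets).items()):
        print(f"investigate {src}: {dsts}")
    print("\n".join(block_rules(nets)))
    print(collateral_scope(flows, nets))
```

The duplicate 10.1.4.20 flow is collapsed by the set, so each internal host is reported once per distinct destination; the collateral figure for 192.0.2.0/24 (256 addresses, 2 actually seen) is the number to weigh before cutting a whole block on a production firewall.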
Just to put a nail in this discussion, look at this tweet from @mrkoot (who inspired this thread with his revelation of thousands of such machine names):
Infoleak-by-hostname: if not disinfo, "alarmnet7810irent2.whoi.edu" reveals that WHOI uses a Honeywell 7810iR-ENT alarm system.
Now come on. Revealing machine types, especially network attached alarm systems, is just wrong.
Although this is probably preaching to the choir... Richard and I have just published an insider's look at hacking in a cyber crime novella, Cyber Styletto. We'd really appreciate any comments or suggestions from security professionals about ideas for future books in the series. We plan to publish one every six months to keep the general public on alert to the mounting level of cyber crime, and what it means to them.