Seen Around – 8 March 2007

In the past couple of days, between some development work and analyzing yesterday’s Nurech spam incidents (a downloader that grabs a BHO, which installs a DLL, ipv6monl.dll, and snarfs your banking info; it seems to target German users more than anything …), I threw a bunch of blogs into my RSS reader. I need to keep abreast of things, and swimming in the deep end by the rapids seems like an efficient way to keep up. Maybe. So, a few things that caught my eye as I tore through RSS entries (over 4000 remain unread!).

Our fine friends at CastleCops were recently pounded with a DDoS that disrupted their operations for a while. Luckily they didn’t have to pay anything more for it:

My previous provider, ApplicationX, informed us today that had we been billed on a 95th percentile (instead we were on capped bandwidth) during the DDoS against CastleCops, our total bill would have been $33,000 US. This figure is at a discounted $33 per Mbit. CastleCops would have disappeared just like that, if we were on 95th percentile. Thankfully, our old host doesn’t charge their customers that way!

Source: $33,000 for DDoS Bandwidth Charges.
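The quoted figure is worth working through, because the billing model turns a DDoS into a financial attack. Under 95th-percentile pricing the provider samples port utilization every five minutes for the month, sorts the samples, discards the top 5% and bills on the highest remaining sample. Over a 30-day month that discards 432 samples, or 36 hours: an attack shorter than that never shows up on the bill, while one that runs longer sets the billed rate outright. The following is an added illustration, not code or data from the CastleCops post; the $33 per Mbit price comes from the quote, but the baseline traffic curve, the flat-rate figure and the 1000 Mbit/s attack rate (chosen because it reproduces the quoted $33,000) are assumptions.

```python
"""Why a DDoS is also a billing attack under 95th-percentile pricing.

Added example (not from the CastleCops post).  Samples are taken every
five minutes for a 30-day month, the top 5% (432 samples = 36 hours) are
discarded, and the highest remaining sample is billed per Mbit.
"""
import math

SAMPLE_MINUTES = 5
DAYS = 30
SAMPLES_PER_DAY = 24 * 60 // SAMPLE_MINUTES     # 288
SAMPLES = DAYS * SAMPLES_PER_DAY                # 8640 samples per month
PRICE_PER_MBIT = 33.0                           # quoted: "$33 per Mbit"


def baseline_mbps(i: int) -> float:
    """Assumed diurnal traffic curve: 30-50 Mbit/s, peaking once a day."""
    day_fraction = (i % SAMPLES_PER_DAY) / SAMPLES_PER_DAY
    return 40.0 + 10.0 * math.sin(2 * math.pi * day_fraction)


def month_samples(attack_hours: float, attack_mbps: float = 1000.0,
                  start_day: int = 10) -> list:
    """One month of constructed samples with a constant-rate attack
    of attack_hours starting at the beginning of start_day."""
    samples = [baseline_mbps(i) for i in range(SAMPLES)]
    start = start_day * SAMPLES_PER_DAY
    n_attack = int(attack_hours * 60) // SAMPLE_MINUTES
    for i in range(start, min(start + n_attack, SAMPLES)):
        samples[i] = attack_mbps
    return samples


def percentile_95(samples: list) -> float:
    """Sort ascending and pick the sample below the top 5%.
    Integer arithmetic avoids 0.95 * n rounding to 8207.999..."""
    s = sorted(samples)
    return s[len(s) * 95 // 100]        # index 8208: 431 samples above it


def bill_95th(samples: list) -> float:
    """Monthly bill on a 95th-percentile contract."""
    return percentile_95(samples) * PRICE_PER_MBIT


def bill_capped(cap_mbps: float) -> float:
    """Assumed flat-rate capped port: the attack changes nothing here,
    the link just saturates at the cap."""
    return cap_mbps * PRICE_PER_MBIT


if __name__ == "__main__":
    for hours in (0, 30, 35, 36, 48):
        bill = bill_95th(month_samples(hours))
        print(f"{hours:>3}h attack -> 95th-percentile bill ${bill:,.0f}")
    print(f"capped 100 Mbit port -> ${bill_capped(100):,.0f} regardless")
```

Run as a script it shows the step function: anything up to 35 hours bills at the baseline rate, and from 36 hours on the bill jumps to the full attack rate, which at 1000 Mbit/s and $33 per Mbit is the $33,000 in the quote. The lesson for anyone on a burstable contract is to ask the provider what happens when the attack outlasts the discard window, and whether a hard cap can be set.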

Microsoft Security Bulletin Advance Notification for March 2007: no new Microsoft Security Bulletins will be released on March 13, 2007. This throws my March 2007 critical bulletin market for a loop!

The Michelangelo virus is 15 years old. FUD still alive and well.

Some of us have been seeing this coming for years, but with spam botnets growing ever larger this is getting worse.

So here’s the thing. New SMTP-based methods of delivering nonspam email — whether based on DKIM, SPF, webs of trusted servers, or whatever — will not be able to operate if they have to compete for TCP connection slots with spammers, since spammers can now swamp the SMTP listener for port 25 with connections. In effect, spam will DDoS legitimate email, no matter what authentication system that legit mail uses to authenticate itself.

Source: Spam volumes at accidental-DoS levels

Operation Spam A Lot nabs 35 companies, and my inbox shows that many others are waiting in the wings … Here’s a business idea for any financial site (or Yahoo Finance or Google Finance): put a huge red flag on the ticker’s info page(s) when they’ve been pumped and dumped! Use that visibility for something good!

The trading suspensions are part of a stepped-up SEC effort – code named “Operation Spamalot” – to protect investors from potentially fraudulent spam email hyping small company stocks with phrases like, “Ready to Explode,” “Ride the Bull,” and “Fast Money.” It’s estimated that 100 million of these spam messages are sent every week, triggering dramatic spikes in share price and trading volume before the spamming stops and investors lose their money.

Source: SEC Suspends Trading Of 35 Companies Touted In Spam Email Campaigns.

Friend and fellow network sniffer Marty Roesch has some interesting thoughts on alerting. While he brings up a lot of good points, I sometimes think that there are two major problems with alerting in Snort: first, because it has to support so many backends it’s never an optimized data path or solution, and second, because so many people think they should show every piece of an alert, the alerts in many Snort UIs are difficult to manage at volumes of thousands at a time. Marty’s company will IPO tomorrow, it seems, with the ticker symbol FIRE.

I’ve been thinking that one thing that could be done that would be pretty easy and add some value would be to add “point-in-time” flow summary data to Snort events. The idea behind doing this would be to add the data for the flow that the event occurred upon to the event data.

Source: Thoughts on Alerts.
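To make the "point-in-time flow summary" idea concrete: the sensor already tracks the flow an alert fires on, so the cheap version is to copy that flow's current counters into the event at the moment the rule matches. The snapshot then says how far into the conversation the hit occurred and how much had flowed in each direction, which is exactly what an analyst triaging thousands of alerts wants without opening a packet capture. The following is an added toy illustration, not Snort or Sourcefire code; the packets and alerts are constructed, and the 5-tuple keying, field names and snapshot contents are my assumptions about what such a summary would carry.

```python
"""Attach a point-in-time flow summary to an IDS alert.

Added example, not Snort code.  Packets and alerts are replayed in
timestamp order; a flow table keyed by the bidirectional 5-tuple is kept
current, and when an alert fires the flow's counters *as of that moment*
are copied into the event.  Later packets on the same flow do not change
the summary that was recorded with the alert.
"""
from dataclasses import dataclass, asdict
from typing import Dict, List, Tuple

# Constructed sample traffic: (timestamp, src, sport, dst, dport, proto, bytes)
PACKETS = [
    (100.00, "10.0.0.5", 51234, "192.0.2.10", 80, "tcp", 60),    # SYN
    (100.02, "192.0.2.10", 80, "10.0.0.5", 51234, "tcp", 60),    # SYN/ACK
    (100.03, "10.0.0.5", 51234, "192.0.2.10", 80, "tcp", 52),    # ACK
    (100.05, "10.0.0.5", 51234, "192.0.2.10", 80, "tcp", 412),   # HTTP request
    (100.20, "192.0.2.10", 80, "10.0.0.5", 51234, "tcp", 1500),  # response
    (100.21, "192.0.2.10", 80, "10.0.0.5", 51234, "tcp", 1500),
    (100.30, "192.0.2.10", 80, "10.0.0.5", 51234, "tcp", 900),
    (101.00, "10.0.0.5", 51234, "192.0.2.10", 80, "tcp", 52),    # FIN
]

# Constructed sample alerts: (timestamp, sid, msg, src, sport, dst, dport, proto)
ALERTS = [
    (100.05, 1000001, "HTTP request matched rule",
     "10.0.0.5", 51234, "192.0.2.10", 80, "tcp"),
    (100.21, 1000002, "Suspicious response body",
     "192.0.2.10", 80, "10.0.0.5", 51234, "tcp"),
]

FlowKey = Tuple[str, int, str, int, str]


def flow_key(src: str, sport: int, dst: str, dport: int, proto: str) -> FlowKey:
    """Canonical bidirectional key so both directions land on one flow."""
    a, b = (src, sport), (dst, dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return (lo[0], lo[1], hi[0], hi[1], proto)


@dataclass
class FlowState:
    first_seen: float
    last_seen: float
    initiator: Tuple[str, int]      # endpoint that sent the first packet
    pkts_fwd: int = 0               # initiator -> responder
    pkts_rev: int = 0               # responder -> initiator
    bytes_fwd: int = 0
    bytes_rev: int = 0

    def update(self, ts: float, src: str, sport: int, nbytes: int) -> None:
        self.last_seen = ts
        if (src, sport) == self.initiator:
            self.pkts_fwd += 1
            self.bytes_fwd += nbytes
        else:
            self.pkts_rev += 1
            self.bytes_rev += nbytes

    def snapshot(self, at: float) -> dict:
        """Copy of the counters as they stand at time `at`."""
        d = asdict(self)
        d["duration"] = round(at - self.first_seen, 3)
        return d


def enrich_alerts(packets: list, alerts: list) -> List[dict]:
    """Replay packets and alerts together; return alerts with flow summaries."""
    flows: Dict[FlowKey, FlowState] = {}
    enriched: List[dict] = []
    # Packets sort before alerts at equal timestamps, so an alert sees the
    # packet that triggered it.
    events = [(p[0], 0, p) for p in packets] + [(a[0], 1, a) for a in alerts]
    for ts, kind, ev in sorted(events, key=lambda e: (e[0], e[1])):
        if kind == 0:
            _, src, sport, dst, dport, proto, nbytes = ev
            key = flow_key(src, sport, dst, dport, proto)
            st = flows.get(key)
            if st is None:
                st = flows[key] = FlowState(ts, ts, (src, sport))
            st.update(ts, src, sport, nbytes)
        else:
            _, sid, msg, src, sport, dst, dport, proto = ev
            st = flows.get(flow_key(src, sport, dst, dport, proto))
            enriched.append({"ts": ts, "sid": sid, "msg": msg,
                             "flow": st.snapshot(ts) if st else None})
    return enriched


if __name__ == "__main__":
    for alert in enrich_alerts(PACKETS, ALERTS):
        print(alert["sid"], alert["msg"], alert["flow"])
```

Note that the first alert's summary shows three packets and 524 bytes from the initiator even though the flow eventually carries four, and the second alert's summary stops at 3060 response bytes although more follow: that is the point-in-time property Marty is after, and it is what lets an analyst tell a hit on the first request from a hit deep inside a long-lived session.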

Yeah, I know that a blog post that is only about pointing at other bloggers’ entries is horrible, and a bit like when a TV show is nothing but flashbacks (both examples of phoning it in …), but I figured I would make sure everyone was reading the fine material out there.
