Distributive Worm Blocking

wdebruij writes "According to this source (unfortunately in Dutch), a number of Dutch ISPs are joining forces to fight the spread of worms. The technology, called virbl, blocks for 24 hours all access from IP addresses from which at least 2 worms were sent, naturally excluding known large email servers. Background info on the project can be found at the developers' project site. So, does anyone have useful remarks on why this may succeed or fail? It appears to me to be a simple-to-implement yet powerful, albeit stopgap, solution."
  • I've got it: the ultimate virus acquisition prevention system...

    Whenever news of a worm is reported on Slashdot, the computer is locked down with the network connection halted, the disk drives unpowered, all processing stopped, and the video output suspended. A nice side effect is that power consumption of the system is near zero when in this mode.
    • Or, you could just post a link on slashdot to all infected systems. Same end effect.

    • "I've got it: the ultimate virus acquisition prevention system...

      Whenever news of a worm is reported on Slashdot, the computer is locked down with the network connection halted, the disk drives unpowered, all processing stopped, and the video output suspended. A nice side effect is that power consumption of the system is near zero when in this mode."


      I'd really like to have a few words with the guy who modded this 'Interesting'. His computer is probably off now, though.
    • This has been practice for years already in certain Dutch-speaking universities.
      Users have to do an HTTPS login in order to gain access to the intranet and internet from their home PCs. Once a worm, virus or any network-distributed threat has been detected, the computer in question has its internet access revoked, retaining routing rights only to a website containing some antivirus software and webmail. Also, an e-mail with an explanation is sent to the user's e-mail address.

      At this point this ne
    • This is the story's first post, and it's modded "redundant"? WTF?
  • Zegnar (Score:5, Insightful)

    by Zegnar ( 704768 ) on Sunday June 06, 2004 @10:59AM (#9350376)
    Here is progress - still I imagine many companies will leave things as they are just to avoid having to deal with irate calls to the helpdesk, and carry on broadcasting viruses to the world. Collective defense is fine until it costs money.
    • Re:Zegnar (Score:2, Interesting)

      by unixbugs ( 654234 )
      I agree. Imagine the feeling of not being able to fix your infected computer via online update because your freakin' ISP won't let you. One could possibly start a successful company fixing PCs, doing house calls anywhere this policy is enforced, forever. It's like Western medicine: treat the symptom, not the cause.
      • Re:Zegnar (Score:4, Interesting)

        by mattyrobinson69 ( 751521 ) on Sunday June 06, 2004 @12:25PM (#9350926)
        When Freeserve deprecated one of their dial-up numbers, all attempts to access port 80 were forwarded to their HTTP server, to a page which explained how to change the number, and to what. They blocked all other connections, I think.

        A pain in the arse, but it could be useful if the same kind of thing was implemented when you were showing characteristics of running a worm: redirect you to their free online virus scanner (or somebody else's). That way you can't infect anybody else, but you can still use the online virus scanner to remove viruses (using an OCX).

        This will carry on working while nearly all worms are for Windows. I imagine most people with other OSes wouldn't get hit, not necessarily because of higher security, but because worms wouldn't spread well in a world where 90%+ of boxes are Windows, and even then the less than 10% of boxes isn't one OS: there's Mac, Linux, Free/Open/NetBSD, Solaris, etc.
      • Re:Zegnar (Score:3, Interesting)

        by icedivr ( 168266 )
        Perhaps a partial block could be instituted - allow only outbound http to Windows Update.
    • On the other hand, would these same ISPs no longer be bombarded with users who think that they are the people who can help them fix the worm they got? I'd venture to say there would be more of those users than there would of angry users because of the worm blocking method.
  • by pedantic bore ( 740196 ) on Sunday June 06, 2004 @11:02AM (#9350398)
    Now all you need to do is trick someone into sending you something that resembles a worm... (all it will take is for some trickster to add a rule to the worm signature files that says that all messages that contain
    ^Dear
    ).

    It seems like a good idea, but it seems like the threshold is too low and there ought to be a human in the loop (i.e., if the system suddenly decides to block half the IP numbers in the universe, a human should have to OK it).

    Unfortunately I don't read Dutch; maybe they've thought of this already.

    • How's this for a DOS...

      Attacker signs up for an account with Foo ISP, and then intentionally sends five virus-attachment e-mails to Bar.com. Foo's e-mail servers are suddenly blocked from communicating with Bar.com... and any legit business can't be transacted by e-mail.
    • It doesn't look like it. And yes, I can read Dutch. So this system, in theory, would be vulnerable to what you just described.

      Then again, the ISP implementing this (BIT) is run by some very capable people. And even if they still manage to screw up, I could walk over there (considering BIT is in the same town as I am) and throw a fit at them in person. Surely more effective than emailing, and a lot more fun, too...

    • "excluding known large email servers"
      And what about small, relatively unknown ISPs? They will suffer for sure.

      If this could be done, then all you would have to do against spam AND worms would be to use that great whitelist, and accept mail only from those "known large email servers".

    • a human should have to OK it

      The number of stupid people outnumbers that of any sensible life form. Therefore it will be impossible for people to protect themselves against people by the utilisation of people.

      Maybe if you get an army of well-trained monkeys and begin breeding them, we'll have a chance. However, that also raises the question whether the people capable of training monkeys, and their trained-monkey throughput, can compare with the number of new worms and fake addresses.

  • Dutch DOS (Score:1, Insightful)

    by Anonymous Coward
    I'm making this up completely, but will this lead to denial-of-service attacks using IP spoofing techniques?
    • Re:Dutch DOS (Score:5, Insightful)

      by AndroidCat ( 229562 ) on Sunday June 06, 2004 @11:09AM (#9350436) Homepage
      If you can IP spoof with a TCP/IP connection, you could do a lot more damage than a DoS attack.
      • The question is what does this system define as a worm. SQL Slammer was considered a worm and it sent UDP traffic, which is spoofable.
        • This seems to be attached to their virus scanner software. If it detects a virus in email, it creates a record for that IP address. Once the number detected passes the threshold, it gets added to the blocking zone--which then reduces the amount of email their servers and virus scanners have to handle.
    • That project has a public page of infested computers. Is every ISP that has clients listed actually blocking them? If not, isn't this a free haven for all the kiddies that are looking for computers to expand their botnets?
  • Frea Speach! (Score:5, Insightful)

    by AndroidCat ( 229562 ) on Sunday June 06, 2004 @11:06AM (#9350421) Homepage
    The same people who complain when their ISP is blocked for sending spam will (no doubt) complain that this blocks their constitutional right to run an infested box on the Internet--complete with examples of how innocent people will be hurt by this. (Hmm, how about DHCP dynamic addresses?)
  • by Sox2 ( 785958 ) on Sunday June 06, 2004 @11:08AM (#9350428)
    how do users then download the patches to deal with the infection? Not everyone on the internet is computer literate; will the ISPs provide some help to these people?
    • This project only blocks incoming email from infected IP addresses. It doesn't block outgoing web access, so MS Update should still run. This is limited because it won't stop true worms that don't use email to spread, but it will reduce the load on email virus scanners: Rather than checking each email, they can do a quick lookup on the IP address after it's detected as a virus source.
  • by Anonymous Coward on Sunday June 06, 2004 @11:11AM (#9350451)

    We already have a system based on killing your internet access whenever you do something stupid. We call it "Chello", and being subscribed to it is considered very stupid. A vicious, though effective, circle.

    I don't hate my ISP. Not at all. I love my cable internet with upload speeds that would make an ISDN user laugh...

  • by jsav40 ( 614902 ) on Sunday June 06, 2004 @11:12AM (#9350453)
    Infected machines are locked out of the network entirely. Getting the machines reconnected is a fairly lengthy process, and users have become *much* more interested in allowing field techs to patch machines since the lockdown process was initiated. We push patches out remotely, so only 5% or so of the machines ever need to be manually patched. We also scan our subnet daily for vulnerable machines and proactively patch any machines that turn up that way. Personal laptops were a problem (briefly), but after an incident at another location where the offending user was terminated, folks have gotten the message that it is not OK to attach non-company-owned computers to the network.
    • Are you serious? The guy was fired just for letting a foreign laptop connect to your network? Seems a bit extreme.

      • the individual was fired for connecting an infected foreign laptop to the network.
      • I don't find it all that harsh really, if people are expected to work with a computer every day then people should be expected to be able to do so virus free. If the person is so freaking stupid to get infected in the first place then termination is likely a good way to show the rest of the staff that knowing how to properly use a computer will keep them their jobs.

        Staying virus free isn't tough, even without a virus scanner on the system it is easy, but first you must have some common sense when it comes
        • by kryptkpr ( 180196 ) on Sunday June 06, 2004 @11:42AM (#9350614) Homepage
          zero infections with no anti-virus suite running on the machine at all.

          And how exactly do you know there have been zero infections.. without a virus scanner? Or is the machine not connected to the 'net?
          • He said no suite running on the machine.

            That doesn't mean they couldn't use web-based scanning like Trend Micro's and Panda Software's online scanners.
          • It's quite easy to know it is uninfected, as others have pointed out there are suites that can be run online plus having a suite installed but not running is another option.

            But, I know what is running on the machine as well, I know it is stable and I know there isn't some background task eating up the resources, I reboot her machine for her maybe once a month and it sits running 24/7.

            Now to be clear, her computer sits on a NAT network so it is not publicly accessible, but hey, when I sell someone a comp
              Contrary to popular belief, you do not need full-time AV suites running on all your PCs to keep virus free; it takes some common sense, keeping your system up to date, etc.

              That's like saying you don't need to wear a condom to keep yourself STD-free, all it takes is "some common sense" about whom you sleep with, keeping yourself inoculated, etc.

              I've run a full-time AV suite for years, and 99.9% of the time it sits there eating my resources .. but it's that last 0.1%, when the big red dialog comes up out of
              • I tried a resident scanner for a while (McAfee), but that version kept nuking entire inboxes in OE, I lost over a year worth of mail thanks to that POS scanner.

                Considering I have never had a virus infection caused data loss I was a tad bit peeved to have the freaking solution to viruses delete the data instead.

                Like I said, no virus infections here and no resident scanner running, and this from a guy who has been using online services since 1988 or so.

                So just what has convinced you that you need that full
                • So just what has convinced you that you need that full time resident scanner running? Do you visit unsafe websites all day or something?

                  I have lots of friends that send me all kinds of links over IM.. the sites that host the videos/flash animations/etc are generally hosting much more than that. Not only am I running a resident AV scanner (I run Norton, but AVG is good too, stay away from McCrappy), I've switched to Firefox (IE kept "growing" new search toolbars, it was getting to be a hassle) and I'm ru
        • Oh, and my wife is proof positive it isn't tough to NOT get infected .. 3 years on her own Win98 box and zero infections with no anti-virus suite running on the machine at all.

          Then how do you know there are no viruses on the machine? Malware doesn't have to be obvious when it's running.
        • no antivirus running..

          HOW You know shes not infected ^_^
  • by G4from128k ( 686170 ) on Sunday June 06, 2004 @11:15AM (#9350474)
    Technology such as this reduces the value of virus-created owned boxes. The creators of viruses that want to create spam-spewing machines would find their spam spewer useless. During the infection phase, the virus-spreading emails would get the infected box tagged and blocked. During the usage phase, the virus-creator/spam sender would find that the owned box is useless because all the messages get blocked.

    This tech does not preclude maliciously-motivated viruses, but it does reduce the profit potential of creating spam networks.
  • IP Spoofing (Score:1, Interesting)

    by b0lt ( 729408 )
    If you IP spoof and send a virus to one of the servers using this technology, you could pretty much get every IP in the world blocked. That is a very Bad Thing (TM)
    • Re:IP Spoofing (Score:2, Informative)

      by slash-tard ( 689130 )
      That won't work. When a DoS (or whatever) spoofs an address, they send to the destination with a forged source. When the destination replies to the forged source they don't get an answer, but they do waste bandwidth and computing time.

      The blocking is based on actually sending emails through this server which will require a complete TCP handshake.
      • Yes, I am aware of that, but what if the spoofer tries to send MSBlaster or another virus? That would trigger the blocking (if it watched for that) wouldn't it?
        • Re:IP Spoofing (Score:2, Informative)

          by AndroidCat ( 229562 )
          MSBlaster was a direct worm that didn't go through email. This blocks email over a SMTP TCP/IP connection. If you could easily spoof the source of that connection, a paper on how you did it would earn you a footnote in Internet history.
        • Re:IP Spoofing (Score:2, Informative)

          by AndroidCat ( 229562 )
          I'll add a bit more detail to explain.

          With DoS attacks, you don't need to have a conversation/connection with the other end, you just drown the other end in packets. But to get a TCP connection, both sides have to exchange packets with a hard-to-spoof sequence number. If you spoof the IP address, you won't get the response to your initial request because it was routed to the IP address that was spoofed. (I'll skip request and reflection attacks here.)

          So, without establishing a two-way TCP connection, there

  • Spamhaus (Score:5, Insightful)

    by AndyFewt ( 694753 ) * on Sunday June 06, 2004 @11:20AM (#9350501)
    Didn't Spamhaus recently launch pretty much the same service, called the XBL?

    "The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits." -- http://www.spamhaus.org/xbl/index.lasso [spamhaus.org]

    The only thing I thought was weird about the Dutch system was: "An IP address gets listed after receiving at least 2 viruses". I think that may be a typo, as the system scans some email and grabs the IP from the headers if a virus/worm/trojan is found. But if it's not a typo, any email address that receives 2 viruses getting listed (regardless of infection) is a pretty sucky system.
    • Re:Spamhaus (Score:2, Informative)

      by vladj ( 716394 )
      Obviously, that's after receiving at least 2 viruses from that IP address.
    • Yes, I think the XBL is essentially the same thing.

      There is one minor difference: the XBL seems to be targeting systems that relay spam mail, while the VIRBL targets systems that are actively spreading a mail virus/worm.

      Because most of these viruses are spread with the goal of opening the victim systems as a spam relay, there will be many duplicates between those lists.
  • by mrjb ( 547783 ) on Sunday June 06, 2004 @11:26AM (#9350527)
    Chello and Tiscali top spreaders of viruses
    A database of infected PCs is the foundation of an ambitious project that should reduce the flood of virus emails.
    A number of Dutch providers are currently testing a worm blocker based on an extensive database of infected PCs. This file has been kept up to date for two weeks by BIT, a provider for businesses. In this database it is visible, amongst other things, from which IP address which virus is being spread.

    Other providers can use this database to inform their own customers that their computer is infected and bothering other people, explains Alex Bik of BIT. Self-propagating viruses (worms) are causing more and more trouble, both to private users and providers.

    BIT itself has been using the automatic blacklist-system since last week, to protect their customers against the ever growing stream of virus mails. By now, a large number of Dutch [internet] providers, including XS4ALL, Zonnet and IS Internet Services, also have access to the data.

    Port 25

    In its database, BIT keeps track of the IP addresses from which virus mails are sent. This sending [of emails] often takes place directly via port 25 from infected computers. As soon as more than 2 infected emails arrive at BIT within 25 hours, the IP address is blacklisted for 24 hours. However, the IP addresses of mail servers of known providers are not added to the database.

    Chello tops the list

    The list shows that other providers, too, can benefit from the blacklist. Customers of Chello, Tiscali and @home top the list of major virus spreaders (over 1000 virus emails). The topper is an IP address at Tiscali, from which as many as 12000 Sober.G mails have been sent.

    In total, Chello leads with over 27000 sent virus mails with the 25 main 'spreaders', followed by Tiscali (almost 23000), @home (almost 20000), Wanadoo (over 14000), HCCnet (almost 13000) and Planet [internet] (almost 12000).
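The listing rule in the translated article above (more than 2 infected mails from one IP within 25 hours lists it for 24 hours, known provider relays excluded) and the cheap per-IP lookup that replaces a full scan, as described earlier in the thread, as an added example. This is illustrative code written for this page, not BIT's virbl software: the exact threshold semantics (listing on the third hit), the placeholder DNSBL zone name, the reference time and the documentation-range IP addresses are all assumptions; the page names only the whitelist zone, nlwhitelist.dnsbl.bit.nl.

```python
"""Added example (not BIT's virbl code): a minimal virbl-style listing engine.

Assumptions, taken loosely from the translated article and labelled as such:
  * an IP is listed when MORE THAN 2 infected mails arrive from it within 25 hours
  * a listing expires 24 hours after the hit that triggered (or last extended) it
  * known provider relays on a whitelist are never listed
  * the DNSBL zone name below is a placeholder; the page names only the whitelist zone
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

THRESHOLD = 2                          # list once the count inside the window exceeds this
WINDOW = timedelta(hours=25)           # counting window per source IP
LISTING_TTL = timedelta(hours=24)      # how long a listing lasts
DNSBL_ZONE = "virbl.example.invalid"   # assumption: placeholder, not the real zone
T0 = datetime(2004, 6, 6, 10, 0)       # constructed reference time for the demo


def hours(n):
    return timedelta(hours=n)


class Virbl:
    def __init__(self, whitelist=()):
        self.whitelist = {ipaddress.ip_address(ip) for ip in whitelist}
        self.hits = defaultdict(deque)   # ip -> timestamps of virus detections
        self.listed_until = {}           # ip -> expiry of the current listing

    def record_virus(self, ip, when):
        """Called by the mail scanner for each infected message.
        Returns True if this detection lists (or re-extends) the IP."""
        ip = ipaddress.ip_address(ip)
        if ip in self.whitelist:
            return False                  # never list known relays
        q = self.hits[ip]
        q.append(when)
        while q and when - q[0] > WINDOW:  # forget detections older than the window
            q.popleft()
        if len(q) > THRESHOLD:
            self.listed_until[ip] = when + LISTING_TTL
            return True
        return False

    def is_listed(self, ip, now):
        """The per-connection check: a lookup by IP instead of scanning the message."""
        ip = ipaddress.ip_address(ip)
        expiry = self.listed_until.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.listed_until[ip]     # 24 hours are up; fall back to scanning
            return False
        return True


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Standard DNSBL query name: IPv4 octets reversed, zone appended,
    e.g. 7.100.51.198.<zone> for 198.51.100.7. An A record answer means 'listed'."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this convention is for IPv4 lists")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


if __name__ == "__main__":
    bl = Virbl(whitelist=["192.0.2.25"])    # 192.0.2.25: constructed relay address
    for h in range(3):
        listed = bl.record_virus("198.51.100.7", T0 + hours(h))
        print(f"hit {h + 1} from 198.51.100.7 -> listed={listed}")
    print(dnsbl_query_name("198.51.100.7"))
```

Two properties of the rule fall out of the window arithmetic: an infected host that keeps sending is re-listed by every further hit, so the 24-hour expiry only matters once it goes quiet, and since the window (25 h) is longer than the listing (24 h) a single hit after expiry is enough to relist it. The listing is per address, so whoever inherits that address on a dial-up or DHCP pool before the 24 hours are up inherits the block as well.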
  • by Anonymous Coward
    A number of Dutch ISPs are currently testing a worm-blocker based on an extensive database of infected PCs. This database is currently being managed by BIT ISP. It contains the IP numbers of the PCs that are infected and spreading viruses.

    Other providers can use the database for their own customers, to warn them that their PC is infected. BIT uses the database for automatic blacklisting and firewalling to protect their customers. It records from which PCs viruses are sent (which usually occurs by e-mai
  • Tech support (Score:3, Insightful)

    by Fullmetal Edward ( 720590 ) on Sunday June 06, 2004 @11:40AM (#9350604) Journal
    "I can't send a file to my friend or even get to some website, whats wrong with my PC?"

    "You've been virusing people, sending spam and being a git."

    "No I haven't..."

    I don't want to be that tech support guy, because this will happen, and often.
    • It doesn't block web access. Direct email to servers using this system will return "550 You're a virus infected git!" (probably in Dutch). Email to anyone else or through the ISP's servers will be as usual.
  • by angryLNX ( 679691 ) on Sunday June 06, 2004 @11:45AM (#9350638) Homepage
    I have been doing a high school science research class project on stopping the spread of internet-borne worms through analysis of epidemic models and such. I have come across many different methods for stopping the distribution of vulnerability-based worms, so I'll share here (in order from most innovative to most obvious):

    First, a very ingenious method coming from Dartmouth's Institute for Security Technology Studies [dartmouth.edu]. They propose monitoring the internet for plumes of ICMP unreachable messages. Software is installed on routers which records the ICMP unreachable messages being sent and periodically sends data to a central server, which analyzes the data and sees which things are probably random-scanning worms. This is probably the best idea I've seen yet, but most likely the hardest to implement (as router software is usually kept air-tight). The bad ports and such would then be filtered or turned off as appropriate.

    A second method, which may or may not have been talked about on here, is "good" worms. Worms which sit around and listen for worm data would then send a copy of themselves to the computer which was scanning them, therefore fixing another hole and having that computer be another "good" computer. The bad thing with this is that it will only really work when the worm is at its peak, when damage has already been done. It would be useful for cleanup, but of course issues with privacy and control would be rampant.

    Another "solution" is getting users to install firewalls and anti-virus software, but that's a more obvious and hard-to-implement solution.

    I am modeling all of these possibilities using a mathematical model for epidemics, and seeing which one would theoretically be most useful and such, and I'll take a look at the method used in the article.
  • I'm confused (didn't RTFA): are they blocking real worms or VB-script Outlook worms? Because calling a VB-script Outlook worm a worm is like calling a kid with a water gun a crazed psychopathic killer. Microsoft could have solved every single VB-script 'worm' with about 4 lines of code.
  • by curator_thew ( 778098 ) on Sunday June 06, 2004 @11:52AM (#9350682)

    Sorry to hear if you're on a dynamic IP address: be prepared for intermittent connectivity to peers in said networks running this technology.

    I don't think this is a good solution, anyway. The better solution is for ISPs to use Snort or something else to detect _outgoing_ viruses and worms from their own customers in real time and, in response, send email to the customer warning them.

    This has a number of benefits, i.e. it actively works towards the source of the problem, rather than just "blocking" the problem out.
    • Hmm.... sounds interesting, but that would only work if the user was actually reading mail from the ISP.

      I don't use my ISP email account because I prefer having control of my own mail. Also, all I get on that account is spam (mostly from the ISP itself... no, I *don't* want "Yahoo DSL", thanks :-)).

      The users who are most likely to be infected, on the other hand, are also likely to be the ones using Hotmail or something like that.
    • I don't think this is a good solution, anyway. The better solution is for ISPs to use Snort or something else to detect _outgoing_ viruses and worms from their own customers in real time and, in response, send email to the customer warning them.

      Your "solution" assumes that all ISPs and everyone else with direct connections will do this checking. Fat chance. The only way that would happen would be if there were a large penalty for any ISP (or whoever) who allowed worms or viruses to spread out of their net

  • naturally excluding known large email servers

    Why are they excluded? If the admins can't do their god damned jobs and run a secured email server, why should they be coddled?
  • I've been doing this for a few weeks now and it works great. I run clamav to initially recognize the worms. I keep the blockage for a week, though, not 24 hours, and I block for just one worm, not two. This may explain why my numbers come out better than these virbl folks - before IP blacklisting, worms were using up almost half my 1.5 Mbps incoming bandwidth; now it's down to around 15%.
    • I just started doing something like this too. I 'tail -f' the maillog and have a simple perl script add any spammer / viral site into a pf (packet filter) table to block at the packet level. The maillog entries I look for are any rejections that look fishy (eg. mail to non-existent accounts, mail with MS attachments, mail from hosts with hostnames that contain ".dsl."/".cable.").

      In 7 days of operation I have accumulated ~20,000 machines that needed blocking and my spam-attempts have dropped from 7,000 per day t
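The maillog-driven approach in the comment above, as an added example in Python rather than the commenter's Perl. This is not the commenter's script: the Postfix-style log lines are constructed for this example, the rule set is the three cues the comment lists (rejections for non-existent recipients, Microsoft executable attachments, hostnames containing ".dsl." or ".cable."), and the `pfctl -t <table> -T add <ip>` commands are rendered as strings rather than executed. The table name "wormhosts" and the documentation-range addresses are assumptions.

```python
"""Added example (not the commenter's Perl): turn mail-log rejections into a pf
block list. Log lines are constructed, Postfix-style; pfctl commands are rendered,
not executed."""
import ipaddress
import re
from collections import Counter

# "... from host.name[1.2.3.4]: ..." as Postfix smtpd/cleanup rejection lines write it
CLIENT_RE = re.compile(r"from (?P<host>\S+)\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")
# MIME attachment names ending in the executable types mail worms of the day used
MS_ATTACHMENT_RE = re.compile(r'name="?[^";]+\.(?:exe|pif|scr|bat|com|vbs|zip)"?', re.I)

# Constructed sample log (documentation ranges: 198.51.100.x, 203.0.113.x, 192.0.2.x)
LOG_LINES = [
    'Jun  6 11:02:13 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: '
    '550 <nobody@example.net>: Recipient address rejected: User unknown in local recipient table; '
    'from=<bob@example.org> to=<nobody@example.net> proto=ESMTP helo=<pc>',
    'Jun  6 11:02:20 mx postfix/cleanup[1240]: 3A2B1: reject: header Content-Type: '
    'application/octet-stream; name="document.pif" from cable-24-1.cable.example.net[203.0.113.9]; '
    'from=<a@example.org> to=<c@example.net> proto=ESMTP helo=<cable-24-1>',
    'Jun  6 11:02:31 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from dyn-77.dsl.example.com[198.51.100.77]: '
    '450 <c@example.net>: Recipient address rejected: Greylisted; '
    'from=<d@example.org> to=<c@example.net> proto=SMTP helo=<dyn-77>',
    'Jun  6 11:02:40 mx postfix/smtpd[1235]: 5C3D2: client=mail.example.org[192.0.2.25]',
    'Jun  6 11:03:01 mx postfix/smtpd[1236]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: '
    '550 <sales@example.net>: Recipient address rejected: User unknown in local recipient table; '
    'from=<eve@example.org> to=<sales@example.net> proto=ESMTP helo=<pc>',
]


def classify(line):
    """Return a reason label if a rejection matches one of the comment's cues, else None."""
    low = line.lower()
    m = CLIENT_RE.search(line)
    if not m or "reject" not in low:
        return None                        # only rejections are considered
    host = m.group("host").lower()
    if "user unknown" in low:
        return "nonexistent-recipient"     # harvested/dictionary address delivery attempt
    if MS_ATTACHMENT_RE.search(line):
        return "ms-attachment"             # executable attachment rejected by header checks
    if ".dsl." in host or ".cable." in host:
        return "consumer-hostname"         # direct-to-MX delivery from a consumer line
    return None


def blocklist_from_log(lines):
    """Count suspicious rejections per client IP; the first reason seen is kept."""
    hits, reasons = Counter(), {}
    for line in lines:
        reason = classify(line)
        if reason is None:
            continue
        ip = str(ipaddress.ip_address(CLIENT_RE.search(line).group("ip")))
        hits[ip] += 1
        reasons.setdefault(ip, reason)
    return hits, reasons


def pfctl_commands(hits, table="wormhosts"):
    """Render the pf table additions a script like the commenter's would run."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(hits, key=ipaddress.ip_address)]


if __name__ == "__main__":
    hits, reasons = blocklist_from_log(LOG_LINES)
    for ip, n in hits.items():
        print(f"{ip}: {n} hit(s), reason={reasons[ip]}")
    print("\n".join(pfctl_commands(hits)))
```

Note what the third constructed line does: a greylisted (450) delivery from a ".dsl." host is blocked on the hostname cue alone, with no evidence of a worm. That is the class of false positive a hostname rule buys you, and the reason a per-IP packet-level block needs an expiry or a manual review path before it is fed with 20,000 addresses.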
  • by gilgongo ( 57446 ) on Sunday June 06, 2004 @12:47PM (#9351061) Homepage Journal
    You might also have a look at Spam Cannibal [spamcannibal.org].

    It's in the same sort of area: an interesting proactive approach to spam, and potentially worms as well.

  • Here's a rather bad (and slightly humorous) babelfish translation of the site, but you can kind of get the gist... sort of...

    A number of Dutch providers has at present tested wormblokker on the basis of a vast database with contaminated pc.s this file for two weeks has been kept up BIT, provider business. In this database is see among others as from which ip-adres which virus is spread.

    Other providers can use this database to inform that their own customers their computer are contaminated and nuisanc
  • My ISP's approach... (Score:2, Interesting)

    by Cobron ( 712518 )
    I got this mail under Linux which I was unsure was legitimate or a virus. Not having NTFS support compiled in, I mailed it to myself and rebooted to Windows to scan it.
    Retrieving my mail I just got one: my ISP telling me I'm most likely infected, and I noticed they blocked my access to their mailserver for about a day (I was still able to use HTTP and such).
    I was quite impressed...

    ps: The ISP is Telenet (Belgium)
  • Problems? (Score:4, Insightful)

    by gmuslera ( 3436 ) on Sunday June 06, 2004 @01:20PM (#9351251) Homepage Journal
    • There are worms that don't have their own SMTP engine. OK, big mail servers are whitelisted, but what about small/medium mail servers? Blocking entire mail servers because a single user of one is infected?
    • Modems/dynamic IPs: an infected user uses an IP, gets blocked, and disconnects/gets another IP. The probably clean user that now gets the old IP also gets blocked. With enough IP rotation and a certain percentage of infected users you could end up blocking entire ISPs (OK, the ban is only for 24 hours, but my IP rotation is every 12 hours, so I will surely hate it if I can't do something because some clueless idiot got infected and blocked).
    • IP grouping: at least here, internet cafes normally have one public IP for all computers, and that happens too with companies with their entire traffic masqueraded through one IP. If one gets infected (and eventually cleaned) the entire place is blocked.
  • Many worms spread themselves not by sending emails directly but via configured email relays. The recipients will see them together with worm-relayed spam coming from ISPs' email relays like smtp*.wanadoo.fr. Of course they can be blocked, too, but lots of legitimate emails would get rejected.

    OTOH with clueless ISPs like Wanadoo, their customers would suffer from severe delivery problems anyway and need to think about a third-party relay like a freemailer, or simply change ISP. But for this to occur, such

    • I work for BIT, the ISP who operates the virbl.

      In order to prevent colleague ISPs' relays from being blacklisted, we also have a whitelist containing a number of these relays. This list is available as nlwhitelist.dnsbl.bit.nl and can be fetched via AXFR. If you have questions, mail me in private.
  • Ahem (Score:3, Funny)

    by waldoj ( 8229 ) <waldo@@@jaquith...org> on Sunday June 06, 2004 @01:31PM (#9351306) Homepage Journal
    I proposed this 3.5 years ago on Advogato [216.239.41.104].

    Just calling it up, 'cuz I never get credit for nothin'. :)

    -Waldo Jaquith
  • Note to self: in order to permanently disable any Dutch server (naturally excluding known large email servers) or client, send two Blaster UDP packets with spoofed source IP to one of a number of Dutch ISPs using virbl.

    Seriously, this is truly amazing. I have never heard of any other DoS attack in history which would need sending only one IP packet every 12 hours. Even 20000x smurf amplifier on a class-B broadcast saturating the entire T3 I once saw looks like nothing compared to the possibilities of ex

  • by bigberk ( 547360 ) <bigberk@users.pc9.org> on Sunday June 06, 2004 @02:58PM (#9351762)
    So, does anyone have useful remarks on why this may succeed or fail?
    The WPBL [pc9.org] is a very similar effort, using distributed spam sightings to block IPs. We focus on spam, while virbl specializes in viruses. I think they'll have good success provided their method of virus detection is very accurate. In our case, statistical bayesian-like filters help us get accurate spam sightings.
  • ...blocking me from getting all the moderator points I have earned from meta-moderating. (go ahead, mod it down, if you have the points)
  • So, does anyone have useful remarks on why this may succeed or fail?

    Yes. A simple fake IP will cause real havoc by denial of service of really big networks.
  • I am a dial-up user. Sometimes when I try to send email, I get a message from the SMTP server saying that my IP address is blocked from sending email because it's on a spam blacklist. Of course I'm not a spammer. All I have to do is reconnect, and I usually get a non-blocked IP address and can send email normally. I think you can avoid this technique the same way. Imagine the following scenario:

    1. A worm-infected b0x calls a dial-up server.
    2. Its IP address gets blocked.
    3. The same b0x reconnects and g
  • I have always thought that big central servers only make it easier to get around solutions. Think in terms of the homogeneity of Windows. Hopefully this will encourage a large number of small servers (home servers) that are not blocked just for being on cable or DSL. Global blockage should be based on worms or spam coming from a cracked system rather than on assumed guilt.

    What is nice about this approach is that if somebody's system is blocked for being infected by a virus or worm, it will force these pp
  • This is an idea for an authentication system or system containing an
    authentication system. Your idea will not work. This is because it:

    [ ] Fails to establish a trustable connection to its end-user.
    [ ] Fails to establish a trustable connection from the end-user
    interface to a system with knowledge to do the authentication.
    [X] Fails to contain a system that may be trusted.
    [ ] Is not finely-grained enough to distinguish between some entities
    that should pass authentication and some that shouldn't.
    [
    • Your form letter, among others, fails to account for:
      - Worm bandwidth costs these companies a lot of money.
      - A partial solution is better than no solution. Morphine may not kill cancer cells but it sure as heck gives terminal patients some quality of life.
      - Fuck the lusers and their idiotic opinion, getting rid of users who detract from your other users' experience should be a priority in any sane company.
      Microsoft should be fined in proportion to the damage caused by these worms. That ought to teach them se
  • This sounds like what could be accomplished with port knocking, only, almost in reverse for already open ports. I imagine the port knocking software could be managed to do this for you.
  • First, the incorrect part: it's blocking machines sending trojans, not worms. It would help if slashdot (and the rest of the world) could learn the distinction.

    Second, this has been done with worms (not trojans, as in the article) for years, courtesy of DShield [dshield.org]. They provide a recommended blacklist of the top 20 attacking IPs [dshield.org].

  • They start getting all kinds of false positives. My ISP started injecting redirects into HTTP documents as they "thought" I had a worm. It turned out to be nothing more harmful than stray CIFS messages coming from a Samba server on my network. Even worse, even with the plug pulled out of the ADSL socket, it was still managing to redirect browser sessions from all boxes when viewing internal web servers! The only solution was to restart every web server on my network (and every browser window).

    All ve
  • Exactly where is this list of "known large email servers"? If someone can explain where or how such a list is generated I would be delighted to see it.
    • It's in the FAQ at http://virbl.bit.nl/faq.php

      [~] edwin@k7>dig @nsauth1.bit.nl nlwhitelist.dnsbl.bit.nl axfr

      ; <<>> DiG 9.2.3 <<>> @nsauth1.bit.nl nlwhitelist.dnsbl.bit.nl axfr
      ;; global options: printcmd
      nlwhitelist.dnsbl.bit.nl. 86400 IN SOA nsauth1.bit.nl. hostmaster.bit.nl. 2004060701 28800 7200 604800 86400
      nlwhitelist.dnsbl.bit.nl. 86400 IN NS nsauth1.bit.nl.
      nlwhitelist.dnsbl.bit.nl. 86400 IN NS nsauth2.bit.nl.
      nlwhitelist.dnsbl.bit.nl. 86400 IN NS nsauth3.bit.nl
  • Bah! Comcast has this down already. They just block ports 135-139 and 445 at the cable modem, so you're safe from most of the Windows worms out there..
