Distributive Worm Blocking
wdebruij writes "According to
this source (unfortunately in Dutch), a number of Dutch ISPs are bundling their forces to fight the spread of worms. The technology, called virbl, blocks all accesses from IP addresses from which at least 2 worms were sent for 24 hours, naturally excluding known large email servers. Background info on the project can be found at the developers' project site. So, does anyone have useful remarks on why this may succeed or fail? It appears to me as a simple to implement yet powerful, albeit stopgap, solution."
Security by shutdown? (Score:2, Interesting)
Whenever news of a worm is reported on Slashdot, the computer is locked down with the network connection halted, the disk drives unpowered, all processing stopped, and the video output suspended. A nice side effect is that power consumption of the system is near zero when in this mode.
Re:Security by shutdown? (Score:5, Funny)
Re:Security by shutdown? (Score:2)
Whenever news of a worm is reported on Slashdot, the computer is locked down with the network connection halted, the disk drives unpowered, all processing stopped, and the video output suspended. A nice side effect is that power consumption of the system is near zero when in this mode. "
I'd really like to have a few words with the guy who modded this 'Interesting'. His computer is probably off now, though.
Re:Security by shutdown? (Score:1)
Users have to make an https login in order to gain access to the intranet and internet from their home PCs. Once a worm or virus or any network distributed threat has been detected, the computer in question has its access to the internet revoked, having routing rights only to a website containing some antivirus software and webmail. Also an e-mail with an explanation is sent to the e-mail address.
At this point this ne
Re:Security by shutdown? (Score:2)
Zegnar (Score:5, Insightful)
Re:Zegnar (Score:2, Interesting)
Re:Zegnar (Score:4, Interesting)
pain in the arse, but it could be useful if the same kind of thing was implemented if you were showing characteristics of running a worm, to redirect you to their free online virus scanner (or somebody else's). that way, you can't infect anybody else, but you can still use the online virus scanner to remove viruses (using an OCX).
this will carry on working, while nearly all worms are for Windows. i imagine most people with other OSes wouldn't get hit, not because of higher security necessarily, but because they wouldn't spread well in a world where 90%+ boxes are Windows, and even then, the less than 10% of boxes isn't one OS - there's mac, linux, free/open/net bsd, solaris, etc.
Re:Zegnar (Score:3, Interesting)
Re:Zegnar (Score:2, Insightful)
I still think it's a step in the right direction though. It will keep users on their toes a little more, rather than hand feeding them the ease of operation that rots the brain. It puts responsibility where it should be, on the users, to keep their own(3d) machine from killing everyone else's.
"Armies of worm-ridden broadband-connected windows boxes", as one of the funniest posts I've ever read put it, are out there and are part of a problem so large the underlying cause is hard to see even though it
Re:Zegnar (Score:1)
a new denial of service attack (Score:5, Interesting)
It seems like a good idea, but it seems like the threshold is too low and there ought to be a human in the loop (i.e., if the system suddenly decides to block half the IP numbers in the universe, a human should have to OK it).
Unfortunately I don't read Dutch; maybe they've thought of this already.
Re:a new denial of service attack (Score:2, Insightful)
Attacker signs up for an account with Foo ISP, and then intentionally sends five virus-attachment e-mails to Bar.com. Foo's e-mail servers are suddenly blocked from communicating with Bar.com... and any legit business can't be transacted by e-mail.
Re:a new denial of service attack (Score:5, Insightful)
Re:a new denial of service attack (Score:3, Insightful)
Re:a new denial of service attack (Score:2)
It doesn't look like it. And yes, I can read Dutch. So this system, in theory, would be vulnerable to what you just described.
Then again, the ISP implementing this ( BIT ) is run by some very capable people. And even if they still manage to screw up, I could walk over there ( Considering BIT is in the same town as I am ) and throw a fit at them in person. Surely to be more effective than emailing and a lot more fun, too...
Re:a new denial of service attack (Score:2)
Does this answer your question? (Quoting the article:)
Re:a new denial of service attack (Score:2, Insightful)
And what about small, relatively unknown ISPs? They will suffer for sure.
If this could be done, then all you would have to do against spam AND worms would be to use that great whitelist, and accept mail only from those "exclude known large email servers". v
Re:a new denial of service attack (Score:2, Funny)
The number of stupid people outnumbers the number of any sensible life form. Therefore it will be impossible for people to protect themselves against people by the utilisation of people.
Maybe if you get an army of well trained monkeys and begin breeding them, we'll have a chance. However, that also raises the question whether the people capable of training monkeys and their trained monkey throughput can compare with the amount of new worms and fake addresses.
Dutch DOS (Score:1, Insightful)
Re:Dutch DOS (Score:5, Insightful)
Re:Dutch DOS (Score:1)
Re:Dutch DOS (Score:1)
Re:Dutch DOS (Score:1)
Frea Speach! (Score:5, Insightful)
Re:Frea Speach! (Score:2, Insightful)
Re:Frea Speach! (Score:2)
If MSN is not doing a good enough job on blocking worms/virus, then they should be blocked. They will change messages quickly.
This is a sensible thing to do but.... (Score:5, Insightful)
Re:This is a sensible thing to do but.... (Score:3, Insightful)
We already had this in the NL (Score:3, Funny)
We already have a system based on killing your internet access whenever you do something stupid. We call it "Chello" and being subscribed to it is considered very stupid. A vicious, though effective, circle.
I don't hate my ISP. Not at all. I love my cable internet with upload speeds that would make an ISDN user laugh...
We use a similar concept @ work (Score:5, Informative)
Re:We use a similar concept @ work (Score:2, Insightful)
Re:We use a similar concept @ work (Score:2, Interesting)
Re:We use a similar concept @ work (Score:3, Interesting)
Staying virus free isn't tough, even without a virus scanner on the system it is easy, but first you must have some common sense when it comes
Re:We use a similar concept @ work (Score:5, Insightful)
And how exactly do you know there have been zero infections.. without a virus scanner? Or is the machine not connected to the 'net?
Re:We use a similar concept @ work (Score:2)
That doesn't mean they couldn't use web based scanning like Trend Micro and Panda Softwares online scanners.
Re:We use a similar concept @ work (Score:3, Informative)
But, I know what is running on the machine as well, I know it is stable and I know there isn't some background task eating up the resources, I reboot her machine for her maybe once a month and it sits running 24/7.
Now to be clear, her computer sits on a NAT network so it is not publicly accessible, but hey, when I sell someone a comp
Re:We use a similar concept @ work (Score:2)
That's like saying you don't need to wear a condom to keep yourself STD-free, all it takes is "some common sense" about whom you sleep with, keeping yourself inoculated, etc.
I've run a full-time AV suite for years, and 99.9% of the time it sits there eating my resources
Re:We use a similar concept @ work (Score:2)
Considering I have never had a virus infection caused data loss I was a tad bit peeved to have the freaking solution to viruses delete the data instead.
Like I said, no virus infections here and no resident scanner running, and this from a guy who has been using online services since 1988 or so.
So just what has convinced you that you need that full
Re:We use a similar concept @ work (Score:2)
I have lots of friends, that send me all kinds of links over IM.. the sites that host the videos/flash animations/etc are generally hosting much more than that. Not only am I running a resident AV scanner (I run Norton, but AVG is good too, stay away from McCrappy), I've switched to FireFox (IE kept "growing" new search toolbars, it was getting to be a hassle) and I'm ru
Re:We use a similar concept @ work (Score:3, Interesting)
Then how do you know there are no viruses on the machine? Malware doesn't have to be obvious when it's running.
Re:We use a similar concept @ work (Score:1)
HOW You know shes not infected ^_^
Reduces the value of spam spewing owned boxen (Score:4, Insightful)
This tech does not preclude maliciously-motivated viruses, but it does reduce the profit potential of creating spam networks.
IP Spoofing (Score:1, Interesting)
Re:IP Spoofing (Score:2, Informative)
The blocking is based on actually sending emails through this server which will require a complete TCP handshake.
Re:IP Spoofing (Score:1)
Re:IP Spoofing (Score:2, Informative)
Re:IP Spoofing (Score:2, Informative)
With DoS attacks, you don't need to have a conversation/connection with the other end, you just drown the other end in packets. But to get a TCP connection, both sides have to exchange packets with a hard-to-spoof sequence number. If you spoof the IP address, you won't get the response to your initial request because it was routed to the IP address that was spoofed. (I'll skip request and reflection attacks here.)
So, without establishing a two-way TCP connection, there
Spamhaus (Score:5, Insightful)
"The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits." -- http://www.spamhaus.org/xbl/index.lasso [spamhaus.org]
The only thing I thought was weird about the Dutch system was: "An IP address gets listed after receiving at least 2 viruses".. I think that may be a typo as the system scans some email and grabs the ip from the headers if a virus/worm/trojan is found. But if it's not a typo, any email address that receives 2 viruses gets listed (regardless of infection), which is a pretty sucky system.
Re:Spamhaus (Score:2, Informative)
Re:Spamhaus (Score:2)
There is one minor difference: the XBL seems to be targeting systems that relay spam mail, while the VIRBL targets systems that are actively spreading a mail virus/worm.
Because most of these viruses are spread with the goal of opening the victim systems as a spam relay, there will be many duplicates between those lists.
Translation for non-Dutchies (Score:5, Informative)
A database with infected PCs is the foundation of an ambitious project that should reduce the flood of virus emails
A number of Dutch providers are currently testing a worm blocker based on an extensive database of infected PCs. This file has been kept up-to-date for 2 weeks by BIT, a provider for businesses. In this database, amongst other things, it is visible from which IP address which virus is being spread.
Other providers can use this database to inform their own customers that their computer is infected and bothering other people, explains Alex Bik of BIT. Self-propagating viruses (worms) are causing more and more trouble, both to private users and providers.
BIT itself has been using the automatic blacklist-system since last week, to protect their customers against the ever growing stream of virus mails. By now, a large number of Dutch [internet] providers, including XS4ALL, Zonnet and IS Internet Services, also have access to the data.
Port 25
In its database, BIT keeps track from which IP addresses virus mails are sent. This sending [of emails] often takes place directly via port 25 from infected computers. As soon as more than 2 infected emails arrive at BIT within 25 hours, the IP address is blacklisted for 24 hours. However, the ip-addresses of mail servers of known providers are not added to the database.
Chello tops the list
The list shows that other providers, too, can benefit from the blacklist. Customers of Chello, Tiscali and @home top the list of major virus spreaders (over 1000 virus emails). The topper is an ip-address at Tiscali, from which as many as 12000 Sober.G mails have been sent.
In total, Chello leads with over 27000 sent virus mails with the 25 main 'spreaders', followed by Tiscali (almost 23000), @home (almost 20000), Wanadoo (over 14000), HCCnet (almost 13000) and Planet [internet] (almost 12000).
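The listing rule in the translated article (an IP is listed after it has sent at least 2 flagged messages within a one-day window, stays listed for 24 hours, and whitelisted relays are never listed) is simple enough to model end to end. The block below is an added example, not Virbl's or BIT's code: it parses a handful of constructed log lines in a made-up format, applies the rule with a sliding window and an expiry, and builds the reversed-octet query name used by DNSBL zones in general. The log format, the 10.x/192.0.2.x addresses, the whitelist contents and the zone name passed to `dnsbl_query_name` are all assumptions for the example.

```python
"""
Added example (not Virbl's own code): a minimal model of the listing policy
described in the article. Each flagged message yields a (sender_ip, unix_time)
event. An IP is listed once it has sent THRESHOLD flagged messages within
WINDOW seconds, stays listed for LISTING_TTL seconds after the triggering
event, and whitelisted relays are never listed.
"""
import ipaddress
import re
from collections import defaultdict, deque

WINDOW = 24 * 3600       # look-back window for counting flagged messages
LISTING_TTL = 24 * 3600  # how long an IP stays blocked after being listed
THRESHOLD = 2            # flagged messages needed to trigger a listing

# Constructed log lines in a made-up format; the page does not show Virbl's.
SAMPLE_LOG = """\
1086600000 virus-found client=10.1.2.3 name=W32/Sober.G
1086603600 virus-found client=10.1.2.3 name=W32/Netsky.P
1086604000 virus-found client=10.9.9.9 name=W32/Bagle.Z
1086610000 virus-found client=192.0.2.25 name=W32/Sober.G
1086610100 virus-found client=192.0.2.25 name=W32/Sober.G
1086690000 virus-found client=10.9.9.9 name=W32/Bagle.Z
"""

# Assumed whitelist standing in for the "known large email servers" list.
WHITELIST = [ipaddress.ip_network("192.0.2.0/24")]

LOG_RE = re.compile(r"^(\d+) virus-found client=(\S+) ")


def parse_events(log_text):
    """Return [(ip, ts)] for every flagged message in the log text."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append((m.group(2), int(m.group(1))))
    return events


def is_whitelisted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WHITELIST)


class Virbl:
    def __init__(self):
        self.recent = defaultdict(deque)  # ip -> timestamps inside WINDOW
        self.listed_until = {}            # ip -> expiry time of the listing

    def record(self, ip, ts):
        """Feed one flagged message; return True if it (re)lists the IP."""
        if is_whitelisted(ip):
            return False
        q = self.recent[ip]
        q.append(ts)
        while q and ts - q[0] > WINDOW:   # drop events older than the window
            q.popleft()
        if len(q) >= THRESHOLD:
            self.listed_until[ip] = ts + LISTING_TTL
            return True
        return False

    def is_listed(self, ip, now):
        return self.listed_until.get(ip, 0) > now


def dnsbl_query_name(ip, zone):
    """Standard DNSBL convention: reversed IPv4 octets under the list zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def run(log_text):
    """Replay a log through the policy and return the resulting state."""
    v = Virbl()
    for ip, ts in parse_events(log_text):
        v.record(ip, ts)
    return v


if __name__ == "__main__":
    state = run(SAMPLE_LOG)
    for ip, until in sorted(state.listed_until.items()):
        print(ip, "listed until", until, "->", dnsbl_query_name(ip, "example.invalid"))
```

Two points the thread raises fall straight out of the model: the whitelist check runs before counting, so a flagged message from a whitelisted relay never contributes to a listing, and the threshold of two events is all an attacker needs to get any non-whitelisted sender listed for a day, which is the denial-of-service concern raised above.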
Re:Translation for non-Dutchies (Score:2)
Quick Translation of the article (Score:1, Informative)
an extensive database with infected pc's. This database is currently
being managed by BIT ISP. This databases contains ip-numbers of the
pc's that are infected and spreading viruses.
Other providers can use the database for their own customers to warn
them that their pc is infected. BIT uses the database for automatic
blacklisting and firewalling to protect their customers. It records from
which pc's viruses are sent (which usually occur by e-mai
Tech support (Score:3, Insightful)
"You been virusing people, sending spam and being a git."
"No I haven't..."
I don't want to be that tech support guy because this will happen and often.
Re:Tech support (Score:1)
other alternatives to stopping worms (Score:3, Interesting)
Worms or pretend-worms? (Score:1)
dynamic IP addresses (Score:4, Insightful)
Sorry to hear if you're on a dynamic IP address: be prepared for intermittent connectivity to peers in said networks running this technology.
I don't think this is a good solution, anyway. The better solution is for ISPs to use SNORT or something else to real-time detect _outgoing_ viruses and worms from their own customers, and in response, send email to the customer warning them.
This has a number of benefits: i.e. it actively works towards the source of the problem, not just "blocking" the problem out.
Re:dynamic IP addresses (Score:2)
I don't use my ISP email account because I prefer having control of my own mail. Also, all I get on that account is spam (mostly from the ISP itself... no, I *don't* want "Yahoo DSL", thanks
The users who are most likely to be infected, on the other hand, are also likely to be the ones using Hotmail or something like that.
Re:dynamic IP addresses (Score:2)
Your "solution" assumes that all ISPs and everyone else with direct connections will do this checking. Fat chance. The only way that would happen would be if there was a large penalty for any ISP (or whoever) who allowed worms or viruses to spread out of their net
Wait, why not email servers? (Score:2)
Why are they excluded? If the admins can't do their god damned jobs and run a secured email server, why should they be coddled?
Re:Wait, why not email servers? (Score:2)
Re:Wait, why not email servers? (Score:2)
Re:Wait, why not email servers? (Score:2)
Worm blocking by IP address (Score:2, Informative)
Re:Worm blocking by IP address (Score:2, Interesting)
and have a simple perl script add any spammer / viral site into a pf
(packet filter) table to block at the packet level. The maillog
entries I look for are any rejections that look fishy (eg. mail to
non-existent accounts, mail with MS attachments, mail from hosts with
hostnames that contain ".dsl."/".cable.".
In 7 days of operation I have accumulated ~20,000 machines that needed
blocking and my spam-attempts have dropped from 7,000 per day t
If you're interested in this... (Score:3, Interesting)
It's in the same sort of area - an interesting proactive approach to spam, and potentially worms as well.
Babelfish Translation (Score:1)
A number of Dutch providers has at present tested wormblokker on the basis of a vast database with contaminated pc.s this file for two weeks has been kept up BIT, provider business. In this database is see among others as from which ip-adres which virus is spread.
Other providers can use this database to inform that their own customers their computer are contaminated and nuisanc
My ISP's approach... (Score:2, Interesting)
Retrieving my mail I just got one: My ISP telling me I'm most likely infected and I noticed they blocked my access to their mailserver for about a day (I still was able to use http and such).
I was quite impressed...
ps: The ISP is Telenet (Belgium)
Problems? (Score:4, Insightful)
What about worms sent via ISP's email relays? (Score:2)
OTOH with clueless ISPs like Wanadoo, their customers would suffer from severe delivery problems anyway and need to think about a third-party relay like a freemailer, or simply change ISP. But for this to occur, such
Re:What about worms sent via ISP's email relays? (Score:2)
In order to prevent colleague ISPs' relays from being blacklisted, we also have a whitelist containing a number of these relays. This list is available as nlwhitelist.dnsbl.bit.nl and can be fetched via AXFR. If you have questions, mail me in private.
Ahem (Score:3, Funny)
Just calling it up, 'cuz I never get credit for nothin'.
-Waldo Jaquith
Amazing (Score:1)
Note to self: in order to permanently disable any Dutch server (naturally excluding known large email servers) or client, send two Blaster UDP packets with spoofed source IP to one of a number of Dutch ISPs using virbl.
Seriously, this is truly amazing. I have never heard of any other DoS attack in history which would need sending only one IP packet every 12 hours. Even 20000x smurf amplifier on a class-B broadcast saturating the entire T3 I once saw looks like nothing compared to the possibilities of ex
We're doing something similar (Score:4, Informative)
Obviously DWB is at work... (Score:2)
Not so clever idea for project... (Score:1)
Yes. A simple fake IP will make a real havoc by denial of service of really big networks.
I don't think this technique is effective. (Score:2, Interesting)
1. A worm-infected b0x calls a dial-up server.
2. Its IP address gets blocked.
3. The same b0x reconnects and g
Re:I don't think this technique is effective. (Score:2, Informative)
You have to block the user's access!
Every computer is provided with an account to connect.. and yes, there is a thing called MAC address.
Better than anything else. (Score:2)
What is nice about this approach is that if somebody's system is blocked for being infected by a virus or worm, it will force these pp
Form letter (Score:2)
authentication system. Your idea will not work. This is because it:
[ ] Fails to establish a trustable connection to its end-user.
[ ] Fails to establish a trustable connection from the end-user
interface to a system with knowledge to do the authentication.
[X] Fails to contain a system that may be trusted.
[ ] Is not finely-grained enough to distinguish between some entities
that should pass authentication and some that shouldn't.
[
Re:Form letter (Score:2)
- Worm bandwidth costs these companies a lot of money.
- A partial solution is better than no solution. Morphine may not kill cancer cells but it sure as heck gives terminal patients some quality of life.
- Fuck the lusers and their idiotic opinion, getting rid of users who detract from your other users' experience should be a priority in any sane company.
Microsoft should be fined in proportion to the damage caused by these worms. That ought to teach them se
Extension of Port Knocking (Score:2)
Ancient (and incorrect) news (Score:2)
Second, this has been done with worms (not trojans, as in the article) for years, courtesy of DShield [dshield.org]. They provide a recommended blacklist of the top 20 attacking IPs [dshield.org].
This is great until.. (Score:2)
All ve
naturally excluding known large email servers? (Score:2)
Re: naturally excluding known large email servers? (Score:2)
[~] edwin@k7>dig @nsauth1.bit.nl nlwhitelist.dnsbl.bit.nl axfr
; <<>> DiG 9.2.3 <<>> @nsauth1.bit.nl nlwhitelist.dnsbl.bit.nl axfr
;; global options: printcmd
nlwhitelist.dnsbl.bit.nl. 86400 IN SOA nsauth1.bit.nl. hostmaster.bit.nl. 2004060701 28800 7200 604800 86400
nlwhitelist.dnsbl.bit.nl. 86400 IN NS nsauth1.bit.nl.
nlwhitelist.dnsbl.bit.nl. 86400 IN NS nsauth2.bit.nl.
nlwhitelist.dnsbl.bit.nl. 86400 IN NS nsauth3.bit.nl
Re: naturally excluding known large email servers? (Score:2)
Yes, I should have been more specific. I was expecting they had a massive listing of known "legitimate" servers worldwide.
Whitelisting known large email servers would seem like a rather daunting task.
Re: naturally excluding known large email servers? (Score:2)
Well that's not really needed since they're only monitoring the Dutch IP space, so they only need the mail servers in that IP space.
Comcast & port blocking (Score:2)
Re:Not gonna work! (Score:3, Informative)
The program provides a list of ip addresses to block email from. It doesn't only target Dutch ISP customers' email, it allows email from known virus offenders to be blocked.
Also in the faq for the program, a Dutch ISP can apply to be whitelisted.
So how does this constitute locking down their customers?
In addition, do ISPs want virus spreading customers?
Re:Not gonna work! (Score:2)
But the story will be the same as RBL lists for e-mail servers.
Also in the faq for the program, a Dutch ISP can apply to be whitelisted.
What about people???
So how does this constitute locking down their customers?
So, do you really know who sent you virus??? Then, you are the only one on this world.
RBLs don't work (at least without constant help of admin). Reason? Some admins are incompetent and they allow spam without knowing. Company gets reported and b
Re:Not gonna work! (Score:2)
It worked wonders...I got the job of installing Symantec Antivirus Corporate and doing Windows Update on the computers that didn't have it yet. Now they schedule a day about once a month when all laptops are to be plugged into the network at once to make sure they are updated.
Used
Re:That's not security, that's stupidity. (Score:5, Informative)
Furthermore a bot-created smtp will trigger the protection quick enough so it won't be able to send much. Personally I doubt it will backfire, but maybe there's some place for improvements, time will tell.
(When I have some free time I'll try to translate the article in readable english
Re:That's not security, that's stupidity. (Score:2)
E-mail servers are trying to use SPF now (RBLs have been proclaimed as "TOO MANY FALSE POSITIVES, AND TOO LITTLE TRUE NEGATIVES"), which in fact is a solution from the other side (in my opinion even worse, because it demands too much admin control for SPF to work as it should)
Re:That's not security, that's stupidity. (Score:1)
Whenever their mailservers scan a virus/worm, a script scans the mailheaders to see where it originated, and that ip is blocked. The ISP blocking problem is solved by putting ISPs on a whitelist.
Under attack it depends if the worm has its own SMTP engine. Most new ones have, I guess. If it would be sent through an ISP MTA whic
Re:not going to work (Score:3, Interesting)
Re:not going to work (Score:2)
Re:Grammar and Spell Check Please (Score:1)