Distributive Worm Blocking
wdebruij writes "According to
this source (unfortunately in dutch), a number of dutch ISPs are bundling their forces to fight the spread of worms. The technology, called virbl, blocks all accesses from IP addresses from which at least 2 worms were sent for 24 hours, naturally excluding known large email servers. Background info on the project can be found at the developers' project site. So, does anyone have useful remarks on why this may succeed or fail? It appears to me as a simple to implement yet powerful, albeit stopgap, solution."
I've got it: the ultimate virus acquisition prevention system...
Whenever news of a worm is reported on Slashdot, the computer is locked down with the network connection halted, the disk drives unpowered, all processing stopped, and the video output suspended. A nice side effect is that power consumption of the system is near zero when in this mode.
Here is progress - still I imagine many companies will leave things as they are just to avoid having to deal with irate calls to the helpdesk, and carry on broadcasting viruses to the world. Collective defense is fine until it costs money.
This will absolutely backfire under attack... during a virus crisis ISP mail servers will instantly get locked out after using their allotted virus attempts. However, a bot-created SMTP server will have a clean record and be allowed to send a few of its attacks through.
Good messages thrown away, bad messages allowed through... this isn't going to get much done.
It seems like a good idea, but it seems like the threshold is too low and there ought to be a human in the loop (i.e., if the system suddenly decides to block half the IP numbers in the universe, a human should have to OK it).
Unfortunately I don't read Dutch; maybe they've thought of this already.
Am I part of the core demographic for Swedish Fish?
I'm making this up completely, but will this lead to denial of service attacks using IP spoofing techniques?
Did you even think about reading the article?
The program provides a list of IP addresses to block email from. It doesn't only target Dutch ISP customers' email; it allows email from known virus offenders to be blocked.
Also, in the FAQ for the program, a Dutch ISP can apply to be whitelisted.
So how does this constitute locking down their customers?
In addition, do ISPs want virus spreading customers?
ah, mod points
The same people who complain when their ISP is blocked for sending spam will (no doubt) complain that this blocks their constitutional right to run an infested box on the Internet--complete with examples of how innocent people will be hurt by this. (Hmm, how about DHCP dynamic addresses?)
One line blog. I hear that they're called Twitters now.
how do users then download the patches to deal with the infection? Not everyone on the internet is computer literate; will the ISPs provide some help to these people?
Server based computing is the only way to prevent this crap the way the "internet" is now designed.
We already have a system based on killing your internet access whenever you do something stupid. We call it "Chello", and being subscribed to it is considered very stupid. A vicious, though effective, circle.
I don't hate my ISP. Not at all. I love my cable internet with upload speeds that would make an ISDN user laugh...
Infected machines are locked out of the network entirely. Getting the machines reconnected is a fairly lengthy process and users have become *much* more interested in allowing field techs to patch machines since the lockdown process was initiated. We push patches out remotely so only 5% or so of the machines ever need to be manually patched. We also scan our subnet daily for vulnerable machines and proactively patch any machines that turn up that way. Personal laptops were a problem (briefly) but after an incident at another location where the offending user was terminated folks have gotten the message that it is not OK to attach non company owned computers to the network.
Technology such as this reduces the value of virus-created owned boxes. The creators of viruses that want to create spam-spewing machines would find their spam spewer useless. During the infection phase, the virus-spreading emails would get the infected box tagged and blocked. During the usage phase, the virus-creator/spam sender would find that the owned box is useless because all the messages get blocked.
This tech does not preclude maliciously-motivated viruses, but it does reduce the profit potential of creating spam networks.
Two wrongs don't make a right, but three lefts do.
Yeah, I did. RBLs for known virus offenders.
But the story will be the same as RBL lists for e-mail servers.
Also, in the FAQ for the program, a Dutch ISP can apply to be whitelisted.
What about people???
So how does this constitute locking down their customers?
So, do you really know who sent you the virus??? Then you are the only one in this world.
RBLs don't work (at least without the constant help of an admin). Reason? Some admins are incompetent and they allow spam without knowing. The company gets reported and blocked. But there are other people that do depend on communication with *Spammer-Company* and would allow their mail servers to process their messages. Even I have had to whitelist such companies at least 10 times.
In addition, do ISPs want virus spreading customers?
In addition, does the customer want an ISP that's blocking him from getting to the net? NO!
Imagine for a moment that you own a company and you depend on e-mail. Does this company want such an ISP??? NO! I can just imagine you running to the neighbour to send an urgent mail, because you had a worm and now you're blocked.
Signature Pro version 1.13.2-3 release 83.5 beta3try7 after-breakfast edition
If you IP spoof and send a virus to one of the servers using this technology, you could pretty much get every IP in the world blocked. That is a very Bad Thing (TM)
got sig?
Didn't Spamhaus recently launch pretty much the same service, called the XBL?
"The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits." -- http://www.spamhaus.org/xbl/index.lasso
The only thing I thought was weird about the Dutch system was: "An IP address gets listed after receiving at least 2 viruses". I think that may be a typo, as the system scans some email and grabs the IP from the headers if a virus/worm/trojan is found. But if it's not a typo, any email address that receives 2 viruses gets listed (regardless of infection), which is a pretty sucky system.
Chello en Tiscali top-spreaders of viruses
A database of infected PCs is the foundation of an ambitious project that should reduce the flood of virus emails.
A number of Dutch providers are currently testing a worm blocker based on an extensive database of infected PCs. This file has been kept up to date for the past 2 weeks by BIT, a provider for businesses. In this database it is visible, amongst other things, from which IP address which virus is being spread.
Other providers can use this database to inform their own customers that their computer is infected and bothering other people, explains Alex Bik of BIT. Self-propagating viruses (worms) are causing more and more trouble, both to private users and providers.
BIT itself has been using the automatic blacklist-system since last week, to protect their customers against the ever growing stream of virus mails. By now, a large number of Dutch [internet] providers, including XS4ALL, Zonnet and IS Internet Services, also have access to the data.
Port 25
In its database, BIT keeps track of which IP addresses virus mails are sent from. This sending [of emails] often takes place directly via port 25 from infected computers. As soon as more than 2 infected emails arrive at BIT within 25 hours, the IP address is blacklisted for 24 hours. However, the IP addresses of mail servers of known providers are not added to the database.
Chello tops the list
The list shows that other providers, too, can benefit from the blacklist. Customers of Chello, Tiscali and @home top the list of major virus spreaders (over 1000 virus emails). The topper is an IP address at Tiscali, from which as many as 12000 Sober.G mails have been sent.
In total, Chello leads with over 27000 sent virus mails with the 25 main 'spreaders', followed by Tiscali (almost 23000), @home (almost 20000), Wanadoo (over 14000), HCCnet (almost 13000) and Planet [internet] (almost 12000).
Visit http://ringbreak.dnd.utwente.nl/~mrjb/growingbettersoftware to download your free copy of the book
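The listing rule in the translated article (more than two infected mails from one source IP within a window, a 24-hour listing, and an exemption for known provider mail servers) is simple enough to show end to end. The block below is an added example written for this page, not VIRBL's own code: it runs a sliding-window counter over a scanner log, keeps a whitelist, expires listings, and builds the reversed-octet name a DNSBL client would query, since the list is served as a DNS RBL. The log lines, IP addresses and the zone name `virbl.example.test` are constructed for the example; the exact window and threshold values are assumptions taken from the article text.

```python
"""Added example (not VIRBL's own code): per-source infected-mail counter
with a whitelist, 24-hour listings and DNSBL query-name construction.
All log lines, IPs and the zone name are constructed for this example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address

WINDOW = timedelta(hours=24)        # assumed: counting window from the article
LISTING = timedelta(hours=24)       # listing duration from the article
THRESHOLD = 2                       # listed once the count exceeds this
DNSBL_ZONE = "virbl.example.test"   # assumed zone name, not the real one

# Constructed: mail servers of known providers, never listed.
WHITELIST = {ip_address("192.0.2.25")}

# Constructed scanner log: "<ISO timestamp> <client IP> <verdict> [name]"
SAMPLE_LOG = """\
2004-05-10T08:00:00 198.51.100.7 INFECTED Sober.G
2004-05-10T08:05:00 198.51.100.7 CLEAN
2004-05-10T09:00:00 198.51.100.7 INFECTED Sober.G
2004-05-10T09:30:00 192.0.2.25 INFECTED Netsky.P
2004-05-10T09:31:00 192.0.2.25 INFECTED Netsky.P
2004-05-10T09:32:00 192.0.2.25 INFECTED Netsky.P
2004-05-10T10:00:00 198.51.100.7 INFECTED Sober.G
2004-05-11T11:00:00 203.0.113.9 INFECTED Bagle.Z
2004-05-11T11:10:00 203.0.113.9 INFECTED Bagle.Z
2004-05-12T12:00:00 203.0.113.9 INFECTED Bagle.Z
"""


class Blocklist:
    def __init__(self):
        self.hits = defaultdict(deque)   # ip -> timestamps of infected mails
        self.listed = {}                 # ip -> listing expiry time

    def record(self, ts, ip, infected):
        """Feed one scanner verdict; return True if this listed the IP."""
        ip = ip_address(ip)
        if not infected or ip in WHITELIST:
            return False
        q = self.hits[ip]
        q.append(ts)
        while q and ts - q[0] > WINDOW:   # drop hits outside the window
            q.popleft()
        if len(q) > THRESHOLD:
            self.listed[ip] = ts + LISTING
            return True
        return False

    def is_listed(self, ip, now):
        """Is ip listed at time now (datetime or ISO string)?"""
        if isinstance(now, str):
            now = datetime.fromisoformat(now)
        expiry = self.listed.get(ip_address(ip))
        return expiry is not None and now < expiry


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Name a DNSBL client looks up for a.b.c.d: d.c.b.a.<zone>."""
    octets = str(ip_address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def process_log(text):
    bl = Blocklist()
    for line in text.splitlines():
        parts = line.split()
        ts = datetime.fromisoformat(parts[0])
        bl.record(ts, parts[1], parts[2] == "INFECTED")
    return bl


if __name__ == "__main__":
    bl = process_log(SAMPLE_LOG)
    for ip, expiry in bl.listed.items():
        print(f"{ip} listed until {expiry} as {dnsbl_query_name(ip)}")
```

In the constructed log, 198.51.100.7 sends three infected mails within two hours and is listed until the next morning; 192.0.2.25 is a whitelisted provider server and is never listed even after three hits; 203.0.113.9 sends three infected mails, but the third arrives after the first two have aged out of the window, so it stays off the list. That last case is the one the threshold is meant to distinguish from a steady spreader.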
A number of Dutch ISPs are currently testing a worm-blocker based on an extensive database of infected PCs. This database is currently being managed by BIT ISP. It contains the IP numbers of the PCs that are infected and spreading viruses.
Other providers can use the database for their own customers, to warn them that their PC is infected. BIT uses the database for automatic blacklisting and firewalling to protect their customers. It records from which PCs viruses are sent (which usually occurs by e-mail spreading). When at least 2 mails have been tagged as a virus, the IP is blacklisted for 24 hours. They call this service VIRBL.
"I can't send a file to my friend or even get to some website, whats wrong with my PC?"
"You've been virusing people, sending spam and being a git."
"No I haven't..."
I don't want to be that tech support guy, because this will happen, and often.
--- [Insert interesting Sig here]
Uh, the guy is Dutch. Make sure you are a perfect Dutch speaker before calling him a pissant. Thaaank you.
I have been doing a high school science research class project on stopping the spread of internet-borne worms through analysis of epidemic models and such. I have come across many different methods for stopping the distribution of vulnerability-based worms, so I'll share them here (in order from most innovative to most obvious):

First, a very ingenious method coming from Dartmouth's Institute for Security Technology Studies. They propose a method called monitoring the internet for plumes of ICMP unreachable messages. Software is installed on routers which records the ICMP unreachable messages being sent, and sends data every once in a while to a central server which analyzes the data and sees which things are probably random-scanning worms. This is probably the best idea I've seen yet, but most likely the hardest to implement (as router software is usually kept as air-tight as possible). The bad ports and such would then be filtered or turned off as appropriate.

A second method, which may or may not have been talked about on here, is "good" worms. Worms which sit around and listen for worm data would then send a copy of themselves to the computer which was scanning them, therefore fixing another hole and having that computer be another "good" computer. The bad thing with this is that it will only really work when the worm is at its peak, when damage has already been done. It would be useful for cleanup, but of course issues with privacy and control would be rampant.

Another "solution" is getting users to install firewalls and anti-virus software, but that's a more obvious and hard-to-implement solution. I am modeling all of these possibilities using a mathematical model for epidemics, and seeing which one would theoretically be most useful and such, and I'll take a look at the method used in the article.
I'm confused (didn't RTFA): are they blocking real worms or VB-script Outlook worms? Because calling a VB-script Outlook worm a worm is like calling a kid with a water-gun a crazed psychopathic killer. Microsoft could have solved every single VB-script 'worm' with about 4 lines of code.
This comment does not represent the views or opinions of the user.
Sorry to hear if you're on a dynamic IP address: be prepared for intermittent connectivity to peers in said networks running this technology.
I don't think this is a good solution, anyway. The better solution is for ISPs to use SNORT or something else to detect _outgoing_ viruses and worms from their own customers in real time, and in response, send email to the customer warning them.
This has a number of benefits: i.e. it actively works towards the source of the problem, not just "blocking" the problem out.
I wonder if they exchange data with DShield.org or the Internet Storm Center (isc.sans.org). These two sites are my primary sources for information like that, and of course serve as "sinks" for all my firewall logs.
...the way they used to be architected before the popularity of the Internet came along?
naturally excluding known large email servers
Why are they excluded? If the admins can't do their god damned jobs and run a secured email server, why should they be coddled?
Mod me down with all of your hatred and your journey towards the dark side will be complete!
I've been doing this for a few weeks now and it works great. I run clamav to initially recognize the worms. I keep the blockage for a week, though, not 24 hours, and I block for just one worm, not two. This may explain why my numbers come out better than these virbl folks - before IP blacklisting, worms were using up almost half my 1.5 Mbps incoming bandwidth; now it's down to around 15%.
This will scan all email for viruses AND everything else.
The only thing new in this world is the history that you don't know.[Harry Truman]
...a number of dutch ISPs are bundling there forces to fight the spread of worms.
...a number of Dutch ISPs are bundling their forces to fight the spread of worms.
Please, editors, screen the articles for these kinds of annoying and sophomoric errors.
You might also have a look at Spam Cannibal.
It's in the same sort of area: an interesting proactive approach to spam, and potentially worms as well.
"And the meaning of words; when they cease to function; when will it start worrying you?"
Here's a rather bad (and slightly humorous) babelfish translation of the site, but you can kind of get the gist... sort of...
A number of Dutch providers has at present tested wormblokker on the basis of a vast database with contaminated pc.s this file for two weeks has been kept up BIT, provider business. In this database is see among others as from which ip-adres which virus is spread.
Other providers can use this database to inform that their own customers their computer are contaminated and nuisance ensures, thus explains Alex chip of BIT . Themselves spreading viruses (maggots) appear ensure more and more nuisance, both at individuals and at providers.
BIT itself has had to the automatic blacklist system since last week in use its protect customers against the always larger becoming flow to virus mails. Also a number of other Dutch providers, among which XS4ALL, Zonnet ARE and Interned services, have meanwhile the arrangement concerning the data.
Port 25 BIT keeps up in its database as from which ip-adressen are virusmailtjes sent. This sends frequently directly place finds by means of poort 25 as from contaminated computers. As soon as there within 24 hours more than two contaminated mailtjes at BIT, ip-adres in the blacklist come in are put for 24 hours. Ip-adressen of the mail servers of well-known providers are not put moreover in the database.
This system, baptised by the bed cherry VIRBL, after setting-up direct result has had, thus puts chip. The mail servers of BIT have been considerably relieved meanwhile already. Also Internet services IS is enthusiastically and calls the result ' staggeringly '. The provider use the list of BIT to relieve its mail server. Moreover customers are informed if she contaminates prove be.
Chello to top From the list becomes clear that providers also other can from the blacklist. At the diffusers (more than thousand virusmailtjes) customers of the providers Chello, Tiscali and @Home dominate. By is ip-adres at Tiscali, waarvandaan no less than wide twaalfduizend sober G-mailtjes has been sent.
In sum the crown (with wide 27,000 sent virusmailtjes at the 25 largest diffusers) stretches Chello, followed by Tiscali (almost 23.000), @Home (almost 20.000), Wanadoo (more than 14.000), HCCnet (almost 13.000) and Planet (almost 12.000).
I got this mail under Linux which I was unsure was legitimate or a virus. Not having NTFS support compiled in, I mailed it to myself and rebooted to Windows to scan it.
Retrieving my mail I just got one: My ISP telling me I'm most likely infected and I noticed they blocked my access to their mailserver for about a day (I still was able to use http and such).
I was quite impressed...
ps: The ISP is Telenet (Belgium)
bundling "there" forces?
Here we go again. Someone couldn't take thirty seconds to proofread their posting.
There's already a lot of real-time monitoring of Internet attack traffic. How about a system where any IP address that generates Windows Networking traffic on the Internet gets its IP put into a DNS RBL automatically, and you can block based on that?
Okay, so yeah, parent is a troll, but he's completely correct. Shutdowns of this sort will cut out the big providers in a matter of minutes after the outbreak of a decent-sized worm. It takes no imagination to picture the response of the consumer who finds out that he can't get mail, or access a website. He's not going to care that it "improves his security/quality of service." All he's going to see is that his provider sucks, because it's not doing what he wants it to.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
OTOH with clueless ISPs like Wanadoo, their customers would suffer from severe delivery problems anyway and need to think about a third-party relay like a freemailer, or simply change ISP. But for this to occur, such worm-spitting relays would have to be blocked by a large number of correspondents and not only by a few individual admins. Only widely-used DNSBLs like SBL or SPEWS would be able to make Wanaspew work on their problems, not a new and barely known blacklist.
I proposed this 3.5 years ago on Advogato.
:)
Just calling it up, 'cuz I never get credit for nothin'.
-Waldo Jaquith
George Bush ought to be ousted for lying to the American people
Dubbya wasn't even elected...
I'm not a prophet or a stone-age man,
I'm just a mortal with potential of a super man.
The rest of his post is fine. I think the mistake was just a typo. No reason to get upset and fly off the handle. Chill out a little.
Note to self: in order to permanently disable any Dutch server (naturally excluding known large email servers) or client, send two Blaster UDP packets with spoofed source IP to one of a number of Dutch ISPs using virbl.
Seriously, this is truly amazing. I have never heard of any other DoS attack in history which would need sending only one IP packet every 12 hours. Even 20000x smurf amplifier on a class-B broadcast saturating the entire T3 I once saw looks like nothing compared to the possibilities of exploiting this "worm blocking" system, which is much easier, cleaner and quieter than anything I have seen before. Truly amazing.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
Where I work we have business DSL with a small ISP. In the past a laptop or two on the network have gotten worms. They just plain disconnected us from the net until we gave them reasonable evidence that the worm had been removed.
It worked wonders...I got the job of installing Symantec Antivirus Corporate and doing Windows Update on the computers that didn't have it yet. Now they schedule a day about once a month when all laptops are to be plugged into the network at once to make sure they are updated.
Used to have our laptops hit hard when we plugged into the local college network, but no problems now.
...blocking me from getting all the moderator points I have earned from meta-moderating. (go ahead, mod it down, if you have the points)
Use your head, can't you, use your head,
You're on earth, there's no cure for that - S. Beckett
Won't bother explaining why it's stupid, the rest of Slashdot has already done so.
This has served my mail well.
So, does anyone have useful remarks on why this may succeed or fail?
Yes. A simple fake IP will cause real havoc by denial of service of really big networks.
There you are, staring at me again.
Running a deficit is good,
Reagan successfully controlled and brought down the Carter-era inflation rocketship.
Illegally trading drugs to fund arm sales to puppet dictatorships
Not illegal and was doing what he could to promote freedom abroad
Lying about one's involvement ("I don't recall")
Unfounded. Please cite.
Trees cause pollution
Unfounded. Please cite.
Funding a crazy, pie-in-the-sky "defense" programme that doesn't work.
It's spelled program, and his program, even if a bit quirky in some respects, brought down the Soviet Union.
Presiding over recession, caused by your own voodoo economic programmes
You are an economic ignoramus. Reagan-era economics kept inflation in check and kept the economy from worsening in the long run.
I am a dial-up user. Sometimes when I try to send email, I get a message from the SMTP server saying that my IP address is blocked from sending email because it's on a spam blacklist. Of course I'm not a spammer. All I have to do is reconnect and I usually get a non-blocked IP address and can send email normally. I think you can avoid this technique the same way. Imagine the following scenario:
1. A worm-infected b0x calls a dial-up server.
2. Its IP address gets blocked.
3. The same b0x reconnects and gets a non blocked address and gets blocked again
4. GOTO 2.
5. Another user with a non-infected b0x calls the dial up server and his IP address is blocked by the previous worm-infected b0x with that address.
Maybe the whole dial-up IP pool could get blocked.
-- When did Ignorance Become a Point of View?
I have always thought that big central servers only make it easier to get around solutions. Think in terms of the homogeneity of Windows. Hopefully this will encourage a large number of small servers (home servers) that are not blocked just for being on cable or DSL. Global blockage should be based on worms or spam coming from a cracked system rather than on assumed guilt.
What is nice about this approach is that if somebody's system is blocked for being infected by a virus or worm, it will force these people to take care of the problem.
I prefer the "u" in honour as it seems to be missing these days.
This is an idea for an authentication system or system containing an
authentication system. Your idea will not work. This is because it:
[ ] Fails to establish a trustable connection to its end-user.
[ ] Fails to establish a trustable connection from the end-user
interface to a system with knowledge to do the authentication.
[X] Fails to contain a system that may be trusted.
[ ] Is not finely-grained enough to distinguish between some entities
that should pass authentication and some that shouldn't.
[ ] Exposes data that should not be exposed.
[X] May be easily DoSed.
[ ] Will not be accepted by government.
[X] Will not be accepted by end users.
[X] Has an unacceptable degree of false positives.
[ ] Has an unacceptable degree of false negatives.
[ ] Prevents operation of necessary functionality.
[ ] Has the potential to fail catastrophically.
[ ] Is too hard to implement.
Specifically, your suggestion fails to account for:
[ ] Providing a *trustable* store for the system's authentication data.
[ ] Brute-force attacks.
[X] The fact that IP packet source addresses may be trivially forged.
[ ] The fact that everyone within the population must use this system
properly to keep it working properly.
[ ] The fact that it requires end-users to go through more effort than
they will be willing to undertake to use it.
[X] Security breaches may not be easily repaired.
[ ] CPU power available to attack your solution.
[ ] Laws prohibiting implementation of your solution.
[X] Asshats.
[ ] Limited human memory.
[ ] Small/portable devices.
[ ] Willingness of the entity being authenticated to ignore
    authentication failures.
[ ] Windows.
[ ] Willingness of users to bypass authentication systems.
[ ] Ability of technically skilled hackers to distribute easy-to-use
attacks on the system.
[ ] User resistance to social change.
[ ] Allowing entities other than the authenticating entity to
determine associations between multiple identities that should be
unassociated.
[ ] Your blacklists do not scale to the necessary size.
[ ] The need for implementation to be phased in.
[X] Tainted authentication databases.
And the following philosophical objections may also apply:
[ ] Attempts to establish an artificial monopoly.
[X] Ideas similar to yours are easy to come up with, yet none have
ever been shown practical.
[ ] Any system that allows complete government monitoring of behavior is
unacceptable.
[ ] Any system that allows complete corporate monitoring of behavior is
unacceptable.
[ ] Authentication systems should use technical solutions rather than
legislative solutions.
[ ] Biometrics suck.
[X] Why should we have to trust you and your servers?
[ ] Incompatibility with open source or open source licenses.
[X] Feel-good measures do nothing to solve the problem.
[ ] I don't want people monitoring me.
Furthermore, this is what I think about you:
[ ] Sorry dude, but I don't think it would work.
[ ] This is a stupid idea, and you're a stupid person for suggesting
it.
[X] If you had bothered to ask anyone with any security knowledge
first, your idea would have been immediately shot down.
May we never see th
This sounds like what could be accomplished with port knocking, only, almost in reverse for already open ports. I imagine the port knocking software could be managed to do this for you.
YOU'RE WINNER !
Another lame blog
something..
With great power comes great electricity bills.
This story is bullshit.
Second, this has been done with worms (not trojans, as in the article) for years, courtesy of DShield. They provide a recommended blacklist of the top 20 attacking IPs.
They start getting all kinds of false positives. My ISP started injecting re-directs into HTTP documents as they "thought" I had a worm. It turned out to be nothing more harmful than stray CIFS messages coming from a Samba server on my network. Even worse, even with the plug pulled out of the ADSL sockets, it was still managing to re-direct browser sessions from all boxes when viewing internal web servers! The only solution was to restart every web server on my network (and every browser window).
All very clever, but a bit drastic. After all, we'd all be very secure from worms if we just chopped the plugs off the power leads, but somehow I think the solution lacks something.
Before... when some moron released yet another virus, the internet became slow. NOW when some moron releases yet another virus, large portions of the internet get blacked out... great work, guys!
Implementation of NX bit support in Linux makes a WHOLE LOT more sense to me.
Exactly where is this list of "known large email servers"? If someone can explain where or how such a list is generated I would be delighted to see it.
http://fudge.org
It appears that this system, by whitelisting major ISPs' mail servers, would unfairly permit traffic from large ISPs who didn't filter their customers' outgoing email for viruses, while blocking traffic from small ISPs and company mail servers which had a single infected user.
As I understand it, this looks at the IP address of the machine transmitting the virus to an ISP's inbound mail filters, which is rarely the infected machine (particularly if your mail server is using one of the blacklists to block dialup/cable/DSL users). So, unless you are trying to force ISPs to filter their outgoing mail, this is a complete failure (and if you are trying to force outbound filtering then major ISPs should definitely not be excluded from blocking).
If you want to cut the load on your virus filters, you can look at the Received: lines in the smtp headers for IP addresses and quickly lookup the ratio of good to bad mail from those addresses.
If any of the "Received:" lines has a high bad to good ratio (with expiration), then you block. However, the possibility of forged "Received:" lines implicating an innocent site are a concern.
Mailing lists also complicate processing of Received: lines. This could be what the system is already doing, but the descriptions here and on the virbl site are exceedingly vague.
Still leaves a lot to be desired.
A much less invasive virus scanning optimization would be to program your virus scanner to check for particular worms first, based on the last worm received from each IP address in the Received: lines. Then check those worms which have been getting a lot of hits lately, and finally check the rest of the virus database. This way, for infected messages you will only need to check less than 1% of the database.
Seriously, this kind of filtering needs to be done by ISPs on outbound traffic, not inbound. Your machine sends spam/viruses, it gets quarantined, restricting your net access to web access to antivirus sites and operating system vendors (for patch downloads), with other accesses redirected to a page that indicates access is blocked.
Then, after such filtering becomes more common (or at least it has been announced that filtering will begin at a particular date), sites could be blacklisted for failure to filter (if abused) to encourage ISPs to be responsible, with large ISPs (with better economies of scale) being more vulnerable to blacklisting than small ISPs. Maybe you compare the number of bad messages to the square root of the total number of messages from a given netblock.
The idea is to push the problem back towards people who have some influence over correcting it (the offending ISP and their customers); it isn't perfect: passively innocent people get caught in the crossfire while people who are pro-actively innocent are protected.
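The post above proposes scoring the IP addresses found in Received: lines by their good-to-bad mail ratio, with expiration, and notes that forged Received: lines are a concern. The block below is an added example written for this page, not the VIRBL project's code or the poster's: it extracts the connecting client's IP from the topmost Received: line only, and only when that line names our own MTA as the receiving host, because every Received: line below it arrived inside the message and could have been written by the sender. It then keeps a per-IP good/bad count that expires old events before deciding to block. The messages, hostnames, IP addresses, the MTA name `mx.example.test` and the thresholds are all constructed assumptions.

```python
"""Added example (not VIRBL's or the poster's code): trust only the
Received: line our own MTA wrote, then score the client IP by its
bad/(good+bad) ratio with expiry. Messages, names and thresholds are
constructed for this example."""
import re
from datetime import datetime, timedelta

OUR_MTA = "mx.example.test"      # assumed: hostname our own MTA stamps
EXPIRY = timedelta(days=7)       # assumed: how long an event counts
MIN_BAD = 3                      # assumed: never block on a single hit
MAX_BAD_RATIO = 0.5              # assumed: block when bad/total exceeds this

# "from <helo> (<rdns> [<ip>]) by <host>" as Postfix/Sendmail write it
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+\S+\s+\(.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]\)\s+by\s+(\S+)"
)


def client_ip(raw_message):
    """Return the client IP from the first Received: line if we wrote it,
    else None. Lower Received: lines are untrusted: the sender controls them."""
    headers = raw_message.split("\n\n", 1)[0]
    headers = re.sub(r"\n[ \t]+", " ", headers)      # unfold continuation lines
    for line in headers.split("\n"):
        if line.startswith("Received:"):
            m = RECEIVED_RE.match(line)
            if m and m.group(2) == OUR_MTA:
                return m.group(1)
            return None   # first hop is not ours: trust nothing below it
    return None


class ReputationTable:
    def __init__(self):
        self.events = {}  # ip -> list of (timestamp, is_bad)

    def record(self, ip, ts, is_bad):
        kept = [(t, b) for t, b in self.events.get(ip, []) if ts - t <= EXPIRY]
        kept.append((ts, is_bad))
        self.events[ip] = kept

    def should_block(self, ip, now):
        recent = [(t, b) for t, b in self.events.get(ip, []) if now - t <= EXPIRY]
        bad = sum(1 for _, b in recent if b)
        # MIN_BAD guards the ratio so a single hit, or an empty list, never blocks
        return bad >= MIN_BAD and bad / len(recent) > MAX_BAD_RATIO


# Constructed: delivered straight to us by a DSL client, with a second,
# untrusted Received: line that the client itself could have forged.
MSG_FROM_CLIENT = """\
Received: from pc123.dsl.example.net (pc123.dsl.example.net [198.51.100.7])
\tby mx.example.test (Postfix) with SMTP id ABC123
\tfor <user@example.test>; Mon, 10 May 2004 10:00:00 +0200
Received: from innocent.example.org (innocent.example.org [203.0.113.9])
\tby pc123.dsl.example.net with SMTP; Mon, 10 May 2004 09:59:00 +0200
From: friend@example.net
Subject: hi

body
"""

# Constructed: arrived via a relay we did not write the top line for.
MSG_RELAYED = """\
Received: from pc123.dsl.example.net (pc123.dsl.example.net [198.51.100.7])
\tby relay.example.net (Postfix) with SMTP id DEF456;
\tMon, 10 May 2004 10:00:00 +0200
Subject: hi

body
"""


def demo():
    """Score three constructed sources; returns {ip: block decision}."""
    rep = ReputationTable()
    now = datetime(2004, 5, 17, 12, 0)
    for i in range(4):                 # 4 bad, 1 good this week
        rep.record("198.51.100.7", now - timedelta(days=i), True)
    rep.record("198.51.100.7", now - timedelta(days=1), False)
    for i in range(10):                # 2 bad among 12: mostly legitimate
        rep.record("192.0.2.80", now - timedelta(hours=i), False)
    rep.record("192.0.2.80", now - timedelta(hours=2), True)
    rep.record("192.0.2.80", now - timedelta(hours=3), True)
    for i in range(5):                 # 5 bad, but all 10+ days old
        rep.record("203.0.113.9", now - timedelta(days=10 + i), True)
    return {ip: rep.should_block(ip, now) for ip in
            ("198.51.100.7", "192.0.2.80", "203.0.113.9")}


if __name__ == "__main__":
    print(client_ip(MSG_FROM_CLIENT), client_ip(MSG_RELAYED))
    print(demo())
```

The forged-header concern is handled by construction rather than by detection: `client_ip` never reads past the first Received: line, so the `203.0.113.9` that appears in the second line of `MSG_FROM_CLIENT` is never scored, and a message whose top line was stamped by someone else's relay yields no IP at all. The mailing-list case the post mentions falls out the same way: the list server's IP is what gets scored, which is what an inbound filter can actually act on.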
Bah! Comcast has this down already. They just block ports 135-139 and 445 at the cable modem, so you're safe from most of the windows worms out there..
My email addy? should be easy enough.
Hey, mods... how about his first -1, Offtopic? :)
Actually, if big providers were blocked, it would encourage them to distribute rather than aggregate the way they do. This would allow a bit more selectivity on where to block and perhaps allow them to focus on the trouble areas.
(unfortunately in Dutch)
Jerk.