Slashdot Mirror


Distributive Worm Blocking

wdebruij writes "According to this source (unfortunately in Dutch), a number of Dutch ISPs are bundling their forces to fight the spread of worms. The technology, called virbl, blocks all accesses from IP addresses from which at least 2 worms were sent for 24 hours, naturally excluding known large email servers. Background info on the project can be found at the developers' project site. So, does anyone have useful remarks on why this may succeed or fail? It appears to me as a simple-to-implement yet powerful, albeit stopgap, solution."

13 of 162 comments

  1. Re:Not gonna work! by RidiculousPie · · Score: 3, Informative

    Did you even think about reading the article?

    The program provides a list of IP addresses to block email from. It doesn't only target Dutch ISP customers' email; it allows email from known virus offenders to be blocked.

    Also, in the FAQ for the program, a Dutch ISP can apply to be whitelisted.

    So how does this constitute locking down their customers?

    In addition, do ISPs want virus spreading customers?

    --
    ah, mod points ... now where is my crack?
  2. Re:That's not security, that's stupidity. by [Lizard] · · Score: 5, Informative

    Ehm, not really, the system also uses a whitelist on which the mail servers of normal ISPs are listed.
    Furthermore, a bot-created SMTP sender will trigger the protection quickly enough so it won't be able to send much. Personally I doubt it will backfire, but maybe there's some room for improvement; time will tell.

    (When I have some free time I'll try to translate the article into readable English :)

  3. We use a similar concept @ work by jsav40 · · Score: 5, Informative

    Infected machines are locked out of the network entirely. Getting the machines reconnected is a fairly lengthy process, and users have become *much* more interested in allowing field techs to patch machines since the lockdown process was initiated. We push patches out remotely, so only 5% or so of the machines ever need to be manually patched. We also scan our subnet daily for vulnerable machines and proactively patch any machines that turn up that way. Personal laptops were a problem (briefly), but after an incident at another location where the offending user was terminated, folks have gotten the message that it is not OK to attach non-company-owned computers to the network.

    1. Re:We use a similar concept @ work by Tripster · · Score: 2, Informative

      It's quite easy to know it is uninfected; as others have pointed out, there are suites that can be run online, plus having a suite installed but not running is another option.

      But, I know what is running on the machine as well, I know it is stable and I know there isn't some background task eating up the resources, I reboot her machine for her maybe once a month and it sits running 24/7.

      Now, to be clear, her computer sits on a NAT network so it is not publicly accessible, but hey, when I sell someone a computer these days I sell them a cable/DSL router to go with it if they want to be on broadband, so this type of protection is step one and very easy/cheap to implement.

      Next her email is scanned for viruses, so it is a little tougher to get any viruses to her that way. She also has the preview pane off and keeps OE up to date with Windows update.

      But, back to the original post here: if I had those protections in place at my office (and I would), I would then be quite hard on any employee who ends up infected by something anyway. I refuse to run an always-active AV scanner on my computers because they cause too many headaches and use up too many resources I'd much rather let the intended apps have.

      Contrary to popular belief, you do not need full-time AV suites running on all your PCs to keep virus free; it takes some common sense, keeping your system up to date, etc. I expect anyone who uses a computer as a main part of their employment to have the common sense required to not get infected with viruses.

      Sorry guys, but the users DO need to take some responsibility, and it doesn't take a rocket scientist to teach them some either; my in-laws were infected once, only once :)

  4. Translation for non-Dutchies by mrjb · · Score: 4, Informative

    Chello and Tiscali top spreaders of viruses
    A database of infected PCs is the foundation of an ambitious project that should reduce the flood of virus emails.
    A number of Dutch providers are currently testing a worm blocker based on an extensive database of infected PCs. This file has been kept up to date since 2 weeks ago by BIT, a provider for businesses. In this database it is visible, amongst other things, from which IP address which virus is being spread.

    Other providers can use this database to inform their own customers that their computer is infected and bothering other people, explains Alex Bik of BIT. Self-propagating viruses (worms) are causing more and more trouble, both to private users and providers.

    BIT itself has been using the automatic blacklist-system since last week, to protect their customers against the ever growing stream of virus mails. By now, a large number of Dutch [internet] providers, including XS4ALL, Zonnet and IS Internet Services, also have access to the data.

    Port 25

    In its database, BIT keeps track of which IP addresses virus mails are sent from. This sending [of emails] often takes place directly via port 25 from infected computers. As soon as more than 2 infected emails arrive at BIT within 25 hours, the IP address is blacklisted for 24 hours. However, the IP addresses of mail servers of known providers are not added to the database.

    Chello tops the list

    The list shows that other providers, too, can benefit from the blacklist. Customers of Chello, Tiscali and @home top the list of major virus spreaders (over 1000 virus emails). The topper is an IP address at Tiscali, from which as many as 12000 Sober.G mails have been sent.

    In total, Chello leads with over 27000 sent virus mails with the 25 main 'spreaders', followed by Tiscali (almost 23000), @home (almost 20000), Wanadoo (over 14000), HCCnet (almost 13000) and Planet [internet] (almost 12000).

    --
    Visit http://ringbreak.dnd.utwente.nl/~mrjb/growingbettersoftware to download your free copy of the book
  5. Quick Translation of the article by Anonymous Coward · · Score: 1, Informative

    A number of Dutch ISPs are currently testing a worm blocker based on
    an extensive database of infected PCs. This database is currently
    being managed by BIT ISP. The database contains IP numbers of the
    PCs that are infected and spreading viruses.

    Other providers can use the database for their own customers to warn
    them that their PC is infected. BIT uses the database for automatic
    blacklisting and firewalling to protect its customers. It records from
    which PCs viruses are sent (which usually occurs by e-mail spreading).

    When at least 2 mails have been tagged as a virus, the IP is blacklisted
    for 24 hours. They call this service: VIRBL.

  6. Re:IP Spoofing by slash-tard · · Score: 2, Informative

    That won't work. When a DoS (or whatever) spoofs an address, they send to the destination with a forged source. When the destination replies to the forged source they don't get an answer, but they do waste bandwidth and computing time.

    The blocking is based on actually sending emails through this server which will require a complete TCP handshake.

  7. Re:Spamhaus by vladj · · Score: 2, Informative

    Obviously, that's after receiving at least 2 viruses from that IP address.

  8. Re:IP Spoofing by AndroidCat · · Score: 2, Informative

    MSBlaster was a direct worm that didn't go through email. This blocks email over an SMTP TCP/IP connection. If you could easily spoof the source of that connection, a paper on how you did it would earn you a footnote in Internet history.

    --
    One line blog. I hear that they're called Twitters now.
  9. Re:IP Spoofing by AndroidCat · · Score: 2, Informative

    I'll add a bit more detail to explain.

    With DoS attacks, you don't need to have a conversation/connection with the other end; you just drown the other end in packets. But to get a TCP connection, both sides have to exchange packets with a hard-to-spoof sequence number. If you spoof the IP address, you won't get the response to your initial request because it was routed to the IP address that was spoofed. (I'll skip request and reflection attacks here.)

    So, without establishing a two-way TCP connection, there's no way to pass the virus as part of an email.

    --
    One line blog. I hear that they're called Twitters now.
  10. Worm blocking by IP address by jefp · · Score: 2, Informative

    I've been doing this for a few weeks now and it works great. I run clamav to initially recognize the worms. I keep the blockage for a week, though, not 24 hours, and I block for just one worm, not two. This may explain why my numbers come out better than these virbl folks': before IP blacklisting, worms were using up almost half my 1.5 Mbps incoming bandwidth; now it's down to around 15%.
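    The listing rule described in the translations above (comments 4 and 5: at least 2 virus mails from one IP inside a 25-hour window, listed for 24 hours, known provider mail servers whitelisted) and jefp's stricter variant (one worm, one-week block) are the same mechanism with different parameters. The model below is an added example, not code from the VIRBL project, BIT or any commenter; the sightings, the whitelist network and the `WormBlocklist`, `simulate` and `parse_ts` names are all constructed for illustration, and it only models the policy, not the scanner (clamav or otherwise) that produces the sightings.

```python
"""Toy model of a VIRBL-style, IP-based worm blocklist (added example).

Policy parameters follow what the thread reports; everything else here is
an assumption made for the example.  The block that actually gets put in
front of port 25 (firewall rule, MTA reject list) is left to the reader.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


def parse_ts(text):
    """Parse the 'YYYY-MM-DD HH:MM' timestamps used in the sample log."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


class WormBlocklist:
    """Sliding-window counter of virus sightings per source IP.

    threshold  sightings inside `window` needed before an IP is listed
    window     how far back sightings count (VIRBL: 25 hours)
    block_for  how long a listing lasts (VIRBL: 24 hours; jefp: one week)
    whitelist  networks (known provider mail servers) that are never listed
    """

    def __init__(self, threshold=2, window=timedelta(hours=25),
                 block_for=timedelta(hours=24), whitelist=()):
        self.threshold = threshold
        self.window = window
        self.block_for = block_for
        self.whitelist = [ip_network(n) for n in whitelist]
        self._hits = defaultdict(deque)   # ip -> timestamps of sightings
        self._blocked_until = {}          # ip -> listing expiry

    def _whitelisted(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def record_virus(self, ip, when):
        """Record one virus mail from ip; return True if ip is listed as a result."""
        if self._whitelisted(ip):
            return False
        hits = self._hits[ip]
        hits.append(when)
        # Forget sightings that have fallen outside the sliding window.
        while hits and when - hits[0] > self.window:
            hits.popleft()
        if len(hits) >= self.threshold:
            self._blocked_until[ip] = when + self.block_for
            return True
        return False

    def is_blocked(self, ip, now):
        """True while a listing is in force; expired listings are dropped."""
        expiry = self._blocked_until.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self._blocked_until[ip]
            self._hits.pop(ip, None)
            return False
        return True


# Constructed sample sightings (timestamp, source IP) as a scanner would
# report them.  Addresses are from documentation ranges, not real hosts.
SIGHTINGS = [
    ("2004-05-01 08:00", "192.0.2.10"),
    ("2004-05-01 09:30", "192.0.2.10"),    # second hit inside 25h -> listed
    ("2004-05-01 10:00", "198.51.100.5"),  # whitelisted mail server, ignored
    ("2004-05-01 10:05", "198.51.100.5"),
    ("2004-05-01 11:00", "203.0.113.7"),   # single hit
    ("2004-05-03 11:00", "203.0.113.7"),   # 48h later: outside the window
]
WHITELIST = ["198.51.100.0/24"]  # assumed "known provider" mail server range


def virbl_policy():
    """Parameters as reported in the thread for VIRBL."""
    return WormBlocklist(threshold=2, window=timedelta(hours=25),
                         block_for=timedelta(hours=24), whitelist=WHITELIST)


def jefp_policy():
    """jefp's variant: list on the first worm, keep the block for a week."""
    return WormBlocklist(threshold=1, window=timedelta(hours=25),
                         block_for=timedelta(days=7), whitelist=WHITELIST)


def simulate(policy, sightings, check_at):
    """Feed sightings to a policy; return (listing events, IPs blocked at check_at)."""
    listed = []
    for ts, ip in sightings:
        if policy.record_virus(ip, parse_ts(ts)):
            listed.append((ts, ip))
    blocked = {ip for _, ip in sightings if policy.is_blocked(ip, check_at)}
    return listed, sorted(blocked)


if __name__ == "__main__":
    for name, factory in (("virbl", virbl_policy), ("jefp", jefp_policy)):
        events, blocked = simulate(factory(), SIGHTINGS, parse_ts("2004-05-03 12:00"))
        print(name, "listed:", events, "blocked at end of log:", blocked)
```

    Running it shows the trade-off the thread is arguing about: under the VIRBL parameters the whitelisted server is never listed and the host with two sightings 48 hours apart is never listed either, while under jefp's parameters every non-whitelisted sender is blocked on the first sighting and stays blocked for the whole week.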

  11. We're doing something similar by bigberk · · Score: 3, Informative

    So, does anyone have useful remarks on why this may succeed or fail?

    The WPBL is a very similar effort, using distributed spam sightings to block IPs. We focus on spam, while virbl specializes in viruses. I think they'll have good success provided their method of virus detection is very accurate. In our case, statistical Bayesian-like filters help us get accurate spam sightings.

  12. Re:I don't think this technique is effective. by ongeboren · · Score: 2, Informative

    You didn't get it!

    You have to block the user's access!

    Every computer is provided with an account to connect... and yes, there is a thing called a MAC address.

    --
    First I wanted to be a chef. Then I wanted to be Napoleon. My ambitions have continued to grow ever since.