Distributive Worm Blocking

wdebruij writes "According to this source (unfortunately in dutch), a number of dutch ISPs are bundling their forces to fight the spread of worms. The technology, called virbl, blocks all accesses from IP addresses from which at least 2 worms were sent for 24 hours, naturally excluding known large email servers. Background info on the project can be found at the developers' project site. So, does anyone have useful remarks on why this may succeed or fail? It appears to me as a simple to implement yet powerful, albeit stopgap, solution."

Re:That's not security, that's stupidity.

[[Lizard]]

Ehm, not really, the system also uses a whitelist on which the mailservers of normal ISPs are listed.
Furthermore a bot-created smtp will trigger the protection quick enough so it won't be able to send much. Personally I doubt it will backfire, but maybe there's some place for improvements, time will tell.

(When I have some free time I'll try to translate the article in readable english :)

We use a similar concept @ work

[jsav40]

Infected machines are locked out of the network entirely. Getting the machines reconnected is a fairly lengthy process and users have become *much* more interested in allowing field techs to patch machines since the lockdown process was initiated. We push patches out remotely so only 5% or so of the machines ever need to be manually patched. We also scan our subnet daily for vulnerable machines and proactively patch any machines that turn up that way. Personal laptops were a problem (briefly) but after an incident at another location where the offfending user was terminated folks have gotten the message that it is not OK to attach non company owned computers to the network.