Slashdot Mirror


Distributive Worm Blocking

wdebruij writes "According to this source (unfortunately in Dutch), a number of Dutch ISPs are joining forces to fight the spread of worms. The technology, called virbl, blocks all accesses from IP addresses from which at least 2 worms were sent for 24 hours, naturally excluding known large email servers. Background info on the project can be found at the developers' project site. So, does anyone have useful remarks on why this may succeed or fail? It appears to me a simple-to-implement yet powerful, albeit stopgap, solution."

19 of 162 comments

  1. Zegnar by Zegnar · · Score: 5, Insightful

    Here is progress; still, I imagine many companies will leave things as they are just to avoid having to deal with irate calls to the helpdesk, and carry on broadcasting viruses to the world. Collective defense is fine until it costs money.

    1. Re:Zegnar by unixbugs · · Score: 2, Insightful

      Word...

      I still think it's a step in the right direction though. It will keep users on their toes a little more, rather than hand-feeding them the ease of operation that rots the brain. It puts responsibility where it should be, on the users, to keep their own(3d) machine from killing everyone else's.

      "Armies of worm-ridden broadband-connected windows boxes", as one of the funniest posts I've ever read put it, are out there and are part of a problem so large the underlying cause is hard to see even though it's right under our noses: laziness.

      But if you want to get down to it, aside from CERT, there should be some kind of big ass computer out there that catches a worm propagating and automatically starts trying to find the source. Would be a nice project to contribute my time and free code to.

      --
      You are about to give someone a piece of your mind, something which you can ill afford...
  2. Dutch DOS by Anonymous Coward · · Score: 1, Insightful

    I'm making this up completely, but will this lead to denial of service attacks using IP spoofing techniques?

    1. Re:Dutch DOS by AndroidCat · · Score: 5, Insightful

      If you can IP spoof with a TCP/IP connection, you could do a lot more damage than a DoS attack.

      --
      One line blog. I hear that they're called Twitters now.
  3. Re:a new denial of service attack by LostCluster · · Score: 1, Insightful

    How's this for a DoS...

    Attacker signs up for an account with Foo ISP, and then intentionally sends five virus-attachment e-mails to Bar.com. Foo's e-mail servers are suddenly blocked from communicating with Bar.com... and any legit business can't be transacted by e-mail.

  4. Frea Speach! by AndroidCat · · Score: 5, Insightful

    The same people who complain when their ISP is blocked for sending spam will (no doubt) complain that this blocks their constitutional right to run an infested box on the Internet--complete with examples of how innocent people will be hurt by this. (Hmm, how about DHCP dynamic addresses?)

    --
    One line blog. I hear that they're called Twitters now.
    1. Re:Frea Speach! by AndroidCat · · Score: 2, Insightful

      I doubt such a right exists anywhere, but some spammers seem to feel they have such a right and that no one has the right to block them. No doubt they also feel that everyone must keep their mail servers on 24/7 to receive their turds.

      --
      One line blog. I hear that they're called Twitters now.
  5. This is a sensible thing to do but.... by Sox2 · · Score: 5, Insightful

    how do users then download the patches to deal with the infection? Not everyone on the internet is computer literate; will the ISPs provide some help to these people?

    1. Re:This is a sensible thing to do but.... by AndroidCat · · Score: 3, Insightful

      This project only blocks incoming email from infected IP addresses. It doesn't block outgoing web access, so MS Update should still run. This is limited because it won't stop true worms that don't use email to spread, but it will reduce the load on email virus scanners: Rather than checking each email, they can do a quick lookup on the IP address after it's detected as a virus source.

      --
      One line blog. I hear that they're called Twitters now.
  6. Re:a new denial of service attack by pedantic+bore · · Score: 5, Insightful

    It does say that they "exclude known large email servers" so presumably it would be hard to take out an ISP. But it sounds like you could DHCP-hop your way through an address bank and make things pretty miserable for someone.

    --
    Am I part of the core demographic for Swedish Fish?
  7. Reduces the value of spam spewing owned boxen by G4from128k · · Score: 3, Insightful

    Technology such as this reduces the value of virus-created owned boxes. The creators of viruses that want to create spam-spewing machines would find their spam spewer useless. During the infection phase, the virus-spreading emails would get the infected box tagged and blocked. During the usage phase, the virus-creator/spam sender would find that the owned box is useless because all the messages get blocked.

    This tech does not preclude maliciously motivated viruses, but it does reduce the profit potential of creating spam networks.

    --
    Two wrongs don't make a right, but three lefts do.
  8. Re:We use a similar concept @ work by BigHungryJoe · · Score: 2, Insightful

    Are you serious? The guy was fired just for letting a foreign laptop connect to your network? Seems a bit extreme.

  9. Spamhaus by AndyFewt · · Score: 5, Insightful

    Didn't Spamhaus recently launch pretty much the same service, called the XBL?

    "The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits." -- http://www.spamhaus.org/xbl/index.lasso

    The only thing I thought was weird about the Dutch system was: "An IP address gets listed after receiving at least 2 viruses".. I think that may be a typo, as the system scans some email and grabs the IP from the headers if a virus/worm/trojan is found. But if it's not a typo, any email address that receives 2 viruses getting listed (regardless of infection) would be a pretty sucky system.
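
The XBL comparison above, and AndroidCat's remark in comment 5 that a receiving server can "do a quick lookup on the IP address", both presuppose a list that mail servers query over DNS. The page does not say how virbl is published, so the example below assumes the conventional DNSBL shape (the connecting IPv4 address with its octets reversed, looked up under a list zone, with answers in 127.0.0.0/8 meaning "listed", and the RFC 5782 test points 127.0.0.2/127.0.0.1 for checking that the list is alive). It is an added example, not code from the page or from the virbl project; the zone name, the trusted-relay range and all addresses are placeholders, and the resolver is a constructed in-memory stand-in so it runs offline.

```python
from ipaddress import IPv4Address, IPv4Network
from typing import Callable, Dict, List, Optional

# A resolver is anything that maps a query name to the A records it returns
# (empty list = no answer). It is injected so the example runs offline; in
# production you would wrap a real resolver such as dnspython's
# dns.resolver.resolve().
Resolver = Callable[[str], List[str]]

# Hypothetical list zone: the real zone name is not given on the page.
LIST_ZONE = "virbl.example"

# Local exemption for the "known large email servers" the summary mentions.
# The range is a documentation prefix (RFC 5737), chosen for the example.
TRUSTED_RELAYS = [IPv4Network("198.51.100.0/24")]


def dnsbl_query_name(ip: str, zone: str = LIST_ZONE) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, then the list zone.

    IPv4Address() rejects anything that is not a valid dotted quad, so a
    hostile Received: header value cannot smuggle extra labels into the query.
    """
    octets = str(IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip: str, resolve: Resolver, zone: str = LIST_ZONE) -> Optional[str]:
    """Return the 127.0.0.x listing code for `ip`, or None if it is not listed.

    Only answers inside 127.0.0.0/8 count: a parked or hijacked list domain
    that answers every name with a public web-server address must not cause
    mail to be rejected.
    """
    if any(IPv4Address(ip) in net for net in TRUSTED_RELAYS):
        return None
    for answer in resolve(dnsbl_query_name(ip, zone)):
        if IPv4Address(answer) in IPv4Network("127.0.0.0/8"):
            return answer
    return None


def zone_is_sane(resolve: Resolver, zone: str = LIST_ZONE) -> bool:
    """RFC 5782 test points: 127.0.0.2 must be listed, 127.0.0.1 must not.

    A list that fails this check (typically one that was shut down and now
    answers positively for every name, or one that has gone silent) should
    be ignored rather than trusted, or it turns into a self-inflicted DoS.
    """
    return (is_listed("127.0.0.2", resolve, zone) is not None
            and is_listed("127.0.0.1", resolve, zone) is None)


# Constructed answers standing in for real DNS; 192.0.2.7 plays the infected
# sender, 192.0.2.8 a clean one. Unknown names get no answer.
FAKE_DNS: Dict[str, List[str]] = {
    "2.0.0.127." + LIST_ZONE: ["127.0.0.2"],   # RFC 5782 positive test point
    "7.2.0.192." + LIST_ZONE: ["127.0.0.2"],   # listed infected sender
}


def fake_resolve(name: str) -> List[str]:
    return FAKE_DNS.get(name, [])


def dead_list_resolve(name: str) -> List[str]:
    """A list that was abandoned and now returns 'listed' for every name."""
    return ["127.0.0.2"]


if __name__ == "__main__":
    print("zone sane:", zone_is_sane(fake_resolve))
    print("dead list sane:", zone_is_sane(dead_list_resolve))
    for sender in ("192.0.2.7", "192.0.2.8", "198.51.100.25"):
        print(sender, "->", is_listed(sender, fake_resolve))
```

The trusted-relay exemption is applied locally, before the DNS round trip, which is also where a site would put its own exemptions for partners it cannot afford to lose mail from; the sanity check belongs in whatever periodically reloads the mail server's list configuration.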

  10. Tech support by Fullmetal+Edward · · Score: 3, Insightful

    "I can't send a file to my friend or even get to some website, what's wrong with my PC?"

    "You've been virusing people, sending spam and being a git."

    "No I haven't..."

    I don't want to be that tech support guy because this will happen, and often.

    --
    --- [Insert interesting Sig here]
  11. Re:a new denial of service attack by halaloszto · · Score: 2, Insightful

    "exclude known large email servers"

    And what about small, relatively unknown ISPs? They will suffer for sure.

    If this could be done, then all you would have to do against spam AND worms would be to use that great whitelist, and accept mail only from those "excluded known large email servers".

  12. Re:a new denial of service attack by AndroidCat · · Score: 3, Insightful

    No, just the people trying to send mail directly from DHCP addresses, which are frequently blocked anyway. Hopefully this would put more pressure on ISPs to find and disconnect their infected customer before they poison more addresses for a day or two.

    --
    One line blog. I hear that they're called Twitters now.
  13. Re:We use a similar concept @ work by kryptkpr · · Score: 4, Insightful

    zero infections with no anti-virus suite running on the machine at all.

    And how exactly do you know there have been zero infections.. without a virus scanner? Or is the machine not connected to the 'net?

    --
    DJ kRYPT's Free MP3s!
  14. dynamic IP addresses by curator_thew · · Score: 3, Insightful


    Sorry to hear if you're on a dynamic IP address: be prepared for intermittent connectivity to peers in said networks running this technology.

    I don't think this is a good solution, anyway. The better solution is for ISPs to use Snort or something else to real-time detect _outgoing_ viruses and worms from their own customers, and in response, send email to the customer warning them.

    This has a number of benefits: i.e. it actively works towards the source of the problem, not just "blocking" the problem out.

  15. Problems? by gmuslera · · Score: 3, Insightful
    • There are worms that don't have their own SMTP engine. OK, big mail servers are whitelisted, but what about small/medium mail servers? Blocking entire mail servers because a single user of it is infected?
    • Modems/Dynamic IPs: an infected user uses an IP, gets blocked, and disconnects/gets another IP. The probably clean user that now gets the old IP gets blocked as well. With enough IP rotation and a certain percentage of infected users you could end up blocking entire ISPs (OK, the banning is only for 24 hours, but my IP rotation is every 12 hours, so I will surely hate it if I can't do something because some clueless idiot got infected and blocked)
    • IP grouping: At least here internet cafes normally have one public IP for all computers, and that happens too even with companies with their entire traffic masqueraded through one IP. If one gets infected (and eventually cleaned) the entire place is blocked
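
The three failure modes gmuslera lists, the DHCP-hopping concern in comment 6 and the relay-abuse DoS in comment 3 all follow from the policy as the summary states it: list an address after at least 2 worm-bearing messages, keep it listed for 24 hours, never list the known large mail servers. The simulation below is an added example, not code from the page or the virbl project, that encodes that policy and replays each scenario against it. Two things are assumptions the page does not settle: that a report on an already-listed address renews the 24-hour timer, and that "2 worms" means two messages from the same address within the listing window. All addresses are RFC 5737 documentation ranges chosen for the example.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List

HOUR = 3600


class VirusBlocklist:
    """Listing policy as the summary describes it: an address is listed once at
    least `threshold` virus-bearing messages have been seen from it, stays
    listed for `ttl` seconds, and whitelisted networks ("known large email
    servers") are never listed. Timer renewal on each report is assumed."""

    def __init__(self, whitelist_cidrs: List[str], threshold: int = 2,
                 ttl: int = 24 * HOUR):
        self.whitelist = [ip_network(c) for c in whitelist_cidrs]
        self.threshold = threshold
        self.ttl = ttl
        self.reports: Dict[str, List[int]] = {}      # ip -> report timestamps
        self.listed_until: Dict[str, int] = {}       # ip -> expiry timestamp

    def is_whitelisted(self, ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def report(self, ip: str, now: int) -> bool:
        """Record one virus-bearing message from `ip` at time `now` (seconds).
        Returns True if the address is listed after this report."""
        if self.is_whitelisted(ip):
            return False
        recent = [t for t in self.reports.get(ip, []) if t > now - self.ttl]
        recent.append(now)
        self.reports[ip] = recent
        if len(recent) >= self.threshold:
            self.listed_until[ip] = now + self.ttl
            return True
        return False

    def is_blocked(self, ip: str, now: int) -> bool:
        return self.listed_until.get(ip, 0) > now


def dynamic_ip_handoff() -> Dict[str, bool]:
    """Comment 15, second bullet: an infected host is listed, the ISP rotates
    its address after 12 hours, and a clean customer inherits the listing."""
    bl = VirusBlocklist(whitelist_cidrs=[])
    addr = "192.0.2.10"                      # constructed dynamic address
    bl.report(addr, 0)
    bl.report(addr, 60)                      # second worm: listed until 60 + 24h
    return {
        "infected_host_blocked_at_1h": bl.is_blocked(addr, 1 * HOUR),
        "clean_successor_blocked_at_13h": bl.is_blocked(addr, 13 * HOUR),
        "clean_successor_blocked_at_25h": bl.is_blocked(addr, 25 * HOUR),
    }


def shared_nat_cafe() -> bool:
    """Comment 15, third bullet: one infected machine behind a cafe's single
    public address gets every machine behind that address blocked."""
    bl = VirusBlocklist(whitelist_cidrs=[])
    nat_addr = "192.0.2.20"                  # constructed NAT address
    bl.report(nat_addr, 0)                   # infected laptop, first message
    bl.report(nat_addr, 30)                  # same laptop, second message
    return bl.is_blocked(nat_addr, 5 * HOUR)  # the whole cafe, for a day


def relay_abuse(relay_ip: str, whitelist_cidrs: List[str]) -> bool:
    """Comment 3's DoS: one abusive customer pushes five virus e-mails through
    the ISP's outbound relay. Whether the relay ends up blocked depends only
    on whether it is in the whitelist (comment 11's small-ISP problem)."""
    bl = VirusBlocklist(whitelist_cidrs)
    for i in range(5):
        bl.report(relay_ip, i * 10)
    return bl.is_blocked(relay_ip, 1 * HOUR)


if __name__ == "__main__":
    print("dynamic IP:", dynamic_ip_handoff())
    print("shared NAT blocked:", shared_nat_cafe())
    print("large relay blocked:", relay_abuse("198.51.100.25", ["198.51.100.0/24"]))
    print("small relay blocked:", relay_abuse("203.0.113.5", ["198.51.100.0/24"]))
```

The simulation makes the trade-off visible: every scenario is a consequence of keying the list on a bare IPv4 address, which the receiving server has no way to tie to a particular customer or machine. Shortening the TTL, raising the threshold, or exempting more relays each shifts the balance between collateral blocking and how long an infected sender stays unlisted, but none removes it.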