Distributive Worm Blocking
wdebruij writes "According to this source (unfortunately in Dutch), a number of Dutch ISPs are bundling their forces to fight the spread of worms. The technology, called virbl, blocks for 24 hours all access from IP addresses from which at least 2 worms were sent, naturally excluding known large email servers. Background info on the project can be found at the developers' project site. So, does anyone have useful remarks on why this may succeed or fail? It appears to me to be a simple-to-implement yet powerful, albeit stopgap, solution."
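The blocking rule as the submission describes it, written out as an added example (this is not virbl's own code; the page only states "at least 2 worms", "24 hours" and "known large email servers excluded", so the sliding-window semantics, the whitelist format and the class name are assumptions made here):

```python
"""
Added example, not virbl's code: a per-IP worm-report counter that blocks an
address for 24 hours once it has sent at least two worms, unless the address
belongs to a whitelisted (large mail server) network. Assumptions: the two
reports must fall inside one 24-hour sliding window, and the block lasts
24 hours from the moment it is imposed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

WINDOW = 24 * 3600      # seconds in which the reports must accumulate (assumed)
BLOCK_TTL = 24 * 3600   # how long a block lasts, per the submission
THRESHOLD = 2           # "at least 2 worms", per the submission


class WormBlocklist:
    def __init__(self, whitelist=(), window=WINDOW, ttl=BLOCK_TTL, threshold=THRESHOLD):
        # whitelist: CIDR strings for known large mail servers (constructed input)
        self.whitelist = [ip_network(n) for n in whitelist]
        self.window, self.ttl, self.threshold = window, ttl, threshold
        self.reports = defaultdict(list)   # ip -> timestamps of worm sightings
        self.blocked_until = {}            # ip -> unix time when the block expires

    def is_whitelisted(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def report(self, ip, ts):
        """Record a worm seen from ip at unix time ts.
        Returns True only when this report causes a new block."""
        if self.is_whitelisted(ip):
            return False
        hits = self.reports[ip]
        hits.append(ts)
        # forget sightings that fell out of the sliding window
        hits[:] = [t for t in hits if ts - t < self.window]
        if len(hits) >= self.threshold and not self.is_blocked(ip, ts):
            self.blocked_until[ip] = ts + self.ttl
            return True
        return False

    def is_blocked(self, ip, ts):
        """True while a block on ip is in force at time ts; expired blocks are dropped."""
        exp = self.blocked_until.get(ip)
        if exp is None:
            return False
        if ts >= exp:
            del self.blocked_until[ip]
            return False
        return True

    def blocked(self, ts):
        """All addresses blocked at time ts, sorted."""
        return sorted(ip for ip in list(self.blocked_until) if self.is_blocked(ip, ts))


if __name__ == "__main__":
    bl = WormBlocklist(whitelist=["198.51.100.0/24"])   # constructed whitelist
    bl.report("203.0.113.5", 1000)                       # first sighting: no block
    bl.report("203.0.113.5", 2000)                       # second: blocked until 2000 + 86400
    bl.report("198.51.100.10", 1000)                     # whitelisted, never blocked
    bl.report("198.51.100.10", 1001)
    print(bl.blocked(3000))
```

The choice of window matters in practice: counting every sighting ever seen would make the second report of a long-since-cleaned machine block it, while a sliding window forgets old reports; whichever semantics virbl actually uses is not stated on the page.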
I've got it: the ultimate virus acquisition prevention system...
Whenever news of a worm is reported on Slashdot, the computer is locked down with the network connection halted, the disk drives unpowered, all processing stopped, and the video output suspended. A nice side effect is that power consumption of the system is near zero when in this mode.
It seems like a good idea, but it seems like the threshold is too low and there ought to be a human in the loop (i.e., if the system suddenly decides to block half the IP numbers in the universe, a human should have to OK it).
Unfortunately I don't read Dutch; maybe they've thought of this already.
Am I part of the core demographic for Swedish Fish?
the individual was fired for connecting an infected foreign laptop to the network.
If you IP spoof and send a virus to one of the servers using this technology, you could pretty much get every IP in the world blocked. That is a very Bad Thing (TM)
got sig?
I agree. Imagine the feeling of not being able to fix your infected computer via online update because your freakin' ISP won't let you. One could possibly start a successful company fixing PCs doing house calls anywhere this policy is enforced forever. It's like Western medicine: treat the symptom, not the cause.
You are about to give someone a piece of your mind, something which you can ill afford...
I don't find it all that harsh really; if people are expected to work with a computer every day, then people should be expected to be able to do so virus-free. If the person is so freaking stupid as to get infected in the first place, then termination is likely a good way to show the rest of the staff that knowing how to properly use a computer will keep them their jobs.
Staying virus-free isn't tough, even without a virus scanner on the system it is easy, but first you must have some common sense when it comes to using the system (proper patching, no preview pane in OE, don't click unknown attachments, etc.).
Oh, and my wife is proof positive it isn't tough to NOT get infected... 3 years on her own Win98 box and zero infections with no anti-virus suite running on the machine at all.
Oh, and my wife is proof positive it isn't tough to NOT get infected... 3 years on her own Win98 box and zero infections with no anti-virus suite running on the machine at all.
Then how do you know there are no viruses on the machine? Malware doesn't have to be obvious when it's running.
I have been doing a high school science research class project on stopping the spread of internet-borne worms through analysis of epidemic models and such. I have come across many different methods for stopping the distribution of vulnerability-based worms, so I'll share them here (in order from most innovative to most obvious):

First, a very ingenious method coming from Dartmouth's Institute for Security Technology Studies. They propose monitoring the internet for plumes of ICMP unreachable messages. Software is installed on routers which records the ICMP unreachable messages being sent and every once in a while sends data to a central server, which analyzes the data and sees which things are probably random-scanning worms. This is probably the best idea I've seen yet, but most likely the hardest to implement (as router software is usually kept as air-tight as possible). The bad ports and such would then be filtered or turned off as appropriate.

A second method, which may or may not have been talked about on here, is "good" worms. Worms which sit around and listen for worm data would then send a copy of themselves to the computer which was scanning them, therefore fixing another hole and having that computer be another "good" computer. The bad thing with this is that it will only really work when the worm is at its peak, when damage has already been done. It would be useful for cleanup, but of course there are issues with privacy, and control would be rampant.

Another "solution" is getting users to install firewalls and anti-virus software, but that's a more obvious and harder-to-implement solution. I am modeling all of these possibilities using a mathematical model for epidemics, and seeing which one would theoretically be most useful and such, and I'll take a look at the method used in the article.
When Freeserve deprecated one of their dial-up numbers, all attempts to access port 80 were forwarded to their HTTP server, to a page which explained how to change the number and to what. They blocked all other connections, I think.
Pain in the arse, but it could be useful if the same kind of thing was implemented when you were showing characteristics of running a worm: redirect you to their free online virus scanner (or somebody else's). That way, you can't infect anybody else, but you can still use the online virus scanner to remove viruses (using an OCX).
This will carry on working while nearly all worms are for Windows. I imagine most people with other OSes wouldn't get hit, not necessarily because of higher security, but because worms wouldn't spread well in a world where 90%+ of boxes are Windows, and even then the less than 10% of boxes isn't one OS: there's Mac, Linux, Free/Open/NetBSD, Solaris, etc.
Perhaps a partial block could be instituted - allow only outbound http to Windows Update.
You might also have a look at Spam Cannibal. It's in the same sort of area: an interesting proactive approach to spam, and potentially worms as well.
"And the meaning of words; when they cease to function; when will it start worrying you?"
I got this mail under Linux which I was unsure was legitimate or a virus. Not having NTFS support compiled in, I mailed it to myself and rebooted to Windows to scan it.
Retrieving my mail, I just got one: my ISP telling me I'm most likely infected, and I noticed they blocked my access to their mail server for about a day (I was still able to use HTTP and such).
I was quite impressed...
PS: The ISP is Telenet (Belgium).
Okay, so yeah, parent is a troll, but he's completely correct. Shutdowns of this sort will cut out the big providers in a matter of minutes after the outbreak of a decent-sized worm. It takes no imagination to picture the response of the consumer who finds out that he can't get mail or access a website. He's not going to care that it "improves his security/quality of service." All he's going to see is that his provider sucks, because it's not doing what he wants it to.
ad logicam: Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
I just started doing something like this too. I 'tail -f' the maillog and have a simple perl script add any spammer / viral site into a pf (packet filter) table to block at the packet level. The maillog entries I look for are any rejections that look fishy (e.g. mail to non-existent accounts, mail with MS attachments, mail from hosts with hostnames that contain ".dsl."/".cable.").

In 7 days of operation I have accumulated ~20,000 machines that needed blocking and my spam-attempts have dropped from 7,000 per day to 1,400 per month. In a few more days hopefully the figures will be even lower. These spammers were certainly chewing up a large amount of my bandwidth. (And this is only a two-person home system!)
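The log-driven blocklist described in the post above, as an added example (this is not the poster's Perl script; the log lines are constructed in Postfix style, the pf table name "badmailers" and the "MS attachment rejected" wording of the content filter are assumptions, and the script prints the pfctl commands rather than running them):

```python
"""
Added example, not the poster's script: scan mail-server rejection lines for
the three "fishy" signals listed in the post (mail to non-existent accounts,
mail with MS attachments, clients whose hostname contains .dsl. or .cable.)
and emit the pfctl commands that would add the offending IPs to a pf table.
"""
import re

# Constructed sample log, Postfix style. The "MS attachment rejected" text is an
# assumed message from a content filter; everything else mimics real reject lines.
SAMPLE_LOG = """\
Jan 12 10:00:01 mx postfix/smtpd[8101]: NOQUEUE: reject: RCPT from host-7.dsl.example.net[203.0.113.7]: 550 5.1.1 <nobody@example.org>: Recipient address rejected: User unknown in local recipient table; from=<a@b.test> to=<nobody@example.org>
Jan 12 10:00:05 mx postfix/smtpd[8101]: NOQUEUE: reject: RCPT from cpe-9.cable.example.net[203.0.113.9]: 554 5.7.1 <bob@example.org>: Relay access denied; from=<c@d.test> to=<bob@example.org>
Jan 12 10:00:09 mx postfix/cleanup[8120]: 4F2A1: reject: header Content-Type: application/x-msdownload; name="photo.scr" from mail.example.com[198.51.100.5]; from=<e@f.test> to=<bob@example.org>: 550 5.7.1 MS attachment rejected
Jan 12 10:00:12 mx postfix/smtpd[8102]: connect from mail.example.com[198.51.100.5]
Jan 12 10:00:20 mx postfix/smtpd[8102]: 4F2A2: client=mail.example.com[198.51.100.5]
"""

# "from HOSTNAME[IP]" as Postfix logs the connecting client
CLIENT_RE = re.compile(r"from (?P<host>[\w.-]+)\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")


def fishy_reasons(line):
    """Reasons (possibly none) why a rejection line looks like a spammer or worm source."""
    if "reject" not in line:
        return []                      # only rejections count, as in the post
    m = CLIENT_RE.search(line)
    if not m:
        return []
    host = m.group("host").lower()
    reasons = []
    if "User unknown" in line:
        reasons.append("nonexistent-recipient")
    if "MS attachment rejected" in line:      # assumed content-filter wording
        reasons.append("ms-attachment")
    if ".dsl." in host or ".cable." in host:
        reasons.append("dynamic-hostname")
    return reasons


def scan(log_text):
    """Map each offending client IP to the set of reasons seen for it."""
    offenders = {}
    for line in log_text.splitlines():
        reasons = fishy_reasons(line)
        if reasons:
            ip = CLIENT_RE.search(line).group("ip")
            offenders.setdefault(ip, set()).update(reasons)
    return offenders


def pfctl_commands(offenders, table="badmailers"):
    """pfctl invocations that add the offenders to the table (table name assumed)."""
    by_numeric = sorted(offenders, key=lambda s: tuple(int(o) for o in s.split(".")))
    return [f"pfctl -t {table} -T add {ip}" for ip in by_numeric]


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ip, why in sorted(found.items()):
        print(ip, ",".join(sorted(why)))
    print("\n".join(pfctl_commands(found)))
```

Two points worth keeping in mind when running something like this for real: a hostname match on ".dsl." or ".cable." blocks a dynamically assigned address, so the entry should be aged out (pf's `pfctl -t TABLE -T expire SECONDS` removes entries older than the given age) rather than kept for ever, and anything that counts as a "rejection" should be checked against the mail server's actual log format, since the sample above is constructed.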
I am a dial-up user. Sometimes when I try to send email, I get a message from the SMTP server saying that my IP address is blocked from sending email because it's on a spam blacklist. Of course I'm not a spammer. All I have to do is reconnect and I usually get a non-blocked IP address and can send email normally. I think you can avoid this technique the same way. Imagine the following scenario:
1. A worm-infected b0x calls a dial-up server.
2. Its IP address gets blocked.
3. The same b0x reconnects, gets a non-blocked address and gets blocked again.
4. GOTO 2.
5. Another user with a non-infected b0x calls the dial-up server and his IP address is blocked because the previous worm-infected b0x had that address.
Maybe the whole dial-up IP pool could get blocked.
-- When did Ignorance Become a Point of View?