Slashdot Mirror


Distributive Worm Blocking

wdebruij writes "According to this source (unfortunately in Dutch), a number of Dutch ISPs are bundling their forces to fight the spread of worms. The technology, called virbl, blocks all accesses from IP addresses from which at least 2 worms were sent for 24 hours, naturally excluding known large email servers. Background info on the project can be found at the developers' project site. So, does anyone have useful remarks on why this may succeed or fail? It appears to me as a simple to implement yet powerful, albeit stopgap, solution."

4 of 162 comments

  1. a new denial of service attack by pedantic+bore · · Score: 4, Interesting
    Now all you need to do is trick someone into sending you something that resembles a worm... (all it will take is for some trickster to add a rule to the worm signature files that says that all messages that contain ^Dear).

    It seems like a good idea, but it seems like the threshold is too low and there ought to be a human in the loop (i.e., if the system suddenly decides to block half the IP numbers in the universe, a human should have to OK it).

    Unfortunately I don't read Dutch; maybe they've thought of this already.

    --
    Am I part of the core demographic for Swedish Fish?
  2. other alternatives to stopping worms by angryLNX · · Score: 3, Interesting

    I have been doing a high school science research class project on stopping the spreading of internet-borne worms through analysis of epidemic models and such. I have come across many different methods for stopping the distribution of vulnerability-based worms, so I'll share here (in order from most innovative to most obvious):

    First, a very ingenious method coming from Dartmouth's Institute for Security Technology Studies. They propose a method called monitoring the internet for plumes of ICMP unreachable messages. Software is installed on routers which records the ICMP unreachable messages being sent and sends data every once in a while to a central server which analyzes the data and sees which things are probably random-scanning worms. This is probably the best idea I've seen yet, but most likely the hardest to implement (as router software is usually tried to keep air-tight). The bad ports and such would then be filtered or turned off as appropriate.

    A second method which may have been talked about on here or not is "good" worms. Worms which sit around and listen for worm data would then send a copy of itself from the computer which was scanning them, therefore fixing another hole and having that computer be another "good" computer. The bad thing with this is that it will only really work when the worm is at its peak, when damage has already been done. It would be useful for cleanup, but of course there are issues with privacy and control would be rampant.

    Another "solution" is getting users to install firewalls and anti-virus software but that's a more obvious and hard to implement solution.

    I am modeling all of these possibilities using a mathematical model for epidemics, and seeing where which one would theoretically be most useful and such, and I'll take a look at the method used in the article.

  3. Re:Zegnar by mattyrobinson69 · · Score: 4, Interesting

    When Freeserve depreciated one of their dial-up numbers, all attempts to access port 80 were forwarded to their HTTP server on a page which explained how to change the number, and what to. They blocked all other connections, I think.

    Pain in the arse, but it could be useful if the same kind of thing was implemented if you were showing characteristics of running a worm, to redirect you to their free online virus scanner (or somebody else's). That way, you can't infect anybody else, but you can still use the online virus scanner to remove viruses (using an OCX).

    This will carry on working while nearly all worms are for Windows. I imagine most people with other OSes wouldn't get hit, not because of higher security necessarily, but because they wouldn't spread well in a world where 90%+ boxes are Windows, and even then, the less than 10% of boxes isn't one OS - there's Mac, Linux, Free/Open/NetBSD, Solaris, etc.

  4. Re:Zegnar by icedivr · · Score: 3, Interesting

    Perhaps a partial block could be instituted - allow only outbound http to Windows Update.
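
Added example, not part of the original thread and not virbl's own code: a sketch of the listing rule from the summary (at least 2 worm detections, 24 hours, mail servers excluded) combined with the safeguard the first comment asks for, where listings beyond a cap wait for a human. It assumes both detections must fall within one 24-hour window and that a block lasts 24 hours; the class name, the `max_auto_blocks` cap and the addresses in the usage are hypothetical.

```python
from collections import defaultdict, deque

WINDOW = 24 * 3600   # seconds; the summary's 24 hours (interpretation assumed)
THRESHOLD = 2        # the summary's "at least 2 worms"


class WormBlocklist:
    def __init__(self, allowlist=(), max_auto_blocks=100):
        self.allowlist = set(allowlist)         # known large mail servers
        self.max_auto_blocks = max_auto_blocks  # hypothetical cap on automatic listings
        self.sightings = defaultdict(deque)     # ip -> timestamps of worm detections
        self.blocked = {}                       # ip -> time the block expires
        self.pending = set()                    # listings held for operator approval

    def is_blocked(self, ip, now):
        return self.blocked.get(ip, 0) > now

    def report(self, ip, now):
        """Record one worm detection from ip at time now (seconds)."""
        if ip in self.allowlist:
            return "allowlisted"
        seen = self.sightings[ip]
        seen.append(now)
        while seen[0] <= now - WINDOW:          # drop detections older than the window
            seen.popleft()
        if len(seen) < THRESHOLD:
            return "counted"
        active = sum(expiry > now for expiry in self.blocked.values())
        if not self.is_blocked(ip, now) and active >= self.max_auto_blocks:
            self.pending.add(ip)                # too many live blocks: ask a human
            return "pending"
        self.blocked[ip] = now + WINDOW
        return "blocked"

    def approve(self, ip, now):
        """Operator confirms a held listing; returns True if one was pending."""
        if ip not in self.pending:
            return False
        self.pending.discard(ip)
        self.blocked[ip] = now + WINDOW
        return True
```

A single detection never lists an address, and once the cap is reached a sudden wave of new listings accumulates in `pending` instead of taking effect.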