Slashdot Mirror


Distributive Worm Blocking

wdebruij writes "According to this source (unfortunately in dutch), a number of dutch ISPs are bundling their forces to fight the spread of worms. The technology, called virbl, blocks all accesses from IP addresses from which at least 2 worms were sent for 24 hours, naturally excluding known large email servers. Background info on the project can be found at the developers' project site. So, does anyone have useful remarks on why this may succeed or fail? It appears to me as a simple to implement yet powerful, albeit stopgap, solution."

2 of 162 comments (clear)

  1. a new denial of service attack by pedantic+bore · · Score: 4, Interesting
    Now all you need to do is trick someone into sending you something that resembles a worm... (all it will take for some trickster to add a rule the worm signature files that says that all messages that contain
    ^Dear
    ).

    It seems like a good idea, but it seems like the threshold is too low and there ought to be a human in the loop (i.e., if the system suddenly decides to block half the IP numbers in the universe, a human should have to OK it).

    Unfortunately I don't read Dutch; maybe they've thought of this already.

    --
    Am I part of the core demographic for Swedish Fish?
  2. Re:Zegnar by mattyrobinson69 · · Score: 4, Interesting

    when freeserve depreciated one of their dial-up numbers, all attempts to access port 80 were forwarded to their http server on a page which explained how to change the number, and what to. - they blocked all other connections i think.

    pain in the arse, but it could be useful if the same kind of thing was implemented if you were showing characteristics of running a worm, to redirect you to their free online virus scanner (or somebody elses). that way, you cant infect anybody else, but you can still use the online vius scanner to remove virus's (using an OCX).

    this will carry on working, while nearly all worms are for windows. i imagine most people with other os's wouldn't get hit, not because of higher security neccessarily, but because they wouldn't spread well in a world where 90%+ boxes are windows, and even then, the less than 10% of boxes isn't one OS - there's mac, linux, free/open/net bsd, solaris, etc.