Distributive Worm Blocking
wdebruij writes "According to this source (unfortunately in Dutch), a number of Dutch ISPs are bundling their forces to fight the spread of worms. The technology, called virbl, blocks all accesses from IP addresses from which at least 2 worms were sent for 24 hours, naturally excluding known large email servers. Background info on the project can be found at the developers' project site. So, does anyone have useful remarks on why this may succeed or fail? It appears to me as a simple-to-implement yet powerful, albeit stopgap, solution."
Here is progress - still I imagine many companies will leave things as they are just to avoid having to deal with irate calls to the helpdesk, and carry on broadcasting viruses to the world. Collective defense is fine until it costs money.
It seems like a good idea, but it seems like the threshold is too low and there ought to be a human in the loop (i.e., if the system suddenly decides to block half the IP numbers in the universe, a human should have to OK it).
Unfortunately I don't read Dutch; maybe they've thought of this already.
Am I part of the core demographic for Swedish Fish?
Or, you could just post a link on slashdot to all infected systems. Same end effect.
My Systems
Did you even think about reading the article?
The program provides a list of IP addresses to block email from. It doesn't only target Dutch ISP customers' email; it allows email from known virus offenders to be blocked.
Also, in the FAQ for the program, a Dutch ISP can apply to be whitelisted.
So how does this constitute locking down their customers?
In addition, do ISPs want virus spreading customers?
ah, mod points
The same people who complain when their ISP is blocked for sending spam will (no doubt) complain that this blocks their constitutional right to run an infested box on the Internet--complete with examples of how innocent people will be hurt by this. (Hmm, how about DHCP dynamic addresses?)
One line blog. I hear that they're called Twitters now.
How do users then download the patches to deal with the infection? Not everyone on the internet is computer literate; will the ISPs provide some help to these people?
Ehm, not really; the system also uses a whitelist on which the mail servers of normal ISPs are listed.
:)
Furthermore, a bot-created SMTP will trigger the protection quickly enough so it won't be able to send much. Personally I doubt it will backfire, but maybe there's some place for improvements; time will tell.
(When I have some free time I'll try to translate the article into readable English.)
If you can IP spoof with a TCP/IP connection, you could do a lot more damage than a DoS attack.
We already have a system based on killing your internet access whenever you do something stupid. We call it "Chello", and being subscribed to it is considered very stupid. A vicious, though effective, circle.
I don't hate my ISP. Not at all. I love my cable internet with upload speeds that would make an ISDN user laugh...
Infected machines are locked out of the network entirely. Getting the machines reconnected is a fairly lengthy process, and users have become *much* more interested in allowing field techs to patch machines since the lockdown process was initiated. We push patches out remotely, so only 5% or so of the machines ever need to be manually patched. We also scan our subnet daily for vulnerable machines and proactively patch any machines that turn up that way. Personal laptops were a problem (briefly), but after an incident at another location where the offending user was terminated, folks have gotten the message that it is not OK to attach non-company-owned computers to the network.
Technology such as this reduces the value of virus-created owned boxes. The creators of viruses that want to create spam-spewing machines would find their spam spewer useless. During the infection phase, the virus-spreading emails would get the infected box tagged and blocked. During the usage phase, the virus-creator/spam sender would find that the owned box is useless because all the messages get blocked.
This tech does not preclude maliciously-motivated viruses, but it does reduce the profit potential of creating spam networks.
Two wrongs don't make a right, but three lefts do.
Didn't Spamhaus recently launch pretty much the same service, called the XBL?
"The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits." -- http://www.spamhaus.org/xbl/index.lasso
The only thing I thought was weird about the Dutch system was: "An IP address gets listed after receiving at least 2 viruses." I think that may be a typo, as the system scans some email and grabs the IP from the headers if a virus/worm/trojan is found. But if it's not a typo, any email address that receives 2 viruses gets listed (regardless of infection), which is a pretty sucky system.
Chello and Tiscali top spreaders of viruses
A database of infected PCs is the foundation of an ambitious project that should reduce the flood of virus emails.
A number of Dutch providers are currently testing a worm blocker based on an extensive database of infected PCs. This file has been kept up to date for 2 weeks by BIT, a provider for businesses. In this database it is visible, amongst other things, from which IP address which virus is being spread.
Other providers can use this database to inform their own customers that their computer is infected and bothering other people, explains Alex Bik of BIT. Self-propagating viruses (worms) are causing more and more trouble, both to private users and providers.
BIT itself has been using the automatic blacklist-system since last week, to protect their customers against the ever growing stream of virus mails. By now, a large number of Dutch [internet] providers, including XS4ALL, Zonnet and IS Internet Services, also have access to the data.
Port 25
In its database, BIT keeps track of which IP addresses virus mails are sent from. This sending [of emails] often takes place directly via port 25 from infected computers. As soon as more than 2 infected emails arrive at BIT within 25 hours, the IP address is blacklisted for 24 hours. However, the IP addresses of mail servers of known providers are not added to the database.
Chello tops the list
The list shows that other providers, too, can benefit from the blacklist. Customers of Chello, Tiscali and @home top the list of major virus spreaders (over 1000 virus emails). The topper is an IP address at Tiscali, from which as many as 12000 Sober.G mails have been sent.
In total, Chello leads with over 27000 sent virus mails with the 25 main 'spreaders', followed by Tiscali (almost 23000), @home (almost 20000), Wanadoo (over 14000), HCCnet (almost 13000) and Planet [internet] (almost 12000).
Visit http://ringbreak.dnd.utwente.nl/~mrjb/growingbettersoftware to download your free copy of the book
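The listing rule in the translated article (more than 2 infected mails from one IP within 25 hours lists it for 24 hours, with known providers' mail servers excluded) can be implemented as a per-IP sliding window. The example below is added here and is not virbl's own code; it runs on a constructed detection stream in which the IPs, timestamps and worm names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Rule as stated in the translated article: more than 2 infected mails from
# one IP within 25 hours lists it for 24 hours; known MXs are never listed.
WINDOW = timedelta(hours=25)
LISTING = timedelta(hours=24)
THRESHOLD = 2   # "more than 2": the third detection lists the IP

class VirusBlocklist:
    def __init__(self, whitelist=()):
        self.whitelist = set(whitelist)     # known providers' mail servers
        self.hits = defaultdict(deque)      # ip -> recent detection times
        self.listed_until = {}              # ip -> listing expiry time

    def record_detection(self, ip, when):
        """One scanner hit at ISO-8601 time `when`; True if it lists the IP."""
        if ip in self.whitelist:
            return False
        when = datetime.fromisoformat(when)
        q = self.hits[ip]
        q.append(when)
        while when - q[0] > WINDOW:         # forget hits older than the window
            q.popleft()
        if len(q) > THRESHOLD:
            self.listed_until[ip] = when + LISTING   # a new hit re-extends
            return True
        return False

    def is_listed(self, ip, now):
        """The check a receiving MX makes before accepting mail from ip."""
        until = self.listed_until.get(ip)
        if until is None or datetime.fromisoformat(now) >= until:
            self.listed_until.pop(ip, None)  # expired: the IP is let back in
            return False
        return True

# Constructed sample detections (not real virbl data): (ip, time, worm)
SAMPLE_EVENTS = [
    ("192.0.2.10", "2004-03-01T08:00:00", "Sober.G"),
    ("192.0.2.10", "2004-03-01T09:00:00", "Sober.G"),
    ("192.0.2.10", "2004-03-01T10:00:00", "Sober.G"),    # third hit: listed
    ("198.51.100.5", "2004-03-01T10:05:00", "Sober.G"),  # whitelisted MX
    ("203.0.113.7", "2004-03-01T00:00:00", "Sober.G"),
    ("203.0.113.7", "2004-03-01T12:00:00", "Sober.G"),
    ("203.0.113.7", "2004-03-02T02:00:00", "Sober.G"),   # first hit aged out
]

def replay(events=SAMPLE_EVENTS, whitelist=("198.51.100.5",)):
    # Feed events per IP in time order; return decisions and the blocklist.
    bl = VirusBlocklist(whitelist)
    return [(ip, bl.record_detection(ip, t)) for ip, t, _ in events], bl
```

Only the third hit from 192.0.2.10 lists anything; 203.0.113.7 never reaches three hits inside one 25-hour window, and the whitelisted MX is ignored no matter how many hits it produces.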
That won't work. When a DoS (or whatever) spoofs an address, they send to the destination with a forged source. When the destination replies to the forged source, they don't get an answer, but they do waste bandwidth and computing time.
The blocking is based on actually sending emails through this server which will require a complete TCP handshake.
"I can't send a file to my friend or even get to some website, whats wrong with my PC?"
"You been virusing people, sending spam and being a git."
"No I haven't..."
I don't want to be that tech support guy, because this will happen, and often.
--- [Insert interesting Sig here]
I have been doing a high school science research class project on stopping the spreading of internet-borne worms through analysis of epidemic models and such. I have come across many different methods for stopping the distribution of vulnerability-based worms, so I'll share here (in order from most innovative to most obvious):

First, a very ingenious method coming from Dartmouth's Institute for Security Technology Studies. They propose a method called monitoring the internet for plumes of ICMP unreachable messages. Software is installed on routers which records the ICMP unreachable messages being sent and sends data every once in a while to a central server, which analyzes the data and sees which things are probably random-scanning worms. This is probably the best idea I've seen yet, but most likely the hardest to implement (as people usually try to keep router software air-tight). The bad ports and such would then be filtered or turned off as appropriate.

A second method, which may or may not have been talked about on here, is "good" worms. Worms which sit around and listen for worm data would then send a copy of themselves to the computer which was scanning them, therefore fixing another hole and having that computer be another "good" computer. The bad thing with this is that it will only really work when the worm is at its peak, when damage has already been done. It would be useful for cleanup, but of course there are issues with privacy, and control would be rampant.

Another "solution" is getting users to install firewalls and anti-virus software, but that's a more obvious and hard to implement solution. I am modeling all of these possibilities using a mathematical model for epidemics, and seeing where which one would theoretically be most useful and such, and I'll take a look at the method used in the article.
Sorry to hear if you're on a dynamic IP address: be prepared for intermittent connectivity to peers in said networks running this technology.
I don't think this is a good solution, anyway. The better solution is for ISPs to use SNORT or something else to detect _outgoing_ viruses and worms from their own customers in real time, and in response, send email to the customer warning them.
This has a number of benefits: i.e. it actively works towards the source of the problem, not just "blocking" the problem out.
MSBlaster was a direct worm that didn't go through email. This blocks email over an SMTP TCP/IP connection. If you could easily spoof the source of that connection, a paper on how you did it would earn you a footnote in Internet history.
With DoS attacks, you don't need to have a conversation/connection with the other end; you just drown the other end in packets. But to get a TCP connection, both sides have to exchange packets with a hard-to-spoof sequence number. If you spoof the IP address, you won't get the response to your initial request, because it was routed to the IP address that was spoofed. (I'll skip request and reflection attacks here.)
So, without establishing a two-way TCP connection, there's no way to pass the virus as part of an email.
I've been doing this for a few weeks now and it works great. I run clamav to initially recognize the worms. I keep the blockage for a week, though, not 24 hours, and I block for just one worm, not two. This may explain why my numbers come out better than these virbl folks - before IP blacklisting, worms were using up almost half my 1.5 Mbps incoming bandwidth; now it's down to around 15%.
You might also have a look at Spam Cannibal.
It's in the same sort of area: an interesting proactive approach to spam, and potentially worms as well.
"And the meaning of words; when they cease to function; when will it start worrying you?"
I got this mail under Linux which I was unsure was legitimate or a virus. Not having NTFS support compiled in, I mailed it to myself and rebooted to Windows to scan it.
Retrieving my mail I just got one: My ISP telling me I'm most likely infected and I noticed they blocked my access to their mailserver for about a day (I still was able to use http and such).
I was quite impressed...
ps: The ISP is Telenet (Belgium)
Okay, so yea, parent is a troll, but he's completely correct. Shutdowns of this sort will cut out the big providers in a matter of minutes after the outbreak of a decent-sized worm. It takes no imagination to picture the response of the consumer who finds out that he can't get mail, or access a website. He's not going to care that it "improves his security/quality of service." All he's going to see is that his provider sucks, because it's not doing what he wants it to.
ad logicam: Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
I proposed this 3.5 years ago on Advogato.
:)
Just calling it up, 'cuz I never get credit for nothin'.
-Waldo Jaquith
I am a dial-up user. Sometimes when I try to send email, I get a message from the SMTP server saying that my IP address is blocked from sending email because it's on a spam blacklist. Of course I'm not a spammer. All I have to do is reconnect, and I usually get a non-blocked IP address and can send email normally. I think you can avoid this technique the same way. Imagine the following scenario:
1. A worm-infected b0x calls a dial-up server.
2. Its IP address gets blocked.
3. The same b0x reconnects, gets a non-blocked address and gets blocked again.
4. GOTO 2.
5. Another user with a non-infected b0x calls the dial-up server, and his IP address is blocked because of the previous worm-infected b0x with that address.
Maybe the whole dial-up IP pool could get blocked.
-- When did Ignorance Become a Point of View?