Slashdot Mirror


Distributive Worm Blocking

wdebruij writes "According to this source (unfortunately in Dutch), a number of Dutch ISPs are bundling their forces to fight the spread of worms. The technology, called virbl, blocks all accesses from IP addresses from which at least 2 worms were sent for 24 hours, naturally excluding known large email servers. Background info on the project can be found at the developers' project site. So, does anyone have useful remarks on why this may succeed or fail? It appears to me as a simple-to-implement yet powerful, albeit stopgap, solution."

9 of 162 comments

  1. Zegnar by Zegnar · Score: 5, Insightful

    Here is progress - still I imagine many companies will leave things as they are just to avoid having to deal with irate calls to the helpdesk, and carry on broadcasting viruses to the world. Collective defense is fine until it costs money.

  2. Re:Security by shutdown? by Roguelazer · Score: 5, Funny

    Or, you could just post a link on slashdot to all infected systems. Same end effect.

  3. Frea Speach! by AndroidCat · Score: 5, Insightful

    The same people who complain when their ISP is blocked for sending spam will (no doubt) complain that this blocks their constitutional right to run an infested box on the Internet--complete with examples of how innocent people will be hurt by this. (Hmm, how about DHCP dynamic addresses?)

    --
    One line blog. I hear that they're called Twitters now.

  4. This is a sensible thing to do but.... by Sox2 · Score: 5, Insightful

    how do users then download the patches to deal with the infection? Not everyone on the internet is computer literate; will the ISPs provide some help to these people?

  5. Re:That's not security, that's stupidity. by [Lizard] · Score: 5, Informative

    Ehm, not really, the system also uses a whitelist on which the mailservers of normal ISPs are listed.
    Furthermore, a bot-created SMTP will trigger the protection quick enough so it won't be able to send much. Personally, I doubt it will backfire, but maybe there's some place for improvements; time will tell.

    (When I have some free time I'll try to translate the article into readable English :)

  6. Re:Dutch DOS by AndroidCat · Score: 5, Insightful

    If you can IP spoof with a TCP/IP connection, you could do a lot more damage than a DoS attack.

    --
    One line blog. I hear that they're called Twitters now.

  7. Re:a new denial of service attack by pedantic+bore · Score: 5, Insightful

    It does say that they "exclude known large email servers" so presumably it would be hard to take out an ISP. But it sounds like you could DHCP-hop your way through an address bank and make things pretty miserable for someone.

    --
    Am I part of the core demographic for Swedish Fish?

  8. We use a similar concept @ work by jsav40 · Score: 5, Informative

    Infected machines are locked out of the network entirely. Getting the machines reconnected is a fairly lengthy process, and users have become *much* more interested in allowing field techs to patch machines since the lockdown process was initiated. We push patches out remotely, so only 5% or so of the machines ever need to be manually patched. We also scan our subnet daily for vulnerable machines and proactively patch any machines that turn up that way. Personal laptops were a problem (briefly), but after an incident at another location where the offending user was terminated, folks have gotten the message that it is not OK to attach non-company-owned computers to the network.

  9. Spamhaus by AndyFewt · Score: 5, Insightful

    Didn't Spamhaus recently launch pretty much the same service, called the XBL?

    "The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits." -- http://www.spamhaus.org/xbl/index.lasso

    The only thing I thought was weird about the Dutch system was: "An IP address gets listed after receiving at least 2 viruses". I think that may be a typo, as the system scans some email and grabs the IP from the headers if a virus/worm/trojan is found. But if it's not a typo, any email address that receives 2 viruses getting listed (regardless of infection) is a pretty sucky system.
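The listing policy from the summary (list a source IP after at least 2 worms, block it for 24 hours, never list whitelisted mail servers) and the threshold question raised in comment 9, modelled as an added example; this is illustrative code, not virbl's own, and the 24-hour detection window, the IP addresses and the timestamps are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 2                      # worms seen from one IP before it is listed
BLOCK_FOR = timedelta(hours=24)    # how long a listing lasts (from the summary)
WINDOW = timedelta(hours=24)       # assumed: only detections this recent count


class WormBlocklist:
    def __init__(self, whitelist):
        self.whitelist = set(whitelist)      # known large mail servers, never listed
        self.detections = defaultdict(list)  # ip -> timestamps of worms sent from it
        self.listed_until = {}               # ip -> when its current listing expires

    def record_detection(self, ip, when):
        """A worm was received from `ip` at `when`; returns True if `ip` is now listed."""
        if ip in self.whitelist:
            return False                     # whitelist wins regardless of the count
        recent = [t for t in self.detections[ip] if when - t <= WINDOW] + [when]
        self.detections[ip] = recent
        if len(recent) >= THRESHOLD:
            self.listed_until[ip] = when + BLOCK_FOR   # every new worm restarts the 24h
            return True
        return False

    def is_blocked(self, ip, now):
        """Should a connection from `ip` at `now` be refused?"""
        until = self.listed_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.listed_until[ip]        # the 24 hours are over; address is clean again
            return False
        return True


def demo():
    """Walk one address through the policy; all values are constructed sample data."""
    t0 = datetime(2004, 5, 1, 12, 0)
    bl = WormBlocklist(whitelist={"192.0.2.25"})       # constructed: an ISP's own MX
    bl.record_detection("198.51.100.7", t0)            # first worm: below threshold
    first = bl.is_blocked("198.51.100.7", t0)
    bl.record_detection("198.51.100.7", t0 + timedelta(minutes=5))   # second: listed
    during = bl.is_blocked("198.51.100.7", t0 + timedelta(hours=1))
    after = bl.is_blocked("198.51.100.7", t0 + timedelta(hours=25))  # listing expired
    for _ in range(3):
        bl.record_detection("192.0.2.25", t0)          # the MX forwards worms too...
    mx = bl.is_blocked("192.0.2.25", t0)               # ...but is never listed
    return first, during, after, mx                    # (False, True, False, False)
```

Because the key is the bare source IP, a dynamic (DHCP) address inherits any listing left by its previous holder until the 24 hours run out, which is the side effect comments 3 and 7 point at.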