Slashdot Mirror


Microsoft Eyes PC Isolation Ward To Thwart Botnets

CWmike writes "In a paper published Wednesday (PDF), Scott Charney, who heads Microsoft's trustworthy computing group, spelled out a concept of 'collective defense' that he said was modeled after public health measures like vaccinations and quarantines. The aim: To block botnet-infected computers from connecting to the Internet. Under the proposal, PCs would be issued a 'health certificate' that showed whether the system was fully patched, that it was running security software and a firewall, and that it was malware-free. Machines with deficiencies would require patching or an antivirus update, while bot-infected PCs might be barred from the Internet."

1 of 413 comments

  1. Re:You asked... by pgmrdlm · · Score: 0, Redundant

    I wrote a Perl script that parses my auth.log. I have a variable I use for a threshold on the number of invalid login attempts. You cross that number, you are added to a firewall table and the table is refreshed. You use known service IDs in your login attempt, doesn't matter how many tries you have made. You are added to the firewall table and it is refreshed. Sends out an email to me twice a day.

    I store invalid attempts in an internal table which is retained for 24 hours. I have found when the attack is spread out over a large number of IPs, that they still rotate through those IPs for further attempts. And again this drives them over the threshold limit.

    Is this a perfect solution? Nope, I still have to manually monitor my auth.log. But not as diligently as I used to.

    --
    Anonymous comments are as pathetic as the anonymous "sources" that contaminate gutless journalism from the New York Time
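
The two rules described in the comment above (a failure threshold over a 24-hour table, plus an immediate block for known service IDs), sketched as an added example in Python; this is not the poster's Perl script. The threshold value, the service-ID list, the OpenSSH line format, and the function name `ips_to_block` are assumptions, and the function returns the addresses to block rather than touching a firewall.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 3                 # assumed value; the comment does not state its number
WINDOW = timedelta(hours=24)  # retention period given in the comment
SERVICE_IDS = {"oracle", "postgres", "mysql", "nagios", "ftp"}  # assumed list

# Assumed format: OpenSSH "Failed password" lines as written to auth.log
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)

def ips_to_block(lines, year=2010):
    """Return {ip: reason} for every source that trips either rule."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside WINDOW
    blocked = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m or m["ip"] in blocked:
            continue
        ip, user = m["ip"], m["user"]
        # syslog timestamps carry no year, so one is supplied by the caller
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(when)
        while when - q[0] > WINDOW:   # expire entries older than 24 hours
            q.popleft()
        if user in SERVICE_IDS:       # rule 2: one attempt is enough
            blocked[ip] = f"service id '{user}'"
        elif len(q) > THRESHOLD:      # rule 1: threshold crossed inside window
            blocked[ip] = f"{len(q)} failures in 24h"
    return blocked

SAMPLE = [  # constructed log lines using documentation-range addresses
    "Oct 10 01:00:01 gw sshd[101]: Failed password for bob from 192.0.2.10 port 4001 ssh2",
    "Oct 10 03:00:00 gw sshd[102]: Failed password for alice from 203.0.113.5 port 4002 ssh2",
    "Oct 10 04:00:00 gw sshd[103]: Failed password for alice from 203.0.113.5 port 4003 ssh2",
    "Oct 10 05:30:00 gw sshd[104]: Failed password for invalid user oracle from 198.51.100.7 port 4004 ssh2",
    "Oct 10 09:00:00 gw sshd[105]: Failed password for bob from 192.0.2.10 port 4005 ssh2",
    "Oct 10 15:00:00 gw sshd[106]: Accepted password for carol from 192.0.2.99 port 4006 ssh2",
    "Oct 10 17:00:00 gw sshd[107]: Failed password for bob from 192.0.2.10 port 4007 ssh2",
    "Oct 10 23:00:00 gw sshd[108]: Failed password for bob from 192.0.2.10 port 4008 ssh2",
    "Oct 12 05:00:00 gw sshd[109]: Failed password for alice from 203.0.113.5 port 4009 ssh2",
    "Oct 12 06:00:00 gw sshd[110]: Failed password for alice from 203.0.113.5 port 4010 ssh2",
]
```

In the sample, 203.0.113.5 fails four times in total but never more than twice inside one 24-hour window, so it stays off the list; a slow source like that is what the retention period trades away.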