Re: a real way to stop an http based worm

From: abel (able@able-towers.com)
Date: Fri Sep 07 2001 - 18:14:49 PDT


    The only snag in this is that you are (once again?) at the mercy of ISPs.
    Since they have shown in the past that going through those paces is not a
    real probability, almost certainly not for the largest contingent, I
    suggest respectfully that routers are the first step to start off with,
    unless we can come up with an IDS-like device
    that sets a simple rule in those proxies, and I mean a "run once and be done",
    to prevent the ISP saying it is too much work, too expensive, against peering
    agreements and so on.
    Those peering agreements (most do NOT allow blocking of any traffic) are a
    hurdle we have to face in these steps, which was also the reason I suggested
    routers.
    It should not be the hardest to come up with a solution that upon
    recognition of the signature adds a filter line in router software, but the
    hardest part then would be that if a large number of probes from different
    IPs arrives the router might go gung-ho when rehashed too often; still I
    have the distinct feeling that such would not only be a good solution
    against any current worm, but also a fast and sure defense against new ones.
    (It should be possible to write it in a way it can (like f.i. snort) just
    have a "rule" added.)
    
    Sorry, just thinking aloud, but this is a more constructive discussion than
    the "counterstrike" idea (IMO).
    
    regards
    
    abel wisman
    
    
    
    ----- Original Message -----
    From: "Jose Nazario" <joseat_private>
    To: "Gert-Jan Hagenaars" <blenderat_private>
    Cc: <vuln-devat_private>
    Sent: Friday, September 07, 2001 2:47 PM
    Subject: Re: a real way to stop an http based worm
    
    
    > On Fri, 7 Sep 2001, Gert-Jan Hagenaars wrote:
    >
    > > Can this be done on the web-proxy boxes that the ISPs have on their
    > > networks?  I.e. dunk anything that looks for "/default.ida?blah"?
    >
    > yep. reverse proxies can be configured to do this. and cisco ACLs can
    > already reset/block such connections i believe.
    >
    > in short a good idea, and one that can already be implemented.
    >
    > ____________________________
    > jose nazario      joseat_private
    >            PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
    >        PGP key ID 0xFD37F4E5 (pgp.mit.edu)
    >
    
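The message above sketches a signature-triggered filter (recognise the "/default.ida?" probe, add a block rule) and worries that a flood of probes from many source IPs would make the router thrash if a rule is pushed per probe. The following is an added example, written for this archive page and not code from any participant in the thread, that shows one way to implement both halves: a snort-style signature list matched against request paths, and a controller that deduplicates offenders and batches rule pushes under a per-window budget so that many probes cost one reconfiguration. The log lines are constructed, the `FilterController` and `run` names are hypothetical, and the emitted `deny tcp host ... any eq 80` string is a placeholder rule format rather than any vendor's verified ACL syntax.

```python
"""Signature-triggered block-rule insertion with churn control (added example)."""
from collections import deque
import re

# Snort-style probe signatures: one compiled pattern per worm request shape.
# "/default.ida?" is the pattern discussed in the thread; matching is on the
# request path only, so ordinary requests cannot trigger it by accident.
SIGNATURES = [re.compile(r"^/default\.ida\?", re.IGNORECASE)]

# Constructed sample request log (not real traffic): "<ts> <client-ip> "<request line>"".
SAMPLE_LOG = [
    '1 10.0.0.5 "GET /index.html HTTP/1.0"',
    '2 192.0.2.10 "GET /default.ida?blah HTTP/1.0"',
    '2 192.0.2.11 "GET /default.ida?blah HTTP/1.0"',
    '3 192.0.2.10 "GET /default.ida?blah HTTP/1.0"',   # repeat from an IP already handled
    '3 10.0.0.6 "GET /images/logo.gif HTTP/1.0"',
    '4 192.0.2.12 "GET /DEFAULT.IDA?blah HTTP/1.0"',   # case variant of the probe
    '9 192.0.2.13 "GET /default.ida?blah HTTP/1.0"',
]

LINE_RE = re.compile(r'^(\d+) (\S+) "(\S+) (\S+) [^"]*"$')


def parse_line(line):
    """Return (ts, ip, method, path) or None for a line that does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, method, path = m.groups()
    return int(ts), ip, method, path


def is_worm_probe(path):
    """True if the request path matches any configured probe signature."""
    return any(sig.search(path) for sig in SIGNATURES)


class FilterController:
    """Collects offending source IPs and pushes block rules in batches.

    Two controls keep the filtering device from being reconfigured per probe:
      * an IP that is already blocked or already queued is never pushed twice;
      * at most `max_pushes` reconfigurations happen per `window` seconds, and
        each push carries every pending IP, so a burst of probes from many
        sources costs one rule update rather than one per probe.
    """

    def __init__(self, max_pushes=1, window=5):
        self.max_pushes = max_pushes
        self.window = window
        self.blocked = set()        # IPs for which a rule has been pushed
        self.pending = []           # IPs seen probing, rule not yet pushed
        self.push_times = deque()   # timestamps of pushes inside the window
        self.pushed_rules = []      # every rule line emitted, in order

    def observe(self, ts, ip, path):
        """Queue `ip` for blocking if `path` is a probe. Returns True if newly queued."""
        if not is_worm_probe(path):
            return False
        if ip in self.blocked or ip in self.pending:
            return False
        self.pending.append(ip)
        return True

    def flush(self, ts):
        """Push all pending IPs as one batch if the window budget allows; return rules pushed."""
        while self.push_times and ts - self.push_times[0] >= self.window:
            self.push_times.popleft()
        if not self.pending or len(self.push_times) >= self.max_pushes:
            return []
        # Placeholder rule format (hypothetical), one line per offending host.
        batch = [f"deny tcp host {ip} any eq 80" for ip in self.pending]
        self.blocked.update(self.pending)
        self.pending = []
        self.push_times.append(ts)
        self.pushed_rules.extend(batch)
        return batch


def run(log_lines, controller=None):
    """Replay a log, flushing once per timestamp. Returns (controller, [(ts, rules), ...])."""
    ctl = controller or FilterController(max_pushes=1, window=5)
    pushes = []
    last_ts = None
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, _method, path = rec
        if last_ts is not None and ts != last_ts:
            batch = ctl.flush(last_ts)
            if batch:
                pushes.append((last_ts, batch))
        ctl.observe(ts, ip, path)
        last_ts = ts
    if last_ts is not None:
        batch = ctl.flush(last_ts)
        if batch:
            pushes.append((last_ts, batch))
    return ctl, pushes


if __name__ == "__main__":
    ctl, pushes = run(SAMPLE_LOG)
    for ts, rules in pushes:
        print(f"t={ts}: pushed {len(rules)} rule(s)")
        for r in rules:
            print("   ", r)
```

On the constructed log the five probe lines from four distinct sources produce two pushes (at t=2 and, once the five-second budget has reset, at t=9) rather than five, and the repeat from 192.0.2.10 at t=3 is ignored because a rule for it already exists; that is the behaviour a practitioner would want from the "run once and be done" rule the message asks for.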



    This archive was generated by hypermail 2b30 : Fri Sep 07 2001 - 17:29:58 PDT