From: abel (able able-towers.com)
Date: Fri Sep 07 2001 - 20:14:49 CDT
The only snag in this is that you are (once again?) at the mercy of ISPs.
Since they have shown in the past that going through those paces is not a
real probability, almost certainly not for the largest contingent, I
suggest respectfully that routers are the first step to start off with,
unless we can come up with an IDS-like device
that sets a simple rule in those proxies, and I mean a "run once and be done",
to prevent the ISP saying it is too much work, too expensive, against peering
agreements and so on.

Those peering agreements, most do NOT allow blocking of any traffic, are a
hurdle we have to face in these steps, which was also the reason I suggested
routers.

It should not be the hardest to come up with a solution that upon
recognition of the signature adds a filter line in router software, but the
hardest part then would be that if a large number of probes from different
IPs arrives the router might go gung-ho when rehashed too often. Still, I
have the distinct feeling that such would not only be a good solution
against any current worm, but also a fast and sure defense against new ones.
(It should be possible to write it in a way it can (like f.i. snort) just
have a "rule" added.)

Sorry, just thinking aloud, but this is a more constructive discussion than
the "counterstrike" idea (IMO).
regards
abel wisman
----- Original Message -----
From: "Jose Nazario" <jose biocserver.BIOC.cwru.edu>
To: "Gert-Jan Hagenaars" <blender hagenaars.com>
Cc: <vuln-dev securityfocus.com>
Sent: Friday, September 07, 2001 2:47 PM
Subject: Re: a real way to stop an http based worm
> On Fri, 7 Sep 2001, Gert-Jan Hagenaars wrote:
>
> > Can this be done on the web-proxy boxes that the ISPs have on their
> > networks? I.e. dunk anything that looks for "/default.ida?blah"?
>
> yep. reverse proxies can be configured to do this. and cisco ACLs can
> already reset/block such connections i believe.
>
> in short a good idea, and one that can already be implemented.
>
> ____________________________
> jose nazario jose cwru.edu
> PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
> PGP key ID 0xFD37F4E5 (pgp.mit.edu)
>
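
An added example, not part of either message and not code from any poster: a sketch of the "recognize the signature, add a filter line" idea that also addresses the concern about reloading the router too often, by deduplicating sources and emitting at most one batch of new lines per time window. The log format (Common Log Format), the 60-second window, the rule cap, ACL number 101 and the Cisco-style `access-list` line are assumptions chosen for illustration.

```python
import re
from datetime import datetime

# Signature named in the thread: a request for /default.ida?...
PROBE = re.compile(
    r'^(\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[([^\]]+)\] "GET /default\.ida\?', re.I)

def plan_updates(log_lines, interval=60, max_rules=1000, acl=101):
    """Group new probe sources into one filter update per time window.

    interval, max_rules and the ACL number are assumptions for this sketch.
    Returns [(window_start_epoch, [acl_line, ...]), ...].
    """
    blocked, updates = set(), {}
    for line in log_lines:
        m = PROBE.match(line)
        if not m:
            continue
        src, stamp = m.groups()
        if src in blocked or len(blocked) >= max_rules:
            continue  # already filtered, or table full: no further reloads
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        window = int(ts) - int(ts) % interval
        blocked.add(src)
        updates.setdefault(window, []).append(
            f"access-list {acl} deny tcp host {src} any eq 80")
    return sorted(updates.items())

# Constructed sample input (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Sep/2001:14:47:01 -0500] "GET /default.ida?NNNN HTTP/1.0" 404 0',
    '192.0.2.10 - - [07/Sep/2001:14:47:05 -0500] "GET /default.ida?NNNN HTTP/1.0" 404 0',
    '198.51.100.7 - - [07/Sep/2001:14:47:30 -0500] "GET /default.ida?NNNN HTTP/1.0" 404 0',
    '203.0.113.5 - - [07/Sep/2001:14:47:40 -0500] "GET /index.html HTTP/1.0" 200 512',
    '203.0.113.9 - - [07/Sep/2001:14:49:10 -0500] "GET /default.ida?NNNN HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for window, rules in plan_updates(SAMPLE_LOG):
        print(window, len(rules), "new rule(s)")
        for rule in rules:
            print("  " + rule)
```

Once the cap is reached no further lines are generated, so matching on the request itself (at a proxy, as the quoted reply suggests) remains the fallback for sources beyond it.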