Bugtraq mailing list archives
Re: getting rid of outbreaks and spam (junk)
From: James Riden <j.riden () massey ac nz>
Date: Thu, 05 Feb 2004 09:07:24 +1300
Gadi Evron <ge () linuxbox org> writes:
> The AV industry is built on reaction rather than prevention. Adding new signatures is still the #1 tool in the fight against malware.

That's why AV must never be used as the first/only line of defence against malware. The couple-of-hour window between outbreak and updated signatures could be enough to do significant damage; think of Blaster written by a skilled and malicious individual. As you say, AV falls into the 'detection/response' categories instead of 'prevention'.

> If backbones filtered the top-10 current outbreaks, with non-intrusive means such as for example running MD5 checksum checks against attachments, or whatever other way - wouldn't it be better? True, it may cause a cry of "the government spies on us", but with the current economic troubles outbreaks cause, can we really use that excuse anymore? Don't the police regulate speeding?

Not my area, but I believe most backbone networks are designed to get packets from A to B as fast as possible. Egress filtering at ISPs, for both spoofed addresses and email-borne viruses, would be a start though.

> Although completely not practical, a way to contact users (or ISPs, isn't that how it works?) by IP address would help a lot. But that would be circumventing the real problem which is ISPs not doing much about ABUSE REPORTS or USER SECURITY.

It would also be good to have ISPs accountable for abuse that originates in their networks. But does any government department have the resources to do this, even if appropriate laws are in place? Several sites providing DNSBLs, and/or providing statistics of proxy abusers have been taken off the 'net by massive DDoS attacks. The FBI clearly has authority under the law to go after this kind of thing, but has done absolutely nothing about it as far as I've heard.

cheers,
 Jamie

(and, yes, everyone should turn off the !@#$ virus notifications already :)

--
James Riden / j.riden () massey ac nz / Systems Security Engineer
GPG public key available at: http://www.massey.ac.nz/~jriden/
This post does not necessarily represent the views of my employer.
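The "MD5 checksum checks against attachments" idea quoted in the message above is a hash-based attachment blocklist applied at a mail relay. The following is an added example written for this archive page, not code from either poster: it parses an RFC 822 message with Python's standard `email` package, hashes every attachment payload, and reports which attachments match a blocklist. The sample message, the attachment bytes and the blocklist entries are all constructed here so the script runs offline; a real deployment would feed the blocklist from an outbreak notification source. Both MD5 (as proposed in the thread) and SHA-256 digests are checked, because MD5 collisions are cheap to construct today.

```python
"""Hash-based attachment filter for a mail relay (added example, not from the thread)."""
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage


def attachment_digests(raw: bytes):
    """Yield (filename, md5_hex, sha256_hex) for every attachment in a raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)  # undo base64/quoted-printable
        if payload is None:
            continue
        yield (
            part.get_filename() or "<unnamed>",
            hashlib.md5(payload).hexdigest(),
            hashlib.sha256(payload).hexdigest(),
        )


def matched_attachments(raw: bytes, blocklist: set) -> list:
    """Return the filenames whose MD5 or SHA-256 digest appears in the blocklist."""
    return [
        name
        for name, md5_hex, sha_hex in attachment_digests(raw)
        if md5_hex in blocklist or sha_hex in blocklist
    ]


def build_sample(attachment: bytes, filename: str) -> bytes:
    """Construct a small multipart message carrying one binary attachment (test data)."""
    m = EmailMessage()
    m["From"] = "alice@example.test"
    m["To"] = "bob@example.test"
    m["Subject"] = "constructed sample message"
    m.set_content("see attached")
    m.add_attachment(
        attachment, maintype="application", subtype="octet-stream", filename=filename
    )
    return bytes(m)


# Constructed "known bad" payload: an arbitrary byte string standing in for a
# worm attachment. The blocklist is derived from it so the demo is self-contained;
# in production these digests would come from an outbreak feed.
KNOWN_BAD = b"CONSTRUCTED-SAMPLE-PAYLOAD-NOT-REAL-MALWARE"
BLOCKLIST = {
    hashlib.md5(KNOWN_BAD).hexdigest(),
    hashlib.sha256(KNOWN_BAD).hexdigest(),
}


def demo():
    """Run the filter over one matching and one clean constructed message."""
    bad = build_sample(KNOWN_BAD, "invoice.exe")
    clean = build_sample(b"quarterly figures", "report.txt")
    return matched_attachments(bad, BLOCKLIST), matched_attachments(clean, BLOCKLIST)


if __name__ == "__main__":
    flagged, unflagged = demo()
    print("flagged attachments:", flagged)    # ['invoice.exe']
    print("clean message flagged:", unflagged)  # []
```

Note the limit of this approach, which is the same one the reply above makes about signatures: the list only catches byte-identical payloads, so a variant that changes a single byte of the attachment gets a new digest and passes. That makes hash blocking a cheap complement to, not a replacement for, the other filtering and egress controls discussed in the thread.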
Current thread:
- Re: RFC: virus handling 3APA3A (Feb 02)
- getting rid of outbreaks and spam (junk) [WAS: Re: RFC: virus handling] Gadi Evron (Feb 03)
- Re: getting rid of outbreaks and spam (junk) [WAS: Re: RFC: virus handling] James A. Thornton (Feb 04)
- Re: getting rid of outbreaks and spam (junk) James Riden (Feb 04)
- Re: getting rid of outbreaks and spam (junk) [WAS: Re: RFC: virus handling] der Mouse (Feb 05)
- Re: getting rid of outbreaks and spam (junk) [WAS: Re: RFC: virus handling] Georg Schwarz (Feb 06)
- <Possible follow-ups>
- Re: RFC: virus handling Sascha Wilde (Feb 02)
- Re: RFC: virus handling Pavel Levshin (Feb 02)
- Re: RFC: virus handling David F. Skoll (Feb 03)
- Re: RFC: virus handling Jeremy Mates (Feb 02)
- Hysterical first technical alert from US-CERT Larry Seltzer (Feb 03)
- Re: Hysterical first technical alert from US-CERT Valdis . Kletnieks (Feb 04)
- RE: Hysterical first technical alert from US-CERT Larry Seltzer (Feb 05)
- Re: Hysterical first technical alert from US-CERT Valdis . Kletnieks (Feb 04)
- Hysterical first technical alert from US-CERT Larry Seltzer (Feb 03)
- getting rid of outbreaks and spam (junk) [WAS: Re: RFC: virus handling] Gadi Evron (Feb 03)