Full Disclosure mailing list archives
Re: Compromised hosts lists
From: Valdis.Kletnieks () vt edu
Date: Tue, 21 Feb 2006 13:43:37 -0500
On Tue, 21 Feb 2006 07:09:58 MST, James Lay said:
I completely agree for ports that I would have closed, but obviously I could not simply deny *all* traffic for port 25 and 80 let's say, as I want them open to the public.
At which point a list of the 100 million or so compromised machines believed to be out there doesn't do you much good. (Yes, the number is likely to be that high - at one point we were seeing several hundred thousand new zombies *per day*.) If you implement the block list, your machine runs like a pig (how much kernel memory do 100M iptables rules nail down?? ;) And you *still* have to worry about evil packets arriving on ports 25 and/or 80 from machines that haven't been *flagged* as evil yet. (Note that with 100M rules, trying to do even daily syncs is non-trivial - and you're going to want to do this on an hourly basis or so if you want it to be at all useful. When the update takes over an hour, you're in trouble.....) Your only real choice here is to make sure that 25 and 80 (and other outward-facing services) are as bulletproof as possible, against all packets from whatever source, and remain vigilant.
Attachment:
_bin
Description:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Compromised hosts lists James Lay (Feb 20)
- Re: Compromised hosts lists Jason Coombs (Feb 20)
- Re: Compromised hosts lists Gadi Evron (Feb 20)
- Re: Compromised hosts lists Valdis . Kletnieks (Feb 20)
- Re: Compromised hosts lists James Lay (Feb 21)
- Re: Compromised hosts lists Valdis . Kletnieks (Feb 21)
- Re: Compromised hosts lists Frank Knobbe (Feb 21)
- Re: Compromised hosts lists Valdis . Kletnieks (Feb 21)
- Re: Compromised hosts lists James Lay (Feb 21)
- <Possible follow-ups>
- Re: Compromised hosts lists security czar (Feb 22)