Re: Compromised hosts lists

[Valdis.Kletnieks () vt edu]

On Tue, 21 Feb 2006 07:09:58 MST, James Lay said:

> I completely agree for ports that I would have closed, but obviously I
> could not simply deny *all* traffic for port 25 and 80 let's say, as I
> want them open to the public.

At which point a list of the 100 million or so compromised machines believed
to be out there doesn't do you much good.  (Yes, the number is likely to be
that high - at one point we were seeing several hundred thousand new zombies
*per day*.)

If you implement the block list, your machine runs like a pig (how much kernel
memory do 100M iptables rules nail down?? ;)

And you *still* have to worry about evil packets arriving on ports 25 and/or 80
from machines that haven't been *flagged* as evil yet. (Note that with 100M
rules, trying to do even daily syncs is non-trivial - and you're going to want
to do this on an hourly basis or so if you want it to be at all useful.  When
the update takes over an hour, you're in trouble.....)

Your only real choice here is to make sure that 25 and 80 (and other outward-facing
services) are as bulletproof as possible, against all packets from whatever source,
and remain vigilant.

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/