Vulnerability Development mailing list archives
Re: a real way to stop an http based worm
From: "abel" <able () able-towers com>
Date: Fri, 7 Sep 2001 18:14:49 -0700
The only snag in this is that you are (once again?) at the mercy of ISPs.

Since they have shown in the past that going through those paces is not a real probability, almost certainly not for the largest contingent, I suggest respectfully that routers are the first step to start off with, unless we can come up with an IDS-like device that sets a simple rule in those proxies, and I mean a "run once and be done", to prevent the ISP saying it is too much work, too expensive, against peering agreements and so on.

Those peering agreements, most do NOT allow blocking of any traffic, are a hurdle we have to face in these steps, which was also the reason I suggested routers.

It should not be the hardest to come up with a solution that upon recognition of the signature adds a filter line in router software, but the hardest part then would be that if a large number of probes from different IPs arrives the router might go gung-ho when rehashed too often. Still, I have the distinct feeling that such would not only be a good solution against any current worm, but also a fast and sure defense against new ones. (It should be possible to write it in a way it can (like f.i. snort) just have a "rule" added.)

sorry, just thinking aloud, but this is a more constructive discussion than the "counterstrike" idea (IMO)

regards
abel wisman

----- Original Message -----
From: "Jose Nazario" <jose () biocserver BIOC cwru edu>
To: "Gert-Jan Hagenaars" <blender () hagenaars com>
Cc: <vuln-dev () securityfocus com>
Sent: Friday, September 07, 2001 2:47 PM
Subject: Re: a real way to stop an http based worm
On Fri, 7 Sep 2001, Gert-Jan Hagenaars wrote:

> Can this be done on the web-proxy boxes that the ISPs have on their networks? I.e. dunk anything that looks for "/default.ida?blah"?

yep. reverse proxies can be configured to do this. and cisco ACLs can already reset/block such connections i believe.

in short a good idea, and one that can already be implemented.

____________________________
jose nazario jose () cwru edu
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)
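
The idea discussed in this message (recognise the "/default.ida?" request signature, add a filter line for the source, and avoid reloading the router on every probe) can be sketched as follows. This is an added example, not code from the thread's participants; the ACL number 101, the 60-second minimum interval between updates, the log layout, the sample events and the names `source_of`, `FilterBatcher` and `run` are all assumptions.

```python
import ipaddress
import re

# Request-line signature named in the thread: a request for /default.ida?...
SIGNATURE = re.compile(r'^(\S+) .*"(?:GET|HEAD|POST) /default\.ida\?', re.I)
ACL_ID = 101  # assumed ACL number, not from the thread

# Constructed sample input: (seconds, access-log line), documentation IPs.
EVENTS = [
    (1, '192.0.2.10 - - "GET /default.ida?XXXX HTTP/1.0" 404'),
    (2, '198.51.100.7 - - "GET /index.html HTTP/1.0" 200'),
    (3, '192.0.2.10 - - "GET /default.ida?XXXX HTTP/1.0" 404'),
    (40, '203.0.113.5 - - "GET /default.ida?XXXX HTTP/1.0" 404'),
    (70, '203.0.113.9 - - "GET /default.ida?XXXX HTTP/1.0" 404'),
]

def source_of(line):
    """Return the client IPv4 address if the line matches the signature."""
    m = SIGNATURE.match(line)
    try:
        return str(ipaddress.IPv4Address(m.group(1))) if m else None
    except ValueError:  # hostname or junk: never copy it into a filter line
        return None

class FilterBatcher:
    """Turns signature hits into filter lines, pushed at most once per interval."""
    def __init__(self, min_interval=60):
        self.min_interval = min_interval
        self.blocked = set()   # sources that already have a filter line
        self.pending = []      # new sources waiting for the next update
        self.last_push = None

    def feed(self, ts, line):
        src = source_of(line)
        if src and src not in self.blocked and src not in self.pending:
            self.pending.append(src)
        due = self.last_push is None or ts - self.last_push >= self.min_interval
        if not (self.pending and due):
            return []          # nothing new, or too soon to touch the router
        rules = [f"access-list {ACL_ID} deny ip host {s} any" for s in self.pending]
        self.blocked.update(self.pending)
        self.pending, self.last_push = [], ts
        return rules

def run(events, min_interval=60):
    """Return the router updates (each a list of filter lines) for the events."""
    b = FilterBatcher(min_interval)
    return [r for ts, line in events if (r := b.feed(ts, line))]
```

On the sample events, five log lines with four signature hits from three sources produce two router updates: repeated probes from a known source add nothing, and the two later sources are merged into a single update.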
Current thread:
- a real way to stop an http based worm Gert-Jan Hagenaars (Sep 07)
- Re: a real way to stop an http based worm Jose Nazario (Sep 07)
- Re: a real way to stop an http based worm abel (Sep 07)
- Re: a real way to stop an http based worm The Crocodile (Sep 07)
- Re: a real way to stop an http based worm Jose Nazario (Sep 07)