IDS mailing list archives
RE: Suggestions
From: Jose Nazario <jose () monkey org>
Date: Wed, 2 Jun 2004 15:40:20 -0400 (EDT)
on the throttling front, several people have been investigating the efficacy of this approach in the real world:

An Automated Defense System to Counter Internet Worms, Riccardo Scandariato, John C. Knight, DSN 2004.
http://dependability.cs.virginia.edu/publications/2004/scandariato-dsn04.pdf

Dynamic Quarantine of Internet Worms, Cynthia Wong, Chenxi Wang, Dawn Song, Stan Bielski, Gregory R. Ganger, DSN 2004.
http://www.pdl.cmu.edu/PDL-FTP/stray/DSN-04-worms_abs.html

i agree that there are plenty of scenarios where this doesn't work, but the scenarios it's designed for (aggressive scanning worms) it works reasonably well. it's *a tool* in the arsenal, not a silver bullet.

worms which use overlay networks (IM, mail, etc) won't be affected by network level throttles but they will be affected by application layer throttles, like anvil (in postfix), vthrottle (a milter for sendmail > 8.13) or sendmail itself (in 8.13, now in beta, and later). AOL IM already has throttling in the message routers hindering floods which pass through them, but not direct client communications.

vthrottle, anvil, etc are not effective against outgoing worms/viruses from your own network that set up their own SMTP servers ("direct to MX" worms). firewall rules which enforce a site's mail server policy (i.e. egress port 25 filtering) can help here.

vthrottle may catch inbound worms/viruses, but only after significant damage has been done. however, you can stem the tide and prevent totally rampant damage. it's a logical break, accepting that a worm will spread and that you can't prevent that. however, accept that and work with what you're left with, which is slowing it down some. and suddenly you find you have a few options open to you.

________
jose nazario, ph.d.                     jose () monkey org
http://monkey.org/~jose/                http://infosecdaily.net/
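The network-level throttle the post refers to works by limiting how fast a single host may open connections to destinations it has not talked to recently, so a normal host is unaffected while an aggressively scanning worm is slowed to a crawl and surfaces as a growing backlog. The following is an added illustration of that idea in Python; it is not code from the post, from the cited papers, or from any of the tools mentioned. The working-set size, the rate of one new destination per second with a burst of three, and the alert threshold of twenty pending destinations are assumed parameters, and the connection events are constructed sample data.

```python
from collections import Counter, OrderedDict, deque
from dataclasses import dataclass, field


@dataclass
class HostState:
    """Per-source bookkeeping for the throttle."""
    working_set: OrderedDict = field(default_factory=OrderedDict)  # recently contacted dsts
    delay_queue: deque = field(default_factory=deque)             # new dsts waiting for a token
    tokens: float = 0.0                                           # new-destination allowance
    last_ts: float = 0.0


class ConnectionThrottle:
    """Rate-limit new outbound destinations per source host (assumed parameters).

    A destination already in the host's working set is always allowed. A new
    destination costs one token; tokens refill at `new_dst_per_sec` up to `burst`.
    Without a token the destination is queued (delayed, not dropped) and released
    later as tokens accrue. A queue that reaches `alert_queue_len` is the signal
    that the host is scanning far faster than any normal client would.
    """

    def __init__(self, new_dst_per_sec=1.0, burst=3.0, working_set_size=5, alert_queue_len=20):
        self.rate = new_dst_per_sec
        self.burst = burst
        self.ws_size = working_set_size
        self.alert_len = alert_queue_len
        self.hosts = {}

    def _state(self, src, ts):
        st = self.hosts.get(src)
        if st is None:
            st = HostState(tokens=self.burst, last_ts=ts)
            self.hosts[src] = st
        return st

    def _admit(self, st, dst):
        # Add to the working set, evicting the least recently used destination.
        st.working_set[dst] = True
        st.working_set.move_to_end(dst)
        while len(st.working_set) > self.ws_size:
            st.working_set.popitem(last=False)

    def _refill(self, st, ts):
        elapsed = max(0.0, ts - st.last_ts)
        st.tokens = min(self.burst, st.tokens + elapsed * self.rate)
        st.last_ts = ts
        # Release queued destinations as tokens become available.
        while st.delay_queue and st.tokens >= 1.0:
            st.tokens -= 1.0
            self._admit(st, st.delay_queue.popleft())

    def observe(self, ts, src, dst):
        """Return 'allowed', 'delayed' or 'alert' for one connection attempt."""
        st = self._state(src, ts)
        self._refill(st, ts)
        if dst in st.working_set:
            st.working_set.move_to_end(dst)
            return "allowed"
        if st.tokens >= 1.0:
            st.tokens -= 1.0
            self._admit(st, dst)
            return "allowed"
        if dst not in st.delay_queue:
            st.delay_queue.append(dst)
        return "alert" if len(st.delay_queue) >= self.alert_len else "delayed"

    def suspected_scanners(self):
        """Sources whose backlog has reached the alert threshold."""
        return sorted(s for s, st in self.hosts.items() if len(st.delay_queue) >= self.alert_len)


def run(events, throttle=None):
    """Feed (timestamp, src, dst) events through the throttle; return per-source verdict counts."""
    throttle = throttle or ConnectionThrottle()
    counts = {}
    for ts, src, dst in sorted(events):
        counts.setdefault(src, Counter())[throttle.observe(ts, src, dst)] += 1
    return counts


# Constructed sample: a normal client talking to a handful of servers, then a host
# that tries 100 distinct destinations within one second (scanning-worm behaviour).
NORMAL = [(t, "10.0.0.5", d) for t, d in
          [(0.0, "mail"), (0.5, "mail"), (2.0, "dns"), (2.1, "web"), (5.0, "mail"), (9.0, "web")]]
SCANNER = [(20.0 + i * 0.01, "10.0.0.99", f"dst-{i}") for i in range(100)]
SAMPLE_EVENTS = NORMAL + SCANNER

if __name__ == "__main__":
    thr = ConnectionThrottle()
    for src, c in run(SAMPLE_EVENTS, thr).items():
        print(src, dict(c))
    print("suspected scanners:", thr.suspected_scanners())
```

The normal client never loses a token for long enough to be delayed, while the scanner gets three destinations through, has the next nineteen queued, and every attempt after that is reported against a backlog that has crossed the threshold. Queuing rather than dropping is what keeps the false-positive cost low: a legitimate burst is merely slowed, which is the trade-off the post describes.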