IDS mailing list archives
RE: Suggestions
From: "Drew Copley" <dcopley () eeye com>
Date: Wed, 2 Jun 2004 14:07:29 -0700
-----Original Message-----
From: Jose Nazario [mailto:jose () monkey org]
Sent: Wednesday, June 02, 2004 12:40 PM
To: Drew Copley
Cc: focus-ids () securityfocus com
Subject: RE: Suggestions

on the throttling front, several people have been investigating the efficacy of this approach in the real world:

An Automated Defense System to Counter Internet Worms, Riccardo Scandariato, John C. Knight, DSN 2004. http://dependability.cs.virginia.edu/publications/2004/scandariato-dsn04.pdf

Dynamic Quarantine of Internet Worms, Cynthia Wong, Chenxi Wang, Dawn Song, Stan Bielski, Gregory R. Ganger, DSN 2004. http://www.pdl.cmu.edu/PDL-FTP/stray/DSN-04-worms_abs.html

i agree that there are plenty of scenarios where this doesn't work, but the scenarios it's designed for (aggressive scanning worms) it works reasonably well. it's *a tool* in the arsenal, not a silver bullet.
Oh yeah, I in no way disagree. It is a very clever concept, and is perfect for devices on the wire but without lower level 'on the box protection'. Therefore, it is extremely suitable for backup boxes. Throttling type techniques are excellent 'on the box' as well for numerous types of attacks, especially attacks like denial of service attacks and the associated.
worms which use overlay networks (IM, mail, etc) won't be affected by network level throttles but they will be affected by application layer throttles, like anvil (in postfix), vthrottle (a milter for sendmail > 8.13) or sendmail itself (in 8.13, now in beta, and later). AOL IM already has throttling in the message routers hindering floods which pass through them, but not direct client communications.
Right... very aware of this.
vthrottle, anvil, etc are not effective against outgoing worms/viruses from your own network that set up their own SMTP servers ("direct to MX" worms). firewall rules which enforce a site's mail server policy (i.e. egress port 25 filtering) can help here. vthrottle may catch inbound worms/viruses, but only after significant damage has been done. however, you can stem the tide and prevent totally rampant damage. it's a logical break, accepting that a worm will spread and that you can't prevent that. however, accept that and work with what you're left with, which is slowing it down some. and suddenly you find you have a few options open to you.
In no way disagree... and I really like the papers. I was just noting a few side points.
________ jose nazario, ph.d. jose () monkey org http://monkey.org/~jose/ http://infosecdaily.net/
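Added example, not code from either poster or from the cited papers: a per-host "new destination" throttle of the kind the thread discusses for aggressive scanning worms, combined with the egress port 25 policy mentioned above, run over a short set of constructed flow records. The throttle design (working set of recent destinations, token bucket for new ones, delay rather than drop), the addresses, the relay host and the rate parameters are all assumptions chosen for illustration; the cited DSN papers may use different mechanisms.

```python
"""Per-host new-destination throttle plus egress SMTP policy (added example).

Assumptions: MAIL_RELAY is the only host allowed to open outbound port 25,
a host may contact one new destination per second, and a small working set
of recent destinations passes without cost. Flow records are constructed."""
from collections import Counter, deque
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MAIL_RELAY = "10.0.0.25"   # assumption: the site's sanctioned mail relay
SMTP_PORT = 25

Flow = Tuple[float, str, str, int]   # (timestamp, src host, dst host, dst port)


@dataclass
class HostThrottle:
    """Rate-limits the *new* destinations one host may contact.

    Repeats to a destination in the working set pass freely, so normal
    traffic (mail relay, DNS, a handful of web sites) is unaffected. Each
    new destination costs one token from a bucket refilled at `rate` per
    second and capped at `burst`. With no token left the attempt is queued
    (delayed) rather than dropped; a growing queue is the scanning signal
    a defender alerts on. Releasing queued entries as tokens refill is
    left out here to keep the example short."""
    rate: float = 1.0
    burst: float = 1.0
    tokens: float = 1.0
    last_ts: float = 0.0
    working_set: deque = field(default_factory=lambda: deque(maxlen=4))
    queue: List[str] = field(default_factory=list)

    def process(self, ts: float, dst: str) -> str:
        # Refill the bucket for the time elapsed since the last attempt.
        self.tokens = min(self.burst, self.tokens + (ts - self.last_ts) * self.rate)
        self.last_ts = ts
        if dst in self.working_set:
            return "known"
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            self.working_set.append(dst)
            return "pass"
        self.queue.append(dst)
        return "delayed"


def egress_smtp_allowed(src: str, dport: int) -> bool:
    """Site policy: direct-to-MX SMTP from anything but the relay is blocked."""
    return dport != SMTP_PORT or src == MAIL_RELAY


def evaluate_flows(flows: List[Flow]) -> List[Tuple[float, str, str, str]]:
    """Apply the egress policy first, then the per-host throttle."""
    throttles: Dict[str, HostThrottle] = {}
    verdicts = []
    for ts, src, dst, dport in sorted(flows):
        if not egress_smtp_allowed(src, dport):
            verdicts.append((ts, src, dst, "blocked_egress_smtp"))
            continue
        throttle = throttles.setdefault(src, HostThrottle())
        verdicts.append((ts, src, dst, throttle.process(ts, dst)))
    return verdicts


def summarize(verdicts) -> Dict[str, Dict[str, int]]:
    """Count verdicts per source host; many 'delayed' entries mark a scanner."""
    per_host: Dict[str, Counter] = {}
    for _, src, _, verdict in verdicts:
        per_host.setdefault(src, Counter())[verdict] += 1
    return {src: dict(c) for src, c in per_host.items()}


# Constructed flow records (timestamp, src, dst, dst port), not real traffic.
SAMPLE_FLOWS: List[Flow] = [
    # 10.0.1.7: a workstation visiting a few sites at a human pace
    (0.0, "10.0.1.7", "web-a.example", 80),
    (0.5, "10.0.1.7", "web-a.example", 80),
    (1.0, "10.0.1.7", "web-b.example", 80),
    (2.5, "10.0.1.7", "web-c.example", 443),
    # 10.0.1.9: a host sweeping six new addresses in half a second
    (5.0, "10.0.1.9", "10.0.2.1", 445),
    (5.1, "10.0.1.9", "10.0.2.2", 445),
    (5.2, "10.0.1.9", "10.0.2.3", 445),
    (5.3, "10.0.1.9", "10.0.2.4", 445),
    (5.4, "10.0.1.9", "10.0.2.5", 445),
    (5.5, "10.0.1.9", "10.0.2.6", 445),
    # the same host trying to deliver mail directly, bypassing the relay
    (5.6, "10.0.1.9", "mx.remote.example", 25),
    # the relay itself is allowed to open SMTP connections
    (6.0, "10.0.0.25", "mx.remote.example", 25),
]

if __name__ == "__main__":
    for src, counts in summarize(evaluate_flows(SAMPLE_FLOWS)).items():
        print(src, counts)
```

Run as-is, the workstation shows only "pass" and "known" verdicts, the sweeping host gets one "pass" followed by five "delayed" and one "blocked_egress_smtp", and the relay passes. This is the point both posters make: the throttle does not stop the infected host, it slows it to a rate the rest of the network can tolerate and produces a clear signal, while the port 25 egress rule closes the "direct to MX" path that application-layer throttles on the relay cannot see.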