RE: Single and Double flux DNS activity detection and prevention

["Srinivasa Addepalli" <srao () intoto com>]

I also would love to know if there are any methods which don't involve large
number of rules.

You are right that IPS DNS traffic performance goes down by the number of
domain name entries you have in the list.  You can improve performance by
configuring IPS to use DFA (software or hardware). 

You, as an admin or list maintainer, can improve performance by updating
domain list by periodically monitoring their registrations. If domain names
are deregistered, domain name can be removed from the list. At the same
time, be prepared to add the domain names if they are re-registered. I
recommend to have two lists - Master list and active list with master list
having all malware domain names and active list containing subset of them.

Thanks
Srini


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Ravi Chunduru
Sent: Monday, May 05, 2008 9:29 PM
To: focus-ids () securityfocus com
Subject: Single and Double flux DNS activity detection and prevention

What are the mechanisms to prevent users from visiting malware sites
even when Single/Double flux methods are used?  I am using snort
inline IPS.

I had gone through http://www.honeynet.org/papers/ff/fast-flux.html
and
http://netsecinfo.blogspot.com/2008/04/botnets-using-fast-flux-and-double-fl
ux.html.

One of the mitigation technique mentioned is to apply domain block
list.  I feel that domain name based block list is CPU intensive.  Are
there any other simple methods?

Thanks
Ravi

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=in
tro_sfw 
to learn more.
------------------------------------------------------------------------


********************************************************************************
This email message (including any attachments) is for the sole use of the intended recipient(s) 
and may contain confidential, proprietary and privileged information. Any unauthorized review, 
use, disclosure or distribution is prohibited. If you are not the intended recipient, 
please immediately notify the sender by reply email and destroy all copies of the original message. 
Thank you.
 
Intoto Inc. 


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------