IDS mailing list archives
RE: Single and Double flux DNS activity detection and prevention
From: "Srinivasa Addepalli" <srao () intoto com>
Date: Wed, 7 May 2008 09:08:06 -0700
I also would love to know if there are any methods which don't involve a large number of rules. You are right that IPS DNS traffic performance goes down with the number of domain name entries you have in the list. You can improve performance by configuring the IPS to use a DFA (software or hardware).

You, as an admin or list maintainer, can improve performance by updating the domain list by periodically monitoring their registrations. If domain names are deregistered, the domain name can be removed from the list. At the same time, be prepared to add the domain names if they are re-registered. I recommend having two lists, a master list and an active list, with the master list containing all malware domain names and the active list containing a subset of them.

Thanks
Srini

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Ravi Chunduru
Sent: Monday, May 05, 2008 9:29 PM
To: focus-ids () securityfocus com
Subject: Single and Double flux DNS activity detection and prevention

What are the mechanisms to prevent users from visiting malware sites even when Single/Double flux methods are used? I am using snort inline IPS. I had gone through http://www.honeynet.org/papers/ff/fast-flux.html and http://netsecinfo.blogspot.com/2008/04/botnets-using-fast-flux-and-double-flux.html. One of the mitigation techniques mentioned is to apply a domain block list. I feel that a domain-name-based block list is CPU intensive. Are there any other simple methods?

Thanks
Ravi

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
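The following is an added example, not code from either poster and not a Snort configuration. It shows the two ideas the exchange turns on: a domain block list whose lookup cost does not grow with the number of entries (one hash lookup per label of the query name, rather than one rule per domain), kept as a master list plus an active subset as Srini suggests, and the single-flux heuristics from the Honeynet paper Ravi cites (low TTL, many A records, spread over many networks). Every domain, IP address, TTL and DNS packet here is constructed sample data; the use of /16 prefixes as a stand-in for ASN diversity is an assumption made so the example runs offline.

```python
"""Added example: label-suffix block list lookup over raw DNS queries, with a
master/active list split, plus a fast-flux scoring heuristic. All data is
constructed for illustration."""
import struct
from ipaddress import ip_address

# Constructed sample lists. The master list holds every known malware domain;
# the active list is the subset currently believed to be registered and is the
# only one consulted on the hot path.
MASTER_LIST = {"badflux.example", "evil-bot.example", "dropper.example"}
ACTIVE_LIST = {"badflux.example", "evil-bot.example"}


def normalize(name):
    return name.rstrip(".").lower()


def matching_domain(qname, blocklist):
    """Return the blocklisted suffix that matches qname, or None.

    Walks the label boundaries of the query name, so the cost is one set
    lookup per label regardless of how many domains are in the list."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def qname_from_query(packet):
    """Extract the first question's QNAME from a raw DNS message
    (RFC 1035 wire format). Compression pointers are rejected because a
    legitimate query never uses them in the question section."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    off, labels = 12, []
    while True:
        if off >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question")
        if off + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels)


def build_query(name):
    """Build a minimal A/IN query for name (used here to construct packets)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    body = b"".join(struct.pack("!B", len(label)) + label.encode()
                    for label in normalize(name).split("."))
    return header + body + b"\x00" + struct.pack("!HH", 1, 1)


def check_packet(packet, blocklist=ACTIVE_LIST):
    """Return the matched block-list domain (drop) or None (pass)."""
    return matching_domain(qname_from_query(packet), blocklist)


def flux_score(ttl, a_records):
    """Score a DNS answer with the Honeynet fast-flux indicators: TTL under
    300 s, five or more A records, spread across three or more networks.
    Network spread is approximated by distinct /16 prefixes (assumption, no
    ASN data offline). Returns (score, details); 2 or more is suspicious."""
    nets = {int(ip_address(ip)) >> 16 for ip in a_records}
    score = int(ttl < 300) + int(len(a_records) >= 5) + int(len(nets) >= 3)
    return score, {"ttl": ttl, "a_records": len(a_records), "networks": len(nets)}


if __name__ == "__main__":
    for name in ("www.badflux.example", "www.dropper.example", "notbadflux.example"):
        print(name, "->", check_packet(build_query(name)))
    print(flux_score(180, ["10.1.2.3", "10.2.3.4", "192.0.2.5",
                           "198.51.100.9", "203.0.113.7"]))
```

Note that `www.dropper.example` passes against the active list but is caught when the master list is supplied, which is exactly the trade-off of Srini's two-list scheme: a smaller hot-path list at the cost of having to promote a domain back into it when it is re-registered.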
Current thread:
- Single and Double flux DNS activity detection and prevention Ravi Chunduru (May 06)
- Re: Single and Double flux DNS activity detection and prevention john lokka (May 07)
- RE: Single and Double flux DNS activity detection and prevention Srinivasa Addepalli (May 07)