[Dshield] DNS blackholes

Mark markt442 at yahoo.com
Mon Dec 12 21:54:40 GMT 2005


Of course with policy-based switches, you can disable
the entire subnet with one classification rule. On my
Enterasys switches, I just add a classification rule
to "deny" on that IP or subnet, and every port on my
network becomes a virtual firewall (not stateful mind
you - just an analogy).

That and I don't allow my users to run network
services such as their own DNS, SMTP, Web or TFTP
servers. Has stopped replication of many virii that
have made their way past traditional defenses.

>From my older Cisco days, you could always manage your
ACLs. I just find the Enterasys environment MUCH
easier to deploy with.

Note: many newer virii are shipping with their own DNS
tables. That is, they put a local entry of 127.0.0.1
for many a/v sites. This tactic as it matures will be
used to avoid many DNS type blocks. Locking the local
DNS table is one method to circumvent this attack -
but hey, root's root if you know what I mean.

One of Microsoft's NAP features is to Quarantine end
systems by assigning them an IP mapped to a DNS that
masks out most sites. The weakness in this solution is
the virus that will use it's own DNS table. The
network devices you manage are much safer bet for
trapping and locking.

Of course, that's just my opinion and YMMV.

-Mark


Forwarded Message
From:	"Martin Forest" <martin at forest.gen.nz>
Subject:	Re: [Dshield] DNS blackholes
Date:	Sat, 10 Dec 2005 12:47:37 +1300
To:	"General DShield Discussion List"
<list at lists.dshield.org>

If the user knows the ip address, they can go there
without dns, either by ip address in the url or put an
entry in the hosts file. The only way to make sure you
block the server is to nullroute/acl/firewall the ip 
address(s). If you have a fortinet firewall, you can
do some clever web  blocking. And in the next major
version, there are some really neet  functions for
blocking...
/Martin Forest

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 


More information about the list mailing list