[Dshield] DShield's Public Goals

Jon R. Kibler Jon.Kibler at aset.com
Thu Jan 5 23:28:57 GMT 2006

David Cary Hart wrote:
> Hypothetically, much - if not most - of the malicious content that spreads
> around is designed to install SMTP on the host in order to relay spam and
> replication attachments. Judging from some of the patterns that I see, it seems
> that individuals are building networks of hundreds of machines that they
> control through IRC.

Port blocking has become nearly worthless. It is simply too easy to hide in plain sight using such things as Tor (which is what the really nasty malware is using -- not SOCKS) and covert channels. Software such as loki, http port, and countless other 'goodies' (such as shoveled shells) are the real issue. Also, I have recently seen a bunch of malware that is using IRC on non-standard ports -- blocking ports becomes an endless game of one-upmanship.

A better idea is ingress and egress filtering by ISPs, local networks, and EVERY host. What should be filtered?
   1) Bogus IP Addresses (EVERYONE!):
      a) Inbound -- any bogus address
      b) Outbound -- any address not sourced on that network
   2) Ports (LANs/Hosts):
      a) Inbound:
         o  Only allow established connections or new connections to specific ports on specific hosts
         o  Severely restrict ICMP
         o  Restrict any unsupported protocol
         o  All end-user connections must be through proxies
      b) Outbound:
         o  Only allow connections from proxy servers or limited services (such as DNS) on specific hosts
         o  Restrict any unsupported protocol
         o  Do not allow application or user ICMP
   3) Content (LANs):
      a) Proxy servers should filter all outbound content for policy exceptions
      b) Proxy servers should filter all inbound content for malware

My $0.02 worth.
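The inbound/outbound policy listed in the post above, written out as a small packet-filter model so the rules can be tested against sample traffic. This is an added illustration, not code from the post or from DShield: the site prefix 203.0.113.0/24, the proxy host .10, the resolver .53, the two published services, and the (partial) bogon list are all assumptions, and the "established" flag stands in for the connection tracking a real firewall would do.

```python
# Added illustration of the ingress/egress policy listed above.
# All addresses, hosts and the bogon list are assumptions for the example;
# the "established" flag stands in for a firewall's connection tracking.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("203.0.113.0/24")            # assumed site prefix
PROXY_HOSTS = {ip_address("203.0.113.10")}           # assumed outbound proxy
DNS_HOSTS = {ip_address("203.0.113.53")}             # assumed site resolver
# Inbound services exposed deliberately: (host, proto, port)
INBOUND_SERVICES = {
    (ip_address("203.0.113.25"), "tcp", 25),         # assumed mail relay
    (ip_address("203.0.113.80"), "tcp", 80),         # assumed web server
}
# Partial bogon list (private, loopback, link-local, documentation,
# multicast, reserved). A production list must be kept current.
BOGONS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]
SUPPORTED_PROTOS = {"tcp", "udp", "icmp"}
ICMP_INBOUND_OK = {"echo-reply", "destination-unreachable", "time-exceeded"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int = 0
    established: bool = False   # belongs to a connection already accepted
    icmp_type: str = ""


def is_bogon(addr):
    return any(addr in net for net in BOGONS)


def filter_inbound(pkt):
    """Policy for packets arriving from the Internet. Returns (verdict, reason)."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    # 1a: bogus source, including packets claiming to come from our own prefix
    if is_bogon(src) or src in LOCAL_NET:
        return "DROP", "bogus source address"
    if dst not in LOCAL_NET:
        return "DROP", "destination not on this network"
    if pkt.proto not in SUPPORTED_PROTOS:
        return "DROP", "unsupported protocol"
    if pkt.proto == "icmp":                       # 2a: severely restrict ICMP
        if pkt.icmp_type in ICMP_INBOUND_OK:
            return "ACCEPT", "permitted ICMP type"
        return "DROP", "restricted ICMP type"
    if pkt.established:                           # 2a: established connections
        return "ACCEPT", "established connection"
    if (dst, pkt.proto, pkt.dport) in INBOUND_SERVICES:
        return "ACCEPT", "published service"
    return "DROP", "no published service on that host/port"


def filter_outbound(pkt):
    """Policy for packets leaving toward the Internet. Returns (verdict, reason)."""
    src = ip_address(pkt.src)
    if src not in LOCAL_NET:                      # 1b: egress anti-spoofing
        return "DROP", "source not on this network (spoofed)"
    if pkt.proto not in SUPPORTED_PROTOS:
        return "DROP", "unsupported protocol"
    if pkt.proto == "icmp":                       # 2b: no user/application ICMP
        return "DROP", "user/application ICMP not allowed"
    if pkt.established:
        return "ACCEPT", "reply on established connection"
    if src in PROXY_HOSTS:                        # 2b: proxies may talk out
        return "ACCEPT", "proxy server"
    if src in DNS_HOSTS and pkt.dport == 53:      # 2b: limited service on a specific host
        return "ACCEPT", "resolver DNS"
    return "DROP", "end-user hosts must go through the proxy"


# Constructed sample traffic (not captured data).
SAMPLES = [
    ("in", Packet("10.1.2.3", "203.0.113.25", "tcp", 25)),          # spoofed private src
    ("in", Packet("203.0.113.9", "203.0.113.80", "tcp", 80)),       # claims our own prefix
    ("in", Packet("198.51.100.7", "203.0.113.25", "tcp", 25)),      # mail delivery
    ("in", Packet("198.51.100.7", "203.0.113.77", "tcp", 6667)),    # IRC to a workstation
    ("in", Packet("198.51.100.7", "203.0.113.77", "icmp", icmp_type="echo-request")),
    ("out", Packet("203.0.113.77", "198.51.100.7", "tcp", 6667)),   # bot calling home
    ("out", Packet("203.0.113.77", "198.51.100.7", "tcp", 8080)),   # IRC on a non-standard port
    ("out", Packet("203.0.113.10", "198.51.100.7", "tcp", 443)),    # proxy
    ("out", Packet("203.0.113.53", "198.51.100.53", "udp", 53)),    # resolver
    ("out", Packet("192.168.1.5", "198.51.100.7", "tcp", 80)),      # spoofed source
    ("out", Packet("203.0.113.25", "198.51.100.7", "tcp", 43210, established=True)),  # SMTP reply
]


def run_samples(samples=SAMPLES):
    """Apply the right policy to each sample; returns (direction, verdict, reason) per packet."""
    results = []
    for direction, pkt in samples:
        verdict, reason = (filter_inbound if direction == "in" else filter_outbound)(pkt)
        results.append((direction, verdict, reason))
    return results


if __name__ == "__main__":
    for (direction, pkt), (_, verdict, reason) in zip(SAMPLES, run_samples()):
        print(f"{direction:3} {pkt.src:>14} -> {pkt.dst:<14} {pkt.proto}/{pkt.dport:<5} {verdict:6} {reason}")
```

Note that the last two outbound checks are what make the post's point about port blocking: the workstation's IRC traffic is dropped whether it goes to 6667 or 8080, because the rule keys on which host may originate connections, not on the destination port.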

