08-11-07

A lesson in blacklisting and whitelisting

I received a listing of sites that are involved in a botnet-rootkit-zero-day attack on the network of a reader of this blog. If you have logs like this, send them to the central international coordination center at http://isc.sans.org; they even have a tool that submits them automatically.

But I thought I would take the log file, construct a block list out of it, and maybe teach you something about how to set up such a list when you are confronted with such an event (antivirus and antimalware tools are sometimes helpless for days or weeks before they can defend you against the new tricks online).

It is clear from the attack that it is based on scripts and lists that are hosted online and placed on websites that may not even know they are a vehicle for such a zombie attack against others (even though that could lead to financial liability under European law; tell this to your boss if he wants to cut your security budget).

So we have to block the outgoing HTTP traffic from the computers on your network to those sites or domains, just to be sure that if a machine gets infected it cannot fetch its contacts or updates from the network infrastructure of the botnet.

The first thing to do is to pick out the domain names that come from dangerous cyber-countries with which you have no relation or business contacts. Here you should switch from blacklisting domains to whitelisting sites (everything under that top-level domain is blocked except the sites you explicitly allow). Put a phone number on your intranet where people can ask to have a site whitelisted for 'business reasons'.

The second thing to block, if you are on a business network, are the free hosters that clearly have no security service or don't care a bit, and that are distributing malware and are zombie-infected. Most of the free hosters seen in this attack are already on other blacklists for this.

The third thing is the list of the remaining individual sites. A good proxy should be able to carry a blacklist as long as you wish without any effect on your speed. You can also use other (commercial) blacklist services, but you should test them first and count the false negatives.

Some years ago the specialists laughed at URL filtering and said it was useless; now it has become a necessary component of a fast response against new and fast-moving attacks. It also has a good effect on your defenses, because they only need to drop the traffic, not analyse it. So if you have a DDoS and you know where it comes from, and it repeatedly comes from the same sources, this will help (remember 11/11).

If your users have nothing to do in the following countries, just block them.

These top-level domains are really high risk and should be blacklisted, with individual destinations whitelisted as needed:
*.ru Russia
*.ro Romania
*.us not much used by US states
*.tm Turkmenistan; mostly sold as a 'trademark' domain, and spammy
*.by Belarus

Other top-level domains to consider blocking:

*.tw Taiwan
*.cl Chile
*.to Tonga

It is much more difficult to block .nl, .org, .it, .de and so on.

Free webspace hosters
Blocking those can also block some normal sites; the question is whether users may visit personal sites at all.

ifrance.com
geocities.com
ifreepages.com
bravehost.com
100webspace.net

Sites
lostwarriors.com
palahunterz.de
miniradio.no
altervista.org
rfidstore.it
black8.at
kit.net
soundoph.com
trosken.com
myhyanggi.com
pikant.hu
j24usa.com
godsteam.org
eventtoday.com
enteractive.nl
jazztel.es
bsalsa.com
intensivecareunit.co.uk
destra.ca
americanoffroaddepot.com
ripway.com
sunrunnerveterans.com
sg1-atlantis.com
orlandochristiansingles.org
theranchjohnstown.com
freehostia.com
mit-mediation.de

Some proxies and blocking tools require that you put a . or *. in front of the domain name, so that the entry also matches every subdomain.
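The three tiers above (blocked top-level domains with a per-site whitelist, free hosters, individual sites) can be checked mechanically before you load them into a proxy. The script below is an added example and not code from the original post: it takes the domain entries from the lists above, classifies destination hosts by suffix match on a label boundary (so www.kit.net and free.kit.net are caught by kit.net, but notkit.net is not), writes the entries in the dotted form that Squid's dstdomain ACL expects, and runs the decision over a few Squid access.log lines. The whitelist entry partner.example.ru, the client addresses and the log lines are constructed for illustration only. Hosts given as an IP literal fall outside every domain list, so they are flagged for review rather than silently allowed.

```python
"""Three-tier outbound HTTP block list with a per-site whitelist, a Squid
dstdomain exporter and a scan over proxy log lines.

Added example, not code from the original post. The domain entries come from
the post's lists; 'partner.example.ru', the client IPs and SAMPLE_LOG are
constructed for illustration only.
"""
import ipaddress
from urllib.parse import urlsplit

# Tier 1: whole country-code TLDs the business has no dealings with.
BLOCKED_TLDS = {"ru", "ro", "us", "tm", "by"}
# Business exceptions under a blocked TLD ("whitelist the individual destination").
WHITELISTED_SITES = {"partner.example.ru"}          # placeholder, not from the post
# Tier 2: free webspace hosters seen in the attack.
FREE_HOSTERS = {"ifrance.com", "geocities.com", "ifreepages.com",
                "bravehost.com", "100webspace.net"}
# Tier 3: individual sites from the log (a subset of the post's list).
BLOCKED_SITES = {"lostwarriors.com", "altervista.org", "ripway.com",
                 "freehostia.com", "kit.net"}


def host_from_url(url):
    """Lower-cased host from an absolute URL or a bare 'host:port' (CONNECT)."""
    if "://" not in url:
        url = "//" + url                  # Squid logs CONNECT targets as host:port
    host = urlsplit(url).hostname or ""   # urlsplit lower-cases, strips port/brackets
    return host.rstrip(".")               # 'www.kit.net.' == 'www.kit.net'


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def under_domain(host, domain):
    """Suffix match on a label boundary: 'free.kit.net' is under 'kit.net', 'notkit.net' is not."""
    return host == domain or host.endswith("." + domain)


def decide(url):
    """Return (action, reason); action is 'allow', 'block' or 'review'.

    The whitelist is checked first so a business exception under a blocked TLD
    still works; IP-literal destinations are outside every domain list and are
    handed to a human instead of being silently allowed.
    """
    host = host_from_url(url)
    if not host:
        return "review", "no host in URL"
    if is_ip_literal(host):
        return "review", "ip literal: not covered by a domain list"
    for site in WHITELISTED_SITES:
        if under_domain(host, site):
            return "allow", "whitelisted " + site
    tld = host.rsplit(".", 1)[-1]
    if tld in BLOCKED_TLDS:
        return "block", "blocked TLD ." + tld
    for hoster in FREE_HOSTERS:
        if under_domain(host, hoster):
            return "block", "free hoster " + hoster
    for site in BLOCKED_SITES:
        if under_domain(host, site):
            return "block", "blocked site " + site
    return "allow", "not listed"


def squid_dstdomain_lines(domains):
    """Entries for a Squid 'dstdomain' file: the leading dot also matches all subdomains."""
    return ["." + d for d in sorted(domains)]


# Constructed Squid native access.log lines (field 7 is the URL); not real traffic.
SAMPLE_LOG = """\
1194511234.123     45 10.0.0.12 TCP_MISS/200 1234 GET http://www.ifrance.com/x/update.exe - DIRECT/1.2.3.4 application/octet-stream
1194511235.456     12 10.0.0.12 TCP_MISS/200 532 GET http://free.kit.net/bot/list.txt - DIRECT/5.6.7.8 text/plain
1194511236.789    300 10.0.0.12 TCP_MISS/200 9000 CONNECT mail.partner.example.ru:443 - DIRECT/9.9.9.9 -
1194511237.000     20 10.0.0.13 TCP_MISS/200 700 GET http://notkit.net/index.html - DIRECT/1.1.1.1 text/html
1194511238.000     20 10.0.0.13 TCP_MISS/200 700 GET http://10.11.12.13/cfg.php - DIRECT/10.11.12.13 text/html
1194511239.000     20 10.0.0.14 TCP_MISS/200 700 GET http://news.example.by/ - DIRECT/2.2.2.2 text/html
"""


def scan_squid_log(text):
    """Classify every URL in the log; returns (client, host, action, reason) per line."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, url = fields[2], fields[6]
        action, reason = decide(url)
        rows.append((client, host_from_url(url), action, reason))
    return rows


if __name__ == "__main__":
    for client, host, action, reason in scan_squid_log(SAMPLE_LOG):
        print(f"{action:6} {client:12} {host:28} {reason}")
    print('\n# Squid: acl badsites dstdomain "/etc/squid/badsites.txt"')
    for entry in squid_dstdomain_lines(BLOCKED_SITES | FREE_HOSTERS):
        print(entry)
```

Run scan_squid_log over a day of your real access.log before you enforce anything; that tells you what the list would have blocked and which 'block' rows need a whitelist entry. The dotted lines go into a file referenced by an `acl ... dstdomain "file"` line and an `http_access deny` rule in squid.conf; the blocked TLDs can be exported the same way (squid_dstdomain_lines(BLOCKED_TLDS) gives .ru, .by, and so on).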

You use this at your own risk. I am not responsible if you use it without testing. It does not necessarily mean that any contact with these domains shows an infection. It just gives you less work, because you don't have to chase every change of link, domain, spelling or IP address. Do not use this for other protocols like SMTP.

Your input is always welcome

10:36 Posted by technology changes fast not a lot in General | Permalink | Comments (1)

Comments

Block list: good step
I would like to do exactly with my Apache servers what I do with sendmail and the Spamhaus and SpamCop RBL blacklists.
It would be great to be able to query a Belgian DNS server about the reliability of an HTTP user.
There is a nice project, http:BL,
at http://www.projecthoneypot.org/httpbl_implementations.php
but the site is closed for maintenance ;-)

Posted by: lapaile | 08-11-07

Comments are closed.