RE: Single and Double flux DNS activity detection and prevention



I also would love to know if there are any methods which don't involve a large
number of rules.

You are right that IPS DNS traffic performance goes down with the number of
domain name entries you have in the list. You can improve performance by
configuring IPS to use DFA (software or hardware).

You, as an admin or list maintainer, can improve performance by updating the
domain list by periodically monitoring their registrations. If domain names
are deregistered, the domain name can be removed from the list. At the same
time, be prepared to add the domain names if they are re-registered. I
recommend having two lists - a master list and an active list, with the master list
having all malware domain names and the active list containing a subset of them.

Thanks
Srini

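As an added example (not code from Srini, the list, or the snort project) of the master/active list scheme described in the reply above, the Python below keeps a master list, rebuilds the active subset from a registration-status callback, and emits one snort inline drop rule per active domain with the name in DNS wire-label form, so the rule count tracks only the active list. The domain names and registration results are constructed for illustration, and the callback stands in for the periodic registration check.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


def dns_wire_label(domain: str) -> str:
    """Encode a domain as snort binary content matching the name encoding of a
    DNS query: each label prefixed by its length, terminated by a zero byte."""
    parts = []
    for label in domain.lower().strip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad DNS label in {domain!r}")
        parts.append(f"|{len(label):02x}|{label}")
    return "".join(parts) + "|00|"


@dataclass
class BlockList:
    master: Set[str] = field(default_factory=set)  # every malware domain collected
    active: Set[str] = field(default_factory=set)  # subset currently registered

    def refresh(self, is_registered: Callable[[str], bool]) -> None:
        """Rebuild the active list: deregistered domains fall out, and master
        entries that are registered again come back. The master list is kept."""
        self.active = {d for d in self.master if is_registered(d)}

    def snort_rules(self, base_sid: int = 1000001) -> List[str]:
        """One drop rule per active domain, so rule count tracks the active list."""
        return [
            f'drop udp $HOME_NET any -> any 53 (msg:"DNS query for flux domain {d}"; '
            f'content:"{dns_wire_label(d)}"; nocase; sid:{base_sid + i}; rev:1;)'
            for i, d in enumerate(sorted(self.active))
        ]


# Constructed registration status standing in for the periodic WHOIS/DNS check
# (hypothetical data; a real deployment would query the registrar or resolver).
CONSTRUCTED_STATUS: Dict[str, bool] = {
    "flux1.example.com": True,   # still registered: stays active
    "flux2.example.net": True,   # re-registered after a takedown: returns to active
    "old.example.org": False,    # deregistered: dropped from active, kept in master
}


def build_demo() -> BlockList:
    """Load the constructed master list and refresh the active subset."""
    bl = BlockList(master=set(CONSTRUCTED_STATUS))
    bl.refresh(lambda d: CONSTRUCTED_STATUS.get(d, False))
    return bl
```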

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Ravi Chunduru
Sent: Monday, May 05, 2008 9:29 PM
To: focus-ids@xxxxxxxxxxxxxxxxx
Subject: Single and Double flux DNS activity detection and prevention

What are the mechanisms to prevent users from visiting malware sites
even when Single/Double flux methods are used? I am using snort
inline IPS.

I had gone through http://www.honeynet.org/papers/ff/fast-flux.html
and
http://netsecinfo.blogspot.com/2008/04/botnets-using-fast-flux-and-double-flux.html.

One of the mitigation techniques mentioned is to apply a domain block
list. I feel that a domain name based block list is CPU intensive. Are
there any other simple methods?

Thanks
Ravi

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------


Intoto Inc.