RE: sober resurfacing

That should already be your firewall policy: block
everything by default except for that which you
explicitly need / permit. That includes outbound
connections as well, and not just NTP but everything.
[This isn't mandatory, but do realize that not doing
so provides less security and is advisable if you want
more security.]

If you're worried about breaking things, the usual
scenario is to set up a "permit but log" rule, and
check the log a few days later. Whether or not you
decide to block NTP, it's probably a good idea to keep
logging NTP traffic and checking the logs periodically
for signs of compromise, as long as you have the
resources to do so.

Having said that, don't assume that if the virus can't
make an NTP connection, it won't go ahead and try
downloading anyway. Blocking NTP may not block this
virus or future variants, depending.

The thing to note about these recent Sober articles is
that this has been going on for two years now. One
Sober.X activation date already came and went, and
dozens of previous variants acted in the same way.
This is nothing new, except that the AV companies have
released more details this time, and the media is
making a bigger deal of it for some reason this time.

If you only block the list of URLs given, you'll
remain vulnerable when the next Sober variant comes
out and the AV companies decide not to publish a list
of the URLs.

- karl levinson

> -----Original Message-----
> From: Curt Shaffer [mailto:cshaffer@xxxxxxxxx]
> Sent: Thursday, December 15, 2005 11:50 AM
> To: focus-ms@xxxxxxxxxxxxxxxxx
> Subject: sober resurfacing
>
> All,
>
> I am working on a plan to try and help minimize the effect of the
> possible sober resurfacing on Jan. 5/6th. After reading the focus
> article that this worm relies on NTP to know when to release, I am
> wondering on the feasibility of blocking NTP out to the internet
> except for the certain devices that need it. Does anyone have input
> on this?
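The "permit but log" approach above needs someone to actually read the logs before the rule becomes "deny". As an added example (not part of either message), here is a small Python script that reads constructed iptables LOG lines from a hypothetical "[NTP-OUT]" logging rule and reports which internal hosts reached NTP servers without being on the explicit permit list; the log format, prefix, addresses and permit list are all assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of syslog lines written by a hypothetical iptables rule such as
#   iptables -A FORWARD -p udp --dport 123 -j LOG --log-prefix "[NTP-OUT] "
# Addresses are documentation ranges (RFC 5737); nothing here is real traffic.
SAMPLE_LOG = """\
Dec 16 03:12:01 fw kernel: [NTP-OUT] IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.1 LEN=76 TTL=64 PROTO=UDP SPT=123 DPT=123 LEN=56
Dec 16 03:12:02 fw kernel: [NTP-OUT] IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.2 LEN=76 TTL=64 PROTO=UDP SPT=123 DPT=123 LEN=56
Dec 16 03:14:40 fw kernel: [NTP-OUT] IN=eth1 OUT=eth0 SRC=192.0.2.57 DST=198.51.100.1 LEN=76 TTL=128 PROTO=UDP SPT=32769 DPT=123 LEN=56
Dec 16 03:14:41 fw kernel: [NTP-OUT] IN=eth1 OUT=eth0 SRC=192.0.2.57 DST=198.51.100.9 LEN=76 TTL=128 PROTO=UDP SPT=32770 DPT=123 LEN=56
Dec 16 03:15:00 fw kernel: [DNS-OUT] IN=eth1 OUT=eth0 SRC=192.0.2.57 DST=198.51.100.53 LEN=64 TTL=128 PROTO=UDP SPT=32771 DPT=53 LEN=44
"""

# Hosts explicitly permitted to talk NTP to the internet (assumed, e.g. the internal time server).
ALLOWED_NTP_CLIENTS = {"192.0.2.10"}

# Pull source, destination, protocol and destination port out of an iptables LOG line.
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)")


def ntp_talkers(log_text):
    """Map each internal source that sent outbound NTP (UDP/123) to the servers it reached."""
    servers = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        # Skip lines that are not UDP to port 123, whatever the log prefix says.
        if not m or m.group("proto") != "UDP" or m.group("dpt") != "123":
            continue
        servers[m.group("src")].add(m.group("dst"))
    return dict(servers)


def unexpected_ntp_clients(log_text, allowed):
    """Sources that used NTP but are not on the permit list.

    Each one is either a device that needs adding to the permit list or a
    host worth a closer look before the logging rule is turned into a deny."""
    return {src: dsts for src, dsts in ntp_talkers(log_text).items() if src not in allowed}


if __name__ == "__main__":
    for src, dsts in sorted(unexpected_ntp_clients(SAMPLE_LOG, ALLOWED_NTP_CLIENTS).items()):
        print(f"{src} reached NTP servers not covered by the permit list: {', '.join(sorted(dsts))}")
```

Run it against a few days of real firewall logs instead of the sample; an unlisted host talking to several different time servers is the kind of entry worth explaining before the rule changes.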
