[Emerging-Sigs] Blocks based on IP alone

Martin Holste mcholste at gmail.com
Sun Oct 17 14:06:18 EDT 2010

There are a lot of great minds on this list, so I'd like your input on
an on-going dilemma:  If you put IP-level blocks using firewall rules
and router ACLs for malware C&C, you can hinder the malware and
possibly prevent check-ins, but because the TCP handshake is never
completed, you only get firewall deny log messages to identify
infected hosts.  Without a full reporting URL, it's difficult to
identify whether it was a malware check-in that was blocked or
something less serious like adware also being served from the blocked

We currently auto-create incident tickets for various malware check-in
sigs, which really helps streamline our SIRT process.  It isn't
possible to do this based on ACL deny messages because there's less
fidelity in an IP deny message than a URL-based check-in message.  On
the other hand, it would be nice to cut off as much communication with
the malware servers as possible.  Web proxy filters are the obvious
solution to this problem, but we can't implement that across the
board, so consider that out of scope for the purposes of the
discussion.  We do implement IP-level blocks for sites we know to be
distributing malware binaries, just not the check-in servers.

I'm interested in what, if anything, other organizations are doing to
address this dilemma.
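One way to get more out of the deny logs the post describes is to look at the timing of repeated denies from one internal host to one blocked C&C address: malware check-ins tend to retry on a fixed schedule, while incidental traffic (a browser retrying an ad server twice) does not. The script below is an added illustration, not code from the original post or from the Emerging Threats project. It parses netfilter-style DENY lines, keeps only destinations on a C&C blocklist, and classifies each (source, destination) pair by how regular the retry interval is. The log lines, the blocklist address and the regex field names are all constructed for the example; a real deployment would feed it the site's own firewall syslog and blocklist.

```python
"""Triage firewall deny logs against a C&C blocklist by retry regularity.

Added example (not from the original mailing-list post). Input and indicator
values below are constructed; 203.0.113.10 is a documentation-range address.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed netfilter/iptables-style DENY lines (not real traffic).
SAMPLE_LOG = """\
Oct 17 13:00:02 fw kernel: DENY IN=eth1 OUT=eth0 SRC=10.1.2.50 DST=203.0.113.10 PROTO=TCP SPT=51000 DPT=80
Oct 17 13:01:00 fw kernel: DENY IN=eth1 OUT=eth0 SRC=10.1.2.60 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=80
Oct 17 13:01:03 fw kernel: DENY IN=eth1 OUT=eth0 SRC=10.1.2.60 DST=203.0.113.10 PROTO=TCP SPT=40002 DPT=80
Oct 17 13:02:11 fw kernel: DENY IN=eth1 OUT=eth0 SRC=10.1.2.77 DST=203.0.113.10 PROTO=TCP SPT=52000 DPT=80
Oct 17 13:02:12 fw kernel: DENY IN=eth1 OUT=eth0 SRC=10.1.2.77 DST=203.0.113.10 PROTO=TCP SPT=52001 DPT=80
Oct 17 13:03:30 fw kernel: DENY IN=eth1 OUT=eth0 SRC=10.1.2.90 DST=198.51.100.5 PROTO=TCP SPT=33000 DPT=443
Oct 17 13:05:02 fw kernel: DENY IN=eth1 OUT=eth0 SRC=10.1.2.50 DST=203.0.113.10 PROTO=TCP SPT=51001 DPT=80
Oct 17 13:09:40 fw kernel: DENY IN=eth1 OUT=eth0 SRC=10.1.2.60 DST=203.0.113.10 PROTO=TCP SPT=40003 DPT=80
Oct 17 13:10:02 fw kernel: DENY IN=eth1 OUT=eth0 SRC=10.1.2.50 DST=203.0.113.10 PROTO=TCP SPT=51002 DPT=80
Oct 17 13:15:02 fw kernel: DENY IN=eth1 OUT=eth0 SRC=10.1.2.50 DST=203.0.113.10 PROTO=TCP SPT=51003 DPT=80
"""

# Constructed C&C blocklist; in practice this is the same list the ACLs are built from.
CNC_BLOCKLIST = {"203.0.113.10"}

# Syslog timestamp, then the netfilter SRC/DST/DPT fields (only DENY lines match).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) .*?\bDENY\b.*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)


def parse_deny_line(line):
    """Return {'ts', 'src', 'dst', 'dpt'} for a DENY line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog has no year; strptime defaults to 1900, which is fine for interval math.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return {"ts": ts, "src": m.group("src"), "dst": m.group("dst"), "dpt": int(m.group("dpt"))}


def triage(log_text, blocklist, min_hits=3, max_cv=0.2):
    """Group denies to blocklisted destinations per (src, dst) and rate retry regularity.

    Verdicts: 'beacon-like' (enough hits and near-constant interval),
    'irregular' (enough hits, jittery interval), 'insufficient' (too few hits).
    The coefficient of variation (stdev / mean of the gaps) is the regularity measure.
    """
    pairs = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_deny_line(line)
        if rec and rec["dst"] in blocklist:
            pairs[(rec["src"], rec["dst"])].append(rec["ts"])

    findings = []
    for (src, dst), stamps in sorted(pairs.items()):
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps) if gaps else 0.0
        if len(stamps) < min_hits:
            verdict = "insufficient"
        else:
            cv = pstdev(gaps) / avg if avg > 0 else 0.0
            verdict = "beacon-like" if cv <= max_cv else "irregular"
        findings.append({"src": src, "dst": dst, "hits": len(stamps),
                         "mean_interval": avg, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, CNC_BLOCKLIST):
        print(f"{f['src']} -> {f['dst']}: {f['hits']} denies, "
              f"mean gap {f['mean_interval']:.0f}s, {f['verdict']}")
```

In the constructed sample, 10.1.2.50 hits the blocked address every 300 seconds and is rated beacon-like, which is the kind of finding that could justify an automatic ticket even without a URL; 10.1.2.60 retries at uneven intervals and 10.1.2.77 only twice, so both would go to an enrichment queue rather than straight to the SIRT process. Traffic to the unlisted 198.51.100.5 is ignored. The thresholds (three hits, 20% jitter) are placeholders to tune against local data.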


