[Emerging-Sigs] Blocks based on IP alone

Robert Kerr rob at rkerr.co.uk
Mon Oct 18 03:03:06 EDT 2010


On Sun, 2010-10-17 at 13:06 -0500, Martin Holste wrote:
> There are a lot of great minds on this list, so I'd like your input on
> an on-going dilemma:  If you put IP-level blocks using firewall rules
> and router ACLs for malware C&C, you can hinder the malware and
> possibly prevent check-ins, but because the TCP handshake is never
> completed, you only get firewall deny log messages to identify
> infected hosts.  Without a full reporting URL, it's difficult to
> identify whether it was a malware check-in that was blocked or
> something less serious like adware also being served from the blocked
> IP.

Rather than blocking these IPs outright, why not route them to a
honeypot-type box that has fake services? Just having a webserver on
there allows you to catch a large percentage of malware. You can use
netcat to catch traffic on other ports.

Once you have this in place you can also start manipulating DNS to point
at it. If you for example find a fast-flux hostname that is being used
by a bot, you can configure your DNS server to point that name to the
honeypot. 

-- 
 Robert Kerr
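
A minimal sketch of the fake web service suggested in the reply above, added as an example and not part of the original message: it logs the Host header and full request URL that a firewall deny log would lack. The port, log format, function names and sample request are assumptions.

```python
import json
import socketserver
import sys
import time

MAX_BYTES = 8192  # cap what is read from an untrusted client
# Constructed sample request, for illustration only.
SAMPLE = (b"GET /gate.php?id=42 HTTP/1.1\r\nHost: c2.example.test\r\n"
          b"User-Agent: Mozilla/4.0\r\n\r\n")

def summarize(raw: bytes, src_ip: str, dst_port: int) -> dict:
    """Turn the first bytes a redirected client sent into a log record."""
    rec = {"ts": int(time.time()), "src": src_ip, "dport": dst_port,
           "bytes": len(raw), "proto": "unknown"}
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) == 3 and parts[2].startswith("HTTP/"):
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        host = headers.get("host", "")
        # Origin-form targets start with "/"; proxy-style ones are already absolute.
        url = "http://" + host + parts[1] if parts[1].startswith("/") else parts[1]
        rec.update(proto="http", method=parts[0], host=host, url=url,
                   user_agent=headers.get("user-agent", ""))
    else:
        rec["preview"] = raw[:64].hex()  # non-HTTP: keep a short hex preview
    return rec

class SinkholeHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(5)
        try:
            raw = self.request.recv(MAX_BYTES)  # first segment is enough to log
        except OSError:
            raw = b""
        rec = summarize(raw, self.client_address[0], self.server.server_address[1])
        print(json.dumps(rec), flush=True)  # one JSON line per connection
        if rec["proto"] == "http":
            self.request.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n"
                                 b"Connection: close\r\n\r\n")

if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8080
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("0.0.0.0", port), SinkholeHandler) as srv:
        srv.serve_forever()
```
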


