Focus on IDS
Single and Double flux DNS activity detection and prevention May 06 2008 04:28AM
Ravi Chunduru (ravi is chunduru gmail com) (2 replies)
RE: Single and Double flux DNS activity detection and prevention May 07 2008 04:08PM
Srinivasa Addepalli (srao intoto com)
I also would love to know if there are any methods which don't involve large
number of rules.

You are right that IPS DNS traffic performance goes down by the number of
domain name entries you have in the list. You can improve performance by
configuring IPS to use DFA (software or hardware).

You, as an admin or list maintainer, can improve performance by updating the
domain list through periodic monitoring of their registrations. If domain names
are deregistered, the domain name can be removed from the list. At the same
time, be prepared to add the domain names if they are re-registered. I
recommend having two lists - a master list and an active list, with the master list
having all malware domain names and the active list containing a subset of them.

Thanks
Srini

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On
Behalf Of Ravi Chunduru
Sent: Monday, May 05, 2008 9:29 PM
To: focus-ids (at) securityfocus (dot) com
Subject: Single and Double flux DNS activity detection and prevention

What are the mechanisms to prevent users from visiting malware sites
even when Single/Double flux methods are used? I am using snort
inline IPS.

I had gone through http://www.honeynet.org/papers/ff/fast-flux.html
and
http://netsecinfo.blogspot.com/2008/04/botnets-using-fast-flux-and-double-flux.html.

One of the mitigation techniques mentioned is to apply a domain block
list. I feel that a domain-name-based block list is CPU intensive. Are
there any other simple methods?

Thanks
Ravi



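The reply above recommends DFA-style matching so that checking a DNS query name against a domain block list does not slow down with the size of the list. As an added example (not code from this thread, Snort, or any named product), the snippet below builds a suffix trie over reversed labels, so a lookup costs at most one step per label regardless of how many domains are listed, and it parses the query name out of a constructed wire-format DNS query. The block-list domains and the sample packet are constructed for illustration.

```python
import struct

class DomainBlockList:
    """Trie keyed by labels from the TLD inward; a terminal node blocks
    the listed domain and every hostname beneath it, which is what matters
    for fast-flux names that churn hosts under one registered domain."""
    def __init__(self, domains):
        self.root = {}
        for domain in domains:
            self.add(domain)

    def add(self, domain):
        node = self.root
        for label in reversed(domain.lower().rstrip(".").split(".")):
            node = node.setdefault(label, {})
        node[None] = True  # terminal marker: this node is a listed domain

    def blocks(self, name):
        """Walk at most len(labels) steps, independent of list size."""
        node = self.root
        for label in reversed(name.lower().rstrip(".").split(".")):
            node = node.get(label)
            if node is None:
                return False
            if None in node:
                return True
        return False

def parse_query_name(packet):
    """Return the QNAME of a wire-format DNS query. Queries carry an
    uncompressed name, so a compression pointer (top bits 11) is rejected."""
    (qdcount,) = struct.unpack("!H", packet[4:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12  # question section starts after the 12-byte header
    while packet[pos] != 0:
        length = packet[pos]
        if length & 0xC0:
            raise ValueError("compression pointer in query name")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

def build_query(name):
    """Constructed sample packet: a minimal DNS A/IN query for `name`."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)
```

Swapping the active list for a new one is just constructing a fresh `DomainBlockList`, which fits the master/active list scheme the reply describes.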
Re: Single and Double flux DNS activity detection and prevention May 07 2008 04:41AM
john lokka (merigoth gmail com)
Copyright 2008, SecurityFocus