[Discussion] Why IDS sucks
Thorsten Holz
thorsten.holz at informatik.uni-mannheim.de
Sat Oct 18 14:35:39 UTC 2008
On 17.10.2008, at 16:25, Matt Jonkman wrote:
> Ya, we tried some things for low ttl dns, but it's used in legit apps
> too often.
>
> Only real way I see to effectively go after fast flux might be dns
> blacklisting. Most of them last for more than days, so blacklisting is
> relatively effective if we can keep effective sandnetting and intel
> gathering going. (Which is what we're trying to do at emerging threats
> for the long term)
Or use a scoring approach (developed by Robert Danford) similar to
what Arbor uses for their fast-flux identification
(http://atlas.arbor.net/summary/fastflux). This seems to work well in
practice; you need only a small whitelist for hosts like
db.us.big.clamav.net.
More details in our MALWARE'08 paper:
https://honeyblog.org/archives/206-MALWARE08-As-the-Net-Churns-Fast-Flux-Botnet-Observations.html
Cheers,
Thorsten
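The scoring idea Thorsten describes (rank a domain by how much its answer set churns across IPs and ASNs, then exempt a small whitelist of legitimate high-churn hosts) can be sketched as follows. This is an added illustration, not code from the list post, the MALWARE'08 paper, Robert Danford or Arbor ATLAS: the feature weights, the threshold, the `.example` domain names, the TEST-NET addresses and the private-range ASNs are all constructed for the example, and an ASN for each A record is assumed to come from a resolver-side enrichment step that is not shown.

```python
"""Illustrative fast-flux scoring over repeated DNS lookups (defender's view).

Score = w_ips * distinct_IPs + w_asns * distinct_ASNs + w_ttl * share_of_low_TTL_answers.
Weights and threshold below are constructed for illustration (assumption),
not the values used in the MALWARE'08 paper or by Arbor ATLAS.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Lookup:
    """One A record from one DNS answer, enriched with the record's origin ASN."""
    ip: str
    asn: int
    ttl: int


# Small whitelist for legitimate services that churn many IPs/ASNs
# (the post names db.us.big.clamav.net as such a host).
WHITELIST: Set[str] = {"db.us.big.clamav.net"}

# Constructed weights and threshold (assumption, not the paper's numbers).
W_DISTINCT_IPS = 1.0
W_DISTINCT_ASNS = 5.0
W_LOW_TTL = 3.0
LOW_TTL_SECONDS = 300
FLUX_THRESHOLD = 20.0


def flux_score(lookups: List[Lookup]) -> float:
    """Combine IP diversity, ASN diversity and TTL into one score.

    ASN diversity carries the largest weight because a single CDN tends to
    answer from few networks, whereas a flux network spreads across many.
    Low TTL alone contributes little, which keeps legitimate low-TTL sites
    from scoring as flux."""
    if not lookups:
        return 0.0
    distinct_ips = {l.ip for l in lookups}
    distinct_asns = {l.asn for l in lookups}
    low_ttl_share = sum(1 for l in lookups if l.ttl <= LOW_TTL_SECONDS) / len(lookups)
    return (W_DISTINCT_IPS * len(distinct_ips)
            + W_DISTINCT_ASNS * len(distinct_asns)
            + W_LOW_TTL * low_ttl_share)


def classify(domain: str, lookups: List[Lookup]) -> Tuple[str, float]:
    """Return ("whitelisted" | "fast-flux" | "benign", score) for a domain."""
    score = flux_score(lookups)
    if domain in WHITELIST:
        return "whitelisted", score
    if score >= FLUX_THRESHOLD:
        return "fast-flux", score
    return "benign", score


def _records(ips_asns: List[Tuple[str, int]], ttl: int) -> List[Lookup]:
    return [Lookup(ip, asn, ttl) for ip, asn in ips_asns]


# Constructed observations: eight successive answers per name.
SAMPLE_OBSERVATIONS: Dict[str, List[Lookup]] = {
    # Many IPs across many networks, very short TTL: the flux pattern.
    "flux.example": _records([
        ("198.51.100.11", 64496), ("203.0.113.25", 64497), ("192.0.2.40", 64498),
        ("198.51.100.77", 64499), ("203.0.113.90", 64500), ("192.0.2.120", 64501),
        ("198.51.100.130", 64496), ("203.0.113.200", 64497)], ttl=60),
    # Legitimate mirror pool that also churns, hence on the whitelist.
    "db.us.big.clamav.net": _records([
        ("192.0.2.1", 64502), ("192.0.2.2", 64503), ("192.0.2.3", 64504),
        ("192.0.2.4", 64505), ("192.0.2.5", 64506), ("192.0.2.1", 64502),
        ("192.0.2.2", 64503), ("192.0.2.6", 64504)], ttl=300),
    # One stable address, long TTL.
    "static.example": _records([("203.0.113.5", 64507)] * 8, ttl=3600),
    # Low TTL but only two IPs in one network: low TTL alone is not flux.
    "lowttl-cdn.example": _records(
        [("198.51.100.8", 64508), ("198.51.100.9", 64508)] * 4, ttl=30),
}


def classify_all() -> Dict[str, Tuple[str, float]]:
    return {name: classify(name, obs) for name, obs in SAMPLE_OBSERVATIONS.items()}


if __name__ == "__main__":
    for name, (verdict, score) in classify_all().items():
        print(f"{name:24s} score={score:5.1f} verdict={verdict}")
```

The `lowttl-cdn.example` entry is there to make Matt's point from the quoted message concrete: a low-TTL rule on its own would flag it, while the score stays well under the threshold because the answers come from two addresses in one network. In a real deployment the weights would be fitted on labelled lookups and the ASN lookup done against a BGP view or a whois-style service; both are outside this example.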