Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FYI: Experimental Storm Worm DNS Blocklist


Experimental Storm Worm DNS Blocklist
Published: 2007-09-13
Last Updated: 2007-09-13 12:49:58 UTC
by Johannes Ullrich (Version: 1)

Threatstop is currently experimenting with a DNS-based blocklist scheme to
dynamically block Storm Worm infected hosts. It's a test list they offer for
free to get some feedback on how well it works for people. The basic idea of
their blocklist scheme is not like traditional DNS blocklists, which require a
DNS lookup for each new IP address seen. Instead, you add a hostname to your
blocklist, which will then resolve to multiple A records, each of which is an
IP address to be blocked. It appears that most firewalls will refresh the list
whenever the TTL for the record expires. Currently, the following hostnames can
be used:

basic.threatstop.com
basic1.threatstop.com
basic2.threatstop.com
basic3.threatstop.com
basic4.threatstop.com

Each one resolves to a set of Storm-infected IPs. This is just a temporary
service to test this distribution method with a larger set of users. For more
details, see the threatstop.com website.
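
The A-record scheme described above, as an added example that is not part of the original diary entry and is not Threatstop's code: it parses a constructed dig-style answer for one blocklist hostname, refuses to block protected ranges, and takes the refresh interval from the record TTL. The sample addresses, the PROTECTED ranges and the ipset set names storm and storm_tmp are assumptions.

```python
import ipaddress

# Constructed sample (dig answer-section format); RFC 5737 documentation addresses.
SAMPLE_ANSWER = """\
basic.threatstop.com. 300 IN A 192.0.2.10
basic.threatstop.com. 300 IN A 198.51.100.7
basic.threatstop.com. 300 IN A 10.0.0.5
basic.threatstop.com. 300 IN A 203.0.113.44
basic.threatstop.com. 300 IN A 192.0.2.10
basic.threatstop.com. 300 IN A 127.0.0.1
other.example. 60 IN A 198.51.100.99
"""

# Assumption: ranges this site must never block (loopback, internal networks).
PROTECTED = [ipaddress.ip_network(n) for n in
             ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def build_blocklist(answer, name, max_entries=1000):
    """Return (addresses to block, refresh seconds, rejected addresses)."""
    accepted, rejected, ttls = set(), set(), []
    for line in answer.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[2:4] != ["IN", "A"]:
            continue  # not an IN A record
        if fields[0].rstrip(".").lower() != name.rstrip(".").lower():
            continue  # record for a different name
        try:
            ip, ttl = ipaddress.IPv4Address(fields[4]), int(fields[1])
        except ValueError:
            continue  # malformed address or TTL
        ttls.append(ttl)
        if any(ip in net for net in PROTECTED):
            rejected.add(ip)  # a bad or spoofed answer must not block our own hosts
        else:
            accepted.add(ip)  # the set also removes duplicate records
    if len(accepted) > max_entries:
        raise ValueError("answer larger than expected; keep the previous list")
    return sorted(accepted), (min(ttls) if ttls else None), sorted(rejected)

def ipset_restore_lines(addresses, live="storm", tmp="storm_tmp"):
    """Render an atomic update for `ipset restore`; assumes set `live` exists."""
    lines = ["create %s hash:ip" % tmp]
    lines += ["add %s %s" % (tmp, ip) for ip in addresses]
    return lines + ["swap %s %s" % (tmp, live), "destroy %s" % tmp]

if __name__ == "__main__":
    block, refresh, dropped = build_blocklist(SAMPLE_ANSWER, "basic.threatstop.com")
    print("\n".join(ipset_restore_lines(block)))
    print("# refresh in %ss; refused to block: %s" % (refresh, dropped))
```

Because the firewall blocks whatever the name resolves to, the protected-range filter and the size cap are the checks that keep a wrong or forged answer from cutting off local hosts.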

