Posted by Todd H. on December 5, 2005, 3:51 pm
> I'm new to this group and hope I'm not in left field...
>
> Looking at my firewall logs, it seems evident that there are many
> attempts per hour to exploit vulnerabilities that are blocked by the
> firewall.
>
> It is also pretty obvious what those attacks are (specific ports with
> known vulnerabilities etc). The packets presumably originate in hacked
> computers acting as zombies.
>
> If the first-hop routers from the machines sending these packets were
> "trained" to spot such probes (doesn't seem very hard to do) and
> immediately blocked all traffic from the affected machines, it would
> prevent other machines from being hacked. The same would work for a
> DDOS attack: the best response is also distributed since each router
> has only to deal with traffic from a few machines.
>
> Anyone know if such a thing exists or is in the works? If not, is there
> a problem with the concept?
The problem is the likelihood of one man's attack signature match
being another man's legitimate traffic. And then the process for
someone to say, hey my http request isn't working, etc etc. Currency
of the attack signatures, and all that.
It would be great if ISPs were to implement such measures, but it
could also be a nightmare for users in the event of errant signatures
creeping in that represent legit traffic.
Hell, I have a hard enough time telling my cable modem provider's
level 1 goons that their DNS servers are down, for instance. Imagine
if I had to explain "it appears my legitimate URL request of [blah] is
being swallowed by your router's attack filters." Imagine how many
times they'd have me unplug and replug my cable modem's power?
--
Todd H.
http://www.toddh.net/
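An added illustration (not the poster's code) of the false-positive problem raised in the reply: a first-hop block on any single signature hit, beside a variant that blocks only scan-like repetition. The flows, addresses and signature rules are constructed for the example.

```python
from collections import defaultdict

# Constructed sample flows (src, dst, dport, payload) standing in for what a first-hop
# router would see; addresses are from documentation ranges, not real hosts.
FLOWS = [
    ("10.0.0.5", "203.0.113.10", 445, b""),
    ("10.0.0.5", "203.0.113.11", 445, b""),
    ("10.0.0.5", "203.0.113.12", 445, b""),
    ("10.0.0.5", "203.0.113.13", 445, b""),
    ("10.0.0.9", "198.51.100.7", 80, b"GET /docs/cmd.exe-history.html HTTP/1.1\r\n"),
    ("10.0.0.9", "198.51.100.7", 80, b"GET /index.html HTTP/1.1\r\n"),
]

# Hypothetical signature list. The payload rule is deliberately over-broad to stand in
# for the "errant signature" the reply warns about: it fires on a harmless URL too.
SIGNATURES = {
    "smb-probe": lambda dport, payload: dport == 445,
    "cmd.exe-in-url": lambda dport, payload: b"cmd.exe" in payload,
}

def matches(dport, payload):
    return [name for name, rule in SIGNATURES.items() if rule(dport, payload)]

def naive_block(flows):
    """Scheme from the thread: one signature hit blocks all further traffic from that source."""
    blocked, decisions = set(), []
    for src, dst, dport, payload in flows:
        if src not in blocked and matches(dport, payload):
            blocked.add(src)
        decisions.append((src, dst, "drop" if src in blocked else "pass"))
    return decisions

def threshold_block(flows, min_targets=3):
    """Block only on scan-like behaviour: the same signature from one source against
    min_targets distinct destinations. A single matching request is logged, not blocked,
    so an over-broad payload signature alone cannot cut off a user's web browsing.
    The trade-off: the first min_targets-1 probes from a real scanner still get through."""
    seen = defaultdict(set)  # (src, signature) -> destinations it fired against
    blocked, decisions = set(), []
    for src, dst, dport, payload in flows:
        for name in matches(dport, payload):
            seen[(src, name)].add(dst)
            if len(seen[(src, name)]) >= min_targets:
                blocked.add(src)
        decisions.append((src, dst, "drop" if src in blocked else "pass"))
    return decisions

def dropped_sources(decisions):
    return {src for src, _, verdict in decisions if verdict == "drop"}
```

With the naive scheme the legitimate index.html request from 10.0.0.9 is swallowed along with the scanner's traffic; the threshold variant drops only the scanning host.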