
Rate limiting connections to new hosts to slow the spread of worms

Posted Feb 8, 2003 0:17 UTC (Sat) by fgouget (guest, #4601)
Parent article: The MS-SQL worm: lessons for free software

There was an interesting article (which of course I can't find anymore so I'll try to explain what it said) that advocated modifying 'desktop' OSes to rate limit connections to *new* IP addresses. With each new worm it becomes more obvious that this is something worth implementing.

Note that the proposal is not to rate limit the packets you send to a given IP address. Rather it keeps track of the list of hosts your machine has sent packets to in the past, and limits the rate at which new hosts are added to that list. For instance it could keep track of the last 64 hosts (IP addresses really) and allow up to 10 new addresses to be added per second. For normal use this would have no impact as typical desktops connect to few new hosts even when surfing the web (around 3 or 4 at a time). But such a scheme would tremendously slow down the spread of a worm like CodeRed or Slammer: instead of probing 100 to more than 1000 new hosts per second it would only be able to scan 10 new hosts per second. This would give administrators more time to react.

The best place to implement this would be in an iptables module, ipfw, in other words any firewall or router and, please, where the worms live... Windows!
And yes, you would not want to set this up on a server like lwn. But such servers usually do not spread worms.
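The scheme described in the comment above, written out as an added simulation (not code from the comment's author, LWN, or any firewall project): a working set of the last 64 destination addresses, and a per-second allowance of 10 additions to that set. Repeat connections to a known host always pass; a connection to an unseen host passes only while the current second's allowance lasts, otherwise it is held back. The browsing and worm traffic samples below are constructed, with the 64/10 parameters taken from the comment and the shape of the "normal" traffic (about 4 new sites per second, each followed by repeat fetches) an assumption made here for illustration.

```python
from collections import OrderedDict


class NewHostThrottle:
    """Limit the rate at which *new* destination hosts are contacted.

    Known hosts are kept in an LRU working set (the comment's "last 64 hosts");
    only additions to that set are counted against the per-second limit.
    Timestamps are passed in explicitly so the simulation is deterministic.
    """

    def __init__(self, known_hosts=64, new_per_second=10):
        self.capacity = known_hosts
        self.limit = new_per_second
        self.known = OrderedDict()   # dst_ip -> last contact time, LRU order
        self.window = None           # integer second currently being counted
        self.new_in_window = 0       # new hosts admitted in that second
        self.delayed = 0             # connections held back so far

    def allow(self, dst_ip, now):
        """Return True if a packet to dst_ip may go out at time `now`."""
        if dst_ip in self.known:
            # Already-contacted host: unlimited, just refresh its LRU position.
            self.known.move_to_end(dst_ip)
            self.known[dst_ip] = now
            return True
        second = int(now)
        if second != self.window:
            # New one-second window: reset the new-host allowance.
            self.window = second
            self.new_in_window = 0
        if self.new_in_window >= self.limit:
            # Allowance for this second exhausted: hold the connection back.
            self.delayed += 1
            return False
        self.new_in_window += 1
        self.known[dst_ip] = now
        if len(self.known) > self.capacity:
            self.known.popitem(last=False)   # evict least recently used host
        return True


def simulate(throttle, attempts):
    """Feed (timestamp, dst_ip) attempts through the throttle.

    Returns (connections allowed, connections held back).
    """
    allowed = sum(1 for t, ip in attempts if throttle.allow(ip, t))
    return allowed, throttle.delayed


def browsing_traffic(seconds=5, new_per_sec=4, repeats=6):
    """Constructed sample: a desktop user reaching ~4 new sites per second,
    each site then fetched repeatedly (images, scripts) within the same second."""
    attempts, n = [], 0
    for s in range(seconds):
        for k in range(new_per_sec):
            ip = f"198.51.100.{n}"          # documentation range, constructed
            n += 1
            t = s + k / new_per_sec
            attempts.append((t, ip))
            for r in range(repeats):
                attempts.append((t + 0.01 * (r + 1), ip))
    return attempts


def worm_traffic(seconds=5, probes_per_sec=1000):
    """Constructed sample: a scanning worm probing 1000 distinct addresses
    per second, the upper end of the rate quoted in the comment."""
    attempts, n = [], 0
    for s in range(seconds):
        for k in range(probes_per_sec):
            ip = f"10.{(n >> 16) & 255}.{(n >> 8) & 255}.{n & 255}"  # constructed
            n += 1
            attempts.append((s + k / probes_per_sec, ip))
    return attempts


if __name__ == "__main__":
    print("browsing:", simulate(NewHostThrottle(), browsing_traffic()))
    print("worm:    ", simulate(NewHostThrottle(), worm_traffic()))
```

Run over the two samples, the browsing traffic passes untouched (140 allowed, 0 held back) because it never adds more than 4 new hosts in any second, while the worm's 5000 probes are cut to 50 successful new contacts over 5 seconds, i.e. the 10 per second the comment describes. Held-back connections are only counted here; a real implementation would queue them for the next window rather than drop them, so a legitimate burst is delayed slightly instead of failing, and a sustained queue of unseen destinations is itself a useful alert signal for the administrator.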



Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds