What are the mechanisms to prevent users from visiting malware sites even when Single/Double flux methods are used? I am using snort inline IPS.
I have gone through http://www.honeynet.org/papers/ff/fast-flux.html and http://netsecinfo.blogspot.com/2008/04/botnets-using-fast-flux-and-double-flux.html. One of the mitigation techniques mentioned is to apply a domain block list. I feel that a domain-name-based block list is CPU intensive. Are there any other simple methods?

Thanks,
Ravi
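A heuristic that can be run over resolver or passive-DNS logs to spot the fast-flux behaviour described in the papers linked above, added here as an example that is not part of the original post and not Snort code: it flags names with short TTLs and many addresses spread across unrelated /16 prefixes (single flux), and zones whose name servers themselves show that pattern (double flux). The thresholds, the /16 grouping, the `DnsAnswer` type and the sample records are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class DnsAnswer:
    name: str    # name that was queried
    rtype: str   # "A" (host address) or "NS" (name server of a zone)
    value: str   # IPv4 address for A, name-server host name for NS
    ttl: int

# Assumed thresholds for illustration, not a published standard.
MAX_TTL = 300      # flux networks keep TTLs short so hosts rotate quickly
MIN_IPS = 5        # many distinct addresses seen for one name
MIN_PREFIXES = 3   # spread over unrelated /16s (home ISPs, not one CDN range)

def slash16(ip):
    return ".".join(ip.split(".")[:2])

def single_flux(answers):
    # Per queried name: distinct IPs, distinct /16s, lowest TTL, verdict.
    by_name = defaultdict(list)
    for ans in answers:
        if ans.rtype == "A":
            by_name[ans.name].append(ans)
    report = {}
    for name, recs in by_name.items():
        ips = {r.value for r in recs}
        prefixes = {slash16(ip) for ip in ips}
        min_ttl = min(r.ttl for r in recs)
        fluxed = (min_ttl <= MAX_TTL and len(ips) >= MIN_IPS
                  and len(prefixes) >= MIN_PREFIXES)
        report[name] = {"ips": len(ips), "prefixes": len(prefixes),
                        "min_ttl": min_ttl, "fluxed": fluxed}
    return report

def double_flux(answers):
    # Zones whose NS hosts are themselves single-flux names.
    hosts = single_flux(answers)
    return {a.name for a in answers
            if a.rtype == "NS" and hosts.get(a.value, {}).get("fluxed")}

# Constructed sample: a CDN with a short TTL but one network (not flagged),
# a fluxed host name, and a zone whose name server also fluxes.
SAMPLE = (
    [DnsAnswer("cdn.legit.test", "A", f"198.51.100.{i}", 60) for i in range(1, 7)]
    + [DnsAnswer("www.bad.test", "A", ip, 180) for ip in
       ["203.0.113.5", "192.0.2.9", "198.18.4.4", "100.64.7.7", "172.16.3.3"]]
    + [DnsAnswer("ns1.bad.test", "A", ip, 120) for ip in
       ["203.0.113.77", "192.0.2.31", "198.18.9.9", "100.64.1.1", "172.16.8.8"]]
    + [DnsAnswer("bad.test", "NS", "ns1.bad.test", 120)]
)
```

Names flagged this way form a small exact-match set that can be handed to the blocking point (a resolver sinkhole or the IPS list) instead of matching every flow against a full domain list.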
