That should already be your firewall policy: block everything by default except for that which you explicitly need / permit. That includes outbound connections as well, and not just NTP but everything. [This isn't mandatory, but do realize that not doing so provides less security and is advisable if you want more security.]
If you're worried about breaking things, the usual scenario is to set up a "permit but log" rule, and check the log a few days later. Whether or not you decide to block NTP, it's probably a good idea to keep logging NTP traffic and checking the logs periodically for signs of compromise, as long as you have the resources to do so.

Having said that, don't assume that if the virus can't make an NTP connection, it won't go ahead and try downloading anyways. Blocking NTP may not block this virus or future variants, depending.

The thing to note about these recent Sober articles is that this has been going on for two years now. One Sober.X activation date already came and went, and dozens of previous variants acted in the same way. This is nothing new, except that the AV companies have released more details this time, and the media is making a bigger deal of it for some reason this time. If you only block the list of URLs given, you'll remain vulnerable when the next Sober variant comes out and the AV companies decide not to publish a list of the URLs.

- karl levinson

> -----Original Message-----
> From: Curt Shaffer [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 15, 2005 11:50 AM
> To: [email protected]
> Subject: sober resurfacing
>
> All,
>
> I am working on a plan to try and help minimize the effect of the possible
> sober resurfacing on Jan. 5/6th. After reading the security focus article
> that this worm relies on NTP to know when to release, I am wondering on the
> feasibility of blocking NTP out to the internet that week except for the
> certain devices that need it. Does anyone have input on this?
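Added example, not part of the original message: one way to review the output of a "permit but log" rule for outbound NTP, listing internal hosts that sent NTP but are not on the approved list. The log lines are constructed in the iptables LOG style, and the `NTP-OUT` prefix, the addresses and the approved-client list are assumptions.

```python
import re
from collections import defaultdict

# Assumption: hosts that legitimately need outbound NTP (e.g. an internal time server).
APPROVED_NTP_CLIENTS = {"10.0.0.5"}

# Constructed sample lines in iptables LOG style; "NTP-OUT" is a hypothetical log prefix.
SAMPLE_LOG = """\
Jan  3 09:00:01 fw kernel: NTP-OUT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 LEN=76 PROTO=UDP SPT=123 DPT=123
Jan  3 09:02:17 fw kernel: NTP-OUT IN=eth1 OUT=eth0 SRC=10.0.1.44 DST=198.51.100.7 LEN=76 PROTO=UDP SPT=1045 DPT=123
Jan  3 09:02:19 fw kernel: NTP-OUT IN=eth1 OUT=eth0 SRC=10.0.1.44 DST=203.0.113.9 LEN=76 PROTO=UDP SPT=1046 DPT=123
Jan  3 09:05:00 fw kernel: WEB-OUT IN=eth1 OUT=eth0 SRC=10.0.1.44 DST=203.0.113.80 LEN=60 PROTO=TCP SPT=1050 DPT=80
Jan  3 09:07:42 fw kernel: NTP-OUT IN=eth1 OUT=eth0 SRC=10.0.2.8 DST=198.51.100.7 LEN=76 PROTO=UDP SPT=123 DPT=123
"""

# Key=value pairs as they appear in the log line (SRC=..., DPT=..., and so on).
FIELD = re.compile(r"(\w+)=(\S+)")


def unexpected_ntp_clients(log_text, approved=APPROVED_NTP_CLIENTS):
    """Return {source_ip: sorted NTP servers contacted} for hosts not in `approved`."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        # Match on protocol and destination port rather than the log prefix,
        # so the check still works if the logging rule is renamed.
        if fields.get("PROTO") != "UDP" or fields.get("DPT") != "123":
            continue
        src = fields.get("SRC")
        if src and src not in approved:
            hits[src].add(fields.get("DST", "?"))
    return {src: sorted(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    for src, dsts in sorted(unexpected_ntp_clients(SAMPLE_LOG).items()):
        print(f"{src} sent NTP to {len(dsts)} external server(s): {', '.join(dsts)}")
```

A workstation that appears here is a candidate for a closer look before the outbound NTP rule is switched from log to block.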
