> -----Original Message-----
> From: Duncan Hill [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, February 03, 2004 8:52 AM
> To: [EMAIL PROTECTED]
> Subject: Re: OT - myDoom why not fight back?
>
>
> On Tuesday 03 February 2004 13:45, Fred wrote:
>
> > This concept was done before (welchia?) but they made a bad choice. My
> > intent is not to infect them with a copy of said evil program but only to
> > close the infection and inform the user, no harm done.
> >
> > I'm thinking this would be just as bad as creating a virus, but at least
> > someone was fighting for the people!
>
> The problem is, what if your 'benign' fix doesn't account for something it has
> never seen before, and (at a long stretch) formats the drive of the machine
> it is trying to fix? Which is worse, the fix or the problem?
>
> It's a nice idea, but really and truly, the fix should be made in other ways,
> including but not limited to:
> * ISPs disabling port 25 outbound from client IP pools unless the client can
> prove a reason to have that access. Everyone else either gets blocked, or
> use transparent proxying to force port 25 to the ISP mail server.
> * ISPs running AV engines on inbound and outbound queues. This has the effect
> of slowing mail down a bit, but it's worth it.
> * Companies setting their firewalls to not allow 25 outbound from anything but
> a registered mail server.
> * Companies running combination gateway + server + desktop AV engines
>
> None of those options are cheap, but they are doable. If you can, run the
> outbound SMTP checker before the 200 status code returned on the DATA
> segment. Deliveries will take a bit longer from the client point of view,
> but viruses can be rejected before they have a chance to be passed into the
> net.
The best idea I heard so far was ISPs quarantining the infected machines. All traffic is blocked, and any website gets diverted to a web page explaining that the user is infected and how to fix the infection. This does require active scanning by the ISP.

On a side note, to stop some of the DDOS, is it possible for ISPs to static route a domain to local 127.0.0.1? So for the first day of a scheduled DDOS, an ISP would route all www.sco.com traffic to the user's own system. That would save a lot of traffic :)

--Chris
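The check Duncan describes, scanning the message before the end-of-DATA reply so the client gets a rejection rather than an acceptance, as an added Python example that is not code from this thread. The hostname and the attachment-name scanner are stand-ins for a real gateway's AV engine; the client dialogues are constructed.

```python
import re

# Constructed stand-in for an AV engine: flags executable attachment names.
BLOCKED_ATTACHMENT = re.compile(r'filename="?[^"\r\n]+\.(exe|pif|scr|bat|cmd)"?', re.I)

def scan_message(raw_body):
    """Return None if the message passes, else a short rejection reason."""
    match = BLOCKED_ATTACHMENT.search(raw_body)
    return f"blocked attachment {match.group(0)}" if match else None

def smtp_session(client_lines):
    """Run one client dialogue through a minimal receiver and return its replies.
    The scan runs before the end-of-DATA reply: a flagged message gets a 550
    instead of 250, so it is never queued for onward delivery.
    """
    replies = ["220 mx.example.invalid ESMTP"]  # placeholder hostname
    in_data, body = False, []
    for line in client_lines:
        if in_data:
            if line == ".":  # end of DATA: decide before answering
                in_data = False
                reason = scan_message("\r\n".join(body))
                body = []
                replies.append(f"550 5.7.1 Message rejected: {reason}"
                               if reason else "250 2.0.0 OK: queued")
            else:
                # Dot-unstuffing: a leading ".." inside DATA stands for "."
                body.append(line[1:] if line.startswith("..") else line)
            continue
        verb = line.split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            replies.append("250 mx.example.invalid")
        elif verb in ("MAIL", "RCPT"):
            replies.append("250 2.1.0 OK")
        elif verb == "DATA":
            in_data = True
            replies.append("354 End data with <CR><LF>.<CR><LF>")
        elif verb == "QUIT":
            replies.append("221 2.0.0 Bye")
        else:
            replies.append("500 5.5.1 Command unrecognized")
    return replies

# Constructed client dialogues, not captured traffic.
ENVELOPE = ["EHLO pc.example.invalid", "MAIL FROM:<a@example.invalid>",
            "RCPT TO:<b@example.invalid>", "DATA"]
INFECTED_SESSION = ENVELOPE + ["Subject: hi", "Content-Disposition: attachment;",
                               ' filename="document.scr"', "", "..not a terminator", ".", "QUIT"]
CLEAN_SESSION = ENVELOPE + ["Subject: hi", "", "plain text only", ".", "QUIT"]
```

Because the verdict is computed while the client is still waiting for the end-of-DATA reply, the sender learns of the rejection immediately and nothing is written to the outbound queue.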
