I deal in IDSes more than IPSes. So, I feel the domain blocks would be better suited for the DNS server rather than the IPS, although I imagine they could work equally well on an IPS. Still, I don't know if there is generic signature detection of fast-flux networks for IDS/IPS systems.

I attended a brief at NDSS on fast-flux detection methods. The research presented was new and wasn't able to be automated. The presented research was an initial framework, so it was a start toward automating the process. I wish I had more time to invest in this problem, because I believe it is an excellent and difficult one to solve. If anyone is working on this problem, I'd be interested.

John Lokka

On Mon, May 5, 2008 at 6:28 PM, Ravi Chunduru <[EMAIL PROTECTED]> wrote:
> What are the mechanisms to prevent users from visiting malware sites
> even when single/double flux methods are used? I am using Snort
> inline IPS.
>
> I had gone through http://www.honeynet.org/papers/ff/fast-flux.html
> and
> http://netsecinfo.blogspot.com/2008/04/botnets-using-fast-flux-and-double-flux.html.
>
> One of the mitigation techniques mentioned is to apply a domain block
> list. I feel that a domain-name-based block list is CPU intensive. Are
> there any other simple methods?
>
> Thanks
> Ravi
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to
> http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
> to learn more.
> ------------------------------------------------------------------------
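The two points raised in the thread, whether a domain block list is expensive to consult and whether fast-flux behaviour can be spotted generically from DNS data, can both be illustrated on the resolver side. The following is an added example, not code from either poster or from the Honeynet paper. The block-list check is a plain label-suffix lookup against a hash set, so its cost is bounded by the number of labels in the name, not the size of the list. The fast-flux score applies the signals the Honeynet whitepaper describes (short TTLs, many A records per answer, addresses spread across unrelated networks, and the address set changing between successive lookups); the weights, the /16 grouping as a stand-in for ASN lookup, and the thresholds are assumptions chosen for this example, and the DNS answers are constructed from documentation address ranges, not captured traffic.

```python
"""Resolver-side checks for the fast-flux discussion: a cheap domain
block-list lookup and a heuristic fast-flux score over successive
DNS answers for one name. Added example; thresholds are assumptions."""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple
import ipaddress


@dataclass(frozen=True)
class Answer:
    """One A-record answer set for a name, as returned by a single lookup."""
    name: str
    ttl: int
    addrs: Tuple[str, ...]


def blocked(name: str, blocklist: Set[str]) -> bool:
    """Suffix match against a hash set: 'a.b.example.com' is blocked if
    any of a.b.example.com, b.example.com, example.com or com is listed.
    Cost is O(number of labels), independent of the list size."""
    labels = name.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def distinct_slash16s(addrs: Iterable[str]) -> Set[str]:
    """Group addresses by /16 as a rough proxy for 'different networks';
    a real deployment would map to ASNs instead (assumption for the example)."""
    return {str(ipaddress.ip_network(a + "/16", strict=False)) for a in addrs}


def fast_flux_score(lookups: List[Answer], ttl_max: int = 300,
                    min_addrs: int = 5, min_nets: int = 3,
                    churn_min: float = 0.5) -> Tuple[int, List[str]]:
    """Score successive lookups of the same name, one point per signal:
    low TTL, many distinct A records, spread across many /16s, and a
    high fraction of addresses in later answers unseen in the first.
    Returns (score, list of triggered signals). Thresholds are assumed."""
    if not lookups:
        return 0, []
    score, reasons = 0, []

    if max(a.ttl for a in lookups) <= ttl_max:
        score += 1
        reasons.append(f"ttl<={ttl_max}")

    seen: Set[str] = set()
    for a in lookups:
        seen.update(a.addrs)
    if len(seen) >= min_addrs:
        score += 1
        reasons.append(f"addrs>={min_addrs}")

    if len(distinct_slash16s(seen)) >= min_nets:
        score += 1
        reasons.append(f"nets>={min_nets}")

    first = set(lookups[0].addrs)
    later: Set[str] = set()
    for a in lookups[1:]:
        later.update(a.addrs)
    if later and len(later - first) / len(later) >= churn_min:
        score += 1
        reasons.append(f"churn>={churn_min}")
    return score, reasons


def is_fast_flux(lookups: List[Answer], threshold: int = 3) -> bool:
    """Flag a name when at least `threshold` of the four signals fire."""
    return fast_flux_score(lookups)[0] >= threshold


# Constructed sample data (documentation ranges, not real observations).
FLUX = [  # low TTL, many addresses, several /16s, full turnover each lookup
    Answer("flux.example", 180, ("192.0.2.10", "198.51.100.20", "203.0.113.30",
                                 "192.0.2.200", "198.51.100.77")),
    Answer("flux.example", 180, ("203.0.113.31", "192.0.2.11", "198.51.100.21",
                                 "100.64.5.9", "100.64.77.3")),
    Answer("flux.example", 180, ("100.64.5.10", "192.0.2.12", "203.0.113.32",
                                 "198.51.100.22", "100.64.77.4")),
]
CDN = [  # low TTL and many addresses, but one network and a stable set
    Answer("cdn.example", 60, ("192.0.2.1", "192.0.2.2", "192.0.2.3",
                               "192.0.2.4", "192.0.2.5")),
    Answer("cdn.example", 60, ("192.0.2.1", "192.0.2.2", "192.0.2.3",
                               "192.0.2.4", "192.0.2.5")),
]
STATIC = [Answer("www.example", 86400, ("203.0.113.5",))]
BLOCKLIST = {"flux.example"}

if __name__ == "__main__":
    for series in (FLUX, CDN, STATIC):
        print(series[0].name, fast_flux_score(series), is_fast_flux(series),
              "blocked" if blocked(series[0].name, BLOCKLIST) else "allowed")
```

The CDN case is the one to watch: a legitimate content network also answers with short TTLs and several A records, so TTL and record count alone would produce false positives; the network-diversity and churn signals are what separate it here. A resolver that logs answers could feed each name's recent lookups into `fast_flux_score` and hand names that cross the threshold to the block list, which then costs a handful of set lookups per query.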
