I also would love to know if there are any methods which don't involve a large number of rules.
You are right that IPS DNS traffic performance goes down with the number of domain name entries you have in the list. You can improve performance by configuring the IPS to use DFA (software or hardware). You, as an admin or list maintainer, can improve performance by updating the domain list, periodically monitoring the domains' registrations. If domain names are deregistered, the domain name can be removed from the list. At the same time, be prepared to add the domain names back if they are re-registered. I recommend having two lists, a master list and an active list, with the master list having all malware domain names and the active list containing a subset of them.

Thanks
Srini

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ravi Chunduru
Sent: Monday, May 05, 2008 9:29 PM
To: [email protected]
Subject: Single and Double flux DNS activity detection and prevention

What are the mechanisms to prevent users from visiting malware sites even when Single/Double flux methods are used? I am using snort inline IPS. I had gone through http://www.honeynet.org/papers/ff/fast-flux.html and http://netsecinfo.blogspot.com/2008/04/botnets-using-fast-flux-and-double-flux.html. One of the mitigation techniques mentioned is to apply a domain block list. I feel that a domain-name-based block list is CPU intensive. Are there any other simple methods?

Thanks
Ravi

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------

********************************************************************************
This email message (including any attachments) is for the sole use of the intended recipient(s) and may contain confidential, proprietary and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please immediately notify the sender by reply email and destroy all copies of the original message. Thank you.
Intoto Inc.
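As an added example that is not part of either post in this thread: the two points raised above are that a domain block list should not cost more per packet as the list grows, and that the list is easier to keep accurate if a master list of all known malicious domains is kept separate from an active list of those currently registered. The code below shows one way to get both properties without one IPS rule per domain: it parses the question name out of a raw DNS query and looks the name and each of its parent suffixes up in a hash set, so each lookup costs a handful of set probes however large the list is (a hash set plays the same role here that the DFA mentioned above plays inside the IPS). The packet, the domain names (reserved .test/.example names) and the DomainBlocklist/decide names are all constructed for this example and are not Snort APIs.

```python
"""Size-independent DNS block-list lookup with a master/active list split.

Added example for the mailing-list thread above; not part of any post or of
Snort. All packets and domain names below are constructed for illustration.
"""
import struct
from typing import Optional, Tuple


def parse_qname(packet: bytes) -> str:
    """Return the question name of a single-question DNS query (RFC 1035 wire
    format), lower-cased. Queries never use name compression in the question
    section, so a compression pointer is treated as malformed input."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        if pos + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    return ".".join(labels)


class DomainBlocklist:
    """Master list = every known malicious domain; active list = the subset
    currently registered. Only the active set is consulted on the packet path.
    A lookup walks the suffixes of the queried name, so blocking an apex also
    blocks its subdomains, and the cost is O(number of labels), not O(list)."""

    def __init__(self, master, active):
        self.master = {d.lower().rstrip(".") for d in master}
        self.active = {d.lower().rstrip(".") for d in active} & self.master

    def mark_deregistered(self, domain: str) -> None:
        self.active.discard(domain.lower().rstrip("."))

    def mark_registered(self, domain: str) -> None:
        d = domain.lower().rstrip(".")
        if d in self.master:          # never activate a name not on the master list
            self.active.add(d)

    def match(self, qname: str) -> Optional[str]:
        labels = qname.lower().rstrip(".").split(".")
        for i in range(len(labels)):  # "cdn.x.test" -> "cdn.x.test", "x.test", "test"
            candidate = ".".join(labels[i:])
            if candidate in self.active:
                return candidate
        return None


def build_query(name: str, qtype: int = 1) -> bytes:
    """Constructed DNS query (ID 0x1234, RD set, one question) for testing."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + question + b"\x00" + struct.pack("!HH", qtype, 1)


def decide(packet: bytes, blocklist: DomainBlocklist) -> Tuple[str, Optional[str]]:
    """Verdict an inline IPS hook would act on: ("drop", matched_entry) or ("pass", None).
    Unparseable queries are passed through here; a real deployment would log them."""
    try:
        hit = blocklist.match(parse_qname(packet))
    except ValueError:
        return ("pass", None)
    return ("drop", hit) if hit else ("pass", None)


# Constructed lists: old-flux.example is known but currently deregistered.
MASTER_LIST = ["flux-example.test", "old-flux.example"]
ACTIVE_LIST = ["flux-example.test"]

if __name__ == "__main__":
    bl = DomainBlocklist(MASTER_LIST, ACTIVE_LIST)
    print(decide(build_query("cdn.flux-example.test"), bl))   # ('drop', 'flux-example.test')
    print(decide(build_query("www.old-flux.example"), bl))    # ('pass', None)
    bl.mark_registered("old-flux.example")                    # re-registered: activate it
    print(decide(build_query("www.old-flux.example"), bl))    # ('drop', 'old-flux.example')
```

The suffix walk deliberately matches on label boundaries only, so "notflux-example.test" does not match an entry for "flux-example.test"; a substring or regex match per domain would, and would also cost time proportional to the list size on every query.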
