- The worm blockers on the previous two slides are effective. But what if:
  - An infected dial-up user is blocked, and then subsequent users on the same line can't reach your site?
  - An infected user is behind a NAT firewall or transparent proxy/cache?
  - A malicious third party posts (or e-mails to users) links which, when followed, set off the worm blocker?
- Some possible solutions:
  - Require a minimum number of hits from an IP address before blacklisting it (Nimda and Code Red never knock just once)
  - Amnesty policy: "Forgive" IPs (either unconditionally or if "well-behaved") after a certain amount of time
- Other refinements
  - Notify administrator of current block list so that he or she can contact repeat offenders by phone or e-mail
  - Add a "do not block" list that works by IP and/or domain
- We can never prevent all potential problems, but can do pretty well
- Because SNOBOL4 has hashes, can send mail, etc., the SNOBOL4 program can be adapted to implement any desired policy
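
The policy refinements above (minimum hit count, amnesty, "do not block" list, block list for the administrator), combined in one sketch. This is an added example in Python, not the SNOBOL4 program from these slides; the class and function names, the thresholds and the sample events are assumptions made for illustration.

```python
import ipaddress

class WormBlockPolicy:
    def __init__(self, min_hits=3, amnesty_secs=3600, allow_nets=(), allow_domains=()):
        self.min_hits = min_hits            # probes required before blacklisting
        self.amnesty_secs = amnesty_secs    # quiet time after which an IP is forgiven
        self.allow_nets = [ipaddress.ip_network(n) for n in allow_nets]
        self.allow_domains = [d.lower().strip(".") for d in allow_domains]
        self.hits = {}                      # ip -> (probe count, time of last probe)

    def _exempt(self, ip, rdns):
        # "Do not block" list by IP range or by domain. The rdns value should be
        # forward-confirmed by the caller, since PTR records are set by the IP's owner.
        addr = ipaddress.ip_address(ip)
        host = (rdns or "").lower().rstrip(".")
        return (any(addr in net for net in self.allow_nets) or
                any(host == d or host.endswith("." + d) for d in self.allow_domains))

    def _expire(self, ip, now):
        # Amnesty, "well-behaved" variant: forgive after amnesty_secs without a probe.
        rec = self.hits.get(ip)
        if rec and now - rec[1] >= self.amnesty_secs:
            del self.hits[ip]

    def record_probe(self, ip, now, rdns=None):
        """Call when a request matched a worm signature; True if ip is now blocked."""
        if self._exempt(ip, rdns):
            return False
        self._expire(ip, now)
        count = self.hits.get(ip, (0, now))[0] + 1
        self.hits[ip] = (count, now)
        return count >= self.min_hits

    def is_blocked(self, ip, now):
        self._expire(ip, now)
        return self.hits.get(ip, (0, now))[0] >= self.min_hits

    def block_list(self, now):
        """Current block list, for the administrator notification."""
        return sorted(ip for ip in list(self.hits) if self.is_blocked(ip, now))

# Constructed sample: (time in seconds, source IP, reverse DNS) of worm-signature hits.
SAMPLE = [(0, "192.0.2.10", None), (5, "192.0.2.10", None), (9, "192.0.2.10", None),
          (20, "198.51.100.7", None),                   # one click on a planted link
          (30, "203.0.113.5", "cache1.isp.example")]    # allowlisted proxy/cache

def replay(policy, events):
    for t, ip, rdns in events:
        policy.record_probe(ip, t, rdns)
    return policy
```

With these sample events, the host that probed three times is blocked, the single hit from a followed link stays below the threshold, and the allowlisted proxy is never counted.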