Posts Tagged ‘Bots’

ISP netblocks allocated to home computers are bot and proxy farms …

Wednesday, January 9th, 2008

… so I’m going to make the case that you should simply be blocking them en masse. But first, a little background.

Dynamic Addressing by ISPs

Internet Service Providers (ISPs) own blocks of contiguous IP addresses (aka “netblocks”) that they in turn assign to the computers that connect to the Internet through their service. When you sign up for DSL, Cable or even dial-up service and connect your computer to the Internet, the ISP assigns your computer an IP address from within a netblock it owns.

Some ISPs provide static IP services, where your computer keeps the same IP address all the time. But the vast majority of home computers are signed up for less expensive dynamic IP services, where your computer gets a new address each time it connects to the Internet. The address is often different every time you connect. But it’s always from within the same netblock.

This allows the ISP to sign up more customers than IP addresses it owns, kind of like how a bank is allowed to loan out money it doesn’t actually have in the vault. Since only a percentage of the ISP’s customers are connected at any given time, this works fine.

How to tell if an IP is in one of these Netblocks

My personal DSL provider is DSLExtreme. When my home computer connects to the Internet (actually, it’s my router), it’s always assigned an address in the netblock 72.25.123.0/24, which includes a range of IPs from 72.25.123.0 to 72.25.123.255.

(more…)

Overview of the threats posed by Bots

Friday, November 2nd, 2007

A few weeks ago, I wrote about how you can use the IRC blocking capability of your web filter to detect the presence of bots on your network. In that post, I assumed that we all understood the threat posed by bots — why they’re different from good ol’ fashioned malware infections. I’ve been asked to expand on that a bit, so here goes.

As we all know, the Internet has become a critical business tool and criminals have taken notice. Just as there is money to be made in doing business on the Internet, there is money to be made in carrying out crime on the Internet. And as criminals have focused more on the Internet, their tools have necessarily evolved and become more sophisticated.

Five years ago, the typical virus or worm author’s sole purpose was to gain notoriety and cause end-user headaches. Liabilities were limited to business outages and user downtime. Those are significant liabilities to be sure, but they seem almost quaint in light of the new threat landscape.

(more…)

New Categories: Fantasy Sports, Botnets, Web 2.0 stuff

Friday, October 12th, 2007

We added seven new categories to the 8e6 Database (aka “the Library”) in the update that went out last night. I’d like to explain the rationale behind these categories as well as talk about some things you might want to take into consideration as you decide how to update your filtering policies. Note: Only customers running version 2.0 and later of the R3000 will see these new categories.

The categories are:
(more…)

How to detect Bots on your network by blocking and reporting on IRC

Monday, October 8th, 2007

I worked for many years at Symantec in the Enterprise Security Group, where I wrote a slew of code for Symantec’s antivirus and client security products. In my time there, I talked to lots of IT Admins who were tasked (saddled?) with the responsibility of managing huge deployments of desktop security.

Their most difficult problems were always in the area of installation and deployment. Things like: How can you help me find all of the computers on my network that need AV installed on them? Can your product identify the source of an infection, so I can go find that computer and clean it up? It was all about managing and probing those dark corners of the network where desktop security wasn’t already deployed.

The solution is to use the security products that are at your gateway.

(more…)

Bots’ brazen User-Agent headers

Friday, September 28th, 2007

The esteemed security group CastleCops was under a distributed denial-of-service attack back at the beginning of September. The DDoS apparently consisted of both a TCP SYN flood and an HTTP request flood. They posted some great data to help the community identify suspected zombie computers used to carry out the attack: an HTTP log of suspicious web access from their site, and a list of IPs with whois data of possible bot-infected hosts.

(more…)