Author: M.Prince (30 Apr 07 4:55pm)
Check out this article from the Washington Post:
http://blog.washingtonpost.com/securityfix/2007/04/building_a_webbased_neighborho_1.html
This shows one of the potential benefits of http:BL. While it is tempting to simply ban all IPs that show up on the http:BL list, remember that some of them are computers that have been turned into zombies by viruses or trojans. If those of you implementing http:BL can include information on how human users of these IPs can clean their machines, we can provide notice to a lot of unknown zombies out there.
What we have done with the Apache module, and what we recommend for all robust implementations of http:BL, is that a website administrator be given a tool whereby they can designate that IPs that appear on the list but have not crossed a certain threat score threshold be given a challenge. If the human user passes the challenge, we whitelist them for the session and allow them to access the site.
But -- and here's the cool part -- this is an opportunity to educate a user whose machine may have been zombied. Tell them they appear on the http:BL list. Tell them a potential cause is that their machine has a virus or trojan. Point them to the resources to clean up their computer. If a significant number of sites implement http:BL in this way, as the article suggests, we can go a long way to controlling the zombie problem.
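An added example (not the Apache module's code, and not part of the original post) of the policy described above: look an address up in http:BL, allow clean addresses, challenge listed ones below a threat-score threshold, block the rest, and, when the challenge is passed, whitelist the address for the session and show the cleanup notice. The query-name format (`key.reversed-octets.dnsbl.httpbl.org`), the `127.<days>.<score>.<type>` answer layout and the visitor-type bits are taken from the http:BL API documentation; the access key `demokey`, the threshold of 50 and the DNS answers are constructed for an offline demo.

```python
import ipaddress

HTTPBL_ZONE = "dnsbl.httpbl.org"
# Visitor-type bit flags as documented for the http:BL API.
SUSPICIOUS, HARVESTER, COMMENT_SPAMMER = 1, 2, 4

# Constructed DNS answers standing in for real lookups (offline demo only).
FAKE_DNS = {
    "demokey.5.113.0.203.dnsbl.httpbl.org": "127.3.12.1",  # suspicious, score 12
    "demokey.9.113.0.203.dnsbl.httpbl.org": "127.0.90.6",  # harvester+spammer, 90
}

def demo_resolver(name):
    """Stand-in for a DNS A-record query; None means NXDOMAIN (not listed)."""
    return FAKE_DNS.get(name)

def httpbl_query_name(access_key, ip):
    """Build the lookup name: <key>.<octet4>.<octet3>.<octet2>.<octet1>.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return f"{access_key}.{'.'.join(reversed(octets))}.{HTTPBL_ZONE}"

def parse_httpbl_answer(answer):
    """Decode 127.<days since last activity>.<threat score>.<visitor type>."""
    if answer is None:
        return None
    first, days, score, vtype = (int(x) for x in answer.split("."))
    if first != 127:
        raise ValueError(f"unexpected http:BL answer {answer!r}")
    return {"days": days, "score": score, "type": vtype}

class HttpblGate:
    def __init__(self, access_key, resolver, challenge_threshold=50):
        self.key, self.resolve, self.threshold = access_key, resolver, challenge_threshold
        self.session_whitelist = set()  # addresses whose human passed the challenge

    def lookup(self, ip):
        return parse_httpbl_answer(self.resolve(httpbl_query_name(self.key, ip)))

    def decide(self, ip):
        """allow (clean or whitelisted), challenge (listed, below threshold) or block."""
        if ip in self.session_whitelist:
            return "allow"
        listing = self.lookup(ip)
        if listing is None:
            return "allow"
        return "block" if listing["score"] >= self.threshold else "challenge"

    def challenge_passed(self, ip):
        """Whitelist for the session and return the cleanup notice for the user."""
        self.session_whitelist.add(ip)
        listing = self.lookup(ip)
        kinds = [n for bit, n in ((SUSPICIOUS, "suspicious"), (HARVESTER, "harvester"),
                 (COMMENT_SPAMMER, "comment spammer")) if listing["type"] & bit]
        return (f"Your address is on the http:BL list ({', '.join(kinds)}, threat score "
                f"{listing['score']}). A common cause is a virus or trojan on your "
                "computer; please scan and clean it.")
```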