ThreatSTOP in the real world

Simon Woodhead

6th September 2012

We’ve mentioned ThreatSTOP repeatedly in the past. It is an IP reputation service which provides a critical complement to any firewall, from iptables through to high-end hardware based solutions. It blocks traffic to AND from known bad IP addresses, and the list of those addresses is continually updated. Our honeypot and darknet are two of the data sources, but there are dozens more, including some which, to put it bluntly, you need to listen to.

The service is delivered over DNS and configured through a web interface. You can choose from 30 or so different data feeds to apply, configure your own white/black lists, and even apply geographic filtering to block areas of the world you do not do business with but may see high levels of intrusion attempts from. If your firewall can submit logs back it will also report on what has been dropped and why.

So why are we banging on about this? Three reasons:

  • we use it ourselves and can evidence the results
  • a recent report from McAfee shows the largest rise in malware in 4 years
  • pricing has been dramatically reduced from September 1st and is now at a level which should be a no-brainer for your own equipment and a revenue opportunity for you in protecting your customers

Our results

We apply multiple layers of security to our network for obvious reasons. It is fair to say that most traffic gets blocked by our basic firewall rules, e.g. Conficker traffic on port 445 will not be passed simply because port 445 has no services listening on it. As our Darknet research has shown, the majority of ‘noise’ on the Internet is this and similar traffic. Then there are the network scans seeking open ssh ports etc. – we block them too. In fact there’s not a lot we don’t block, keeping open only essential ports.

But what about the ports we have to have open, e.g. SIP on port 5060 or HTTP on port 80? Our IPSs may examine packets to them for known signatures and block those matching, but attack traffic may not match any signature. All that is left on those ports is legitimate traffic, or at least what looks like legitimate traffic.

ThreatSTOP on our firewalls then compares that with a known list of millions of IP addresses known to be bad right now and blocks any matches. One might say it monitors intent rather than content.

As a SIP network, what is blocked is heavily skewed towards UDP at broadly 50%, with ICMP and TCP making up the balance. Overall half of the traffic blocked is port 5060 SIP and port 80 TCP, traffic that would otherwise have been passed. What is most interesting though is the extent of traffic blocked which on the face of it shouldn’t be there due to policies higher up. There are numerous reasons for this which are an article in themselves, but the key point is that simply blocking ports, or worse still kidding yourself that NAT is offering any protection, is not adequate today.

Overall we estimate ThreatSTOP accounts for 5-25% of the traffic dropped coming into the network. It varies by day according to the ferocity of the attack, but even 5% is a huge figure. As mentioned, the balance is dropped by conventional port blocking and other security devices sitting higher up. Doubtless without them there it would drop far more.

Also keep in mind it is dropping the first packet, so we have no notion whatsoever of what bandwidth this represents. We would estimate that if our equipment was naked on-line, that nefarious traffic would represent around 10% of bandwidth. Of course, that is 10% just trying to penetrate; if successfully compromised we’d see that figure skyrocket.

Finally, note that we’re talking about blocking incoming intrusions here. The vast majority of the utility of ThreatSTOP for most people is blocking outgoing packets. It is almost guaranteed that somewhere on your servers or workstations there lurks all manner of malware, all making ‘calls home’ to be given instructions. Those instructions are often to participate in an attack on some innocent third party but are increasingly used for information disclosure, e.g. if someone controls software on a workstation and that workstation has access to file shares and databases then those are available to the attacker. ThreatSTOP blocks calls home to known hosts, rendering malware using them impotent.
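The two uses described above, dropping inbound packets from listed sources and dropping outbound ‘calls home’ to listed destinations, come down to the same check applied to both ends of a connection. The following is an added illustration of that check, not ThreatSTOP’s code or its feed format: a constructed reputation feed is indexed by prefix length (the same idea as an ipset hash:net), and each constructed flow record is tested on its source address and then its destination address. All addresses are from the RFC 5737 documentation ranges and are not real indicators; the local network, flows and verdict names are assumptions made for the example.

```python
"""IP-reputation filtering of flow records, checked in both directions.

Added example, not ThreatSTOP code. A constructed feed is indexed by prefix
length, then each flow is tested on its source (inbound attack) and its
destination (outbound call-home). Addresses are RFC 5737 documentation ranges.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed reputation feed in the usual "one prefix per line" form.
FEED_TEXT = """\
# constructed feed -- documentation ranges, not real indicators
198.51.100.0/24      # constructed: range seen scanning
203.0.113.7          # constructed: single host acting as a controller
203.0.113.200/30
"""

# Constructed view of "our" network; everything else is remote.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")


@dataclass(frozen=True)
class Flow:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int]  # None for ICMP


def parse_feed(text: str) -> Dict[int, Set]:
    """Index feed entries by prefix length: one set probe per distinct length at lookup."""
    index: Dict[int, Set] = {}
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not entry:
            continue
        net = ipaddress.ip_network(entry, strict=False)  # bare address becomes a /32
        index.setdefault(net.prefixlen, set()).add(net)
    return index


def is_listed(index: Dict[int, Set], addr: str) -> bool:
    """Mask addr to each listed prefix length and probe that length's set."""
    ip = ipaddress.ip_address(addr)
    for plen, nets in index.items():
        if ipaddress.ip_network((str(ip), plen), strict=False) in nets:
            return True
    return False


def decide(index: Dict[int, Set], flow: Flow) -> str:
    """Verdict for one flow.

    Source listed      -> 'drop-inbound'  (a known bad host talking to us)
    Destination listed -> 'drop-outbound' (something of ours calling home)
    Otherwise          -> 'accept'
    An open port says nothing about intent, so both ends are checked.
    """
    if is_listed(index, flow.src):
        return "drop-inbound"
    if is_listed(index, flow.dst):
        return "drop-outbound"
    return "accept"


def summarise(index: Dict[int, Set], flows: List[Flow]) -> Tuple[List[str], Counter, Counter, float]:
    """Per-flow verdicts plus the protocol/port breakdown and share of what was dropped."""
    verdicts = [decide(index, f) for f in flows]
    dropped = [f for f, v in zip(flows, verdicts) if v != "accept"]
    by_proto = Counter(f.proto for f in dropped)
    by_port = Counter(f.dport for f in dropped if f.dport is not None)
    share = len(dropped) / len(flows) if flows else 0.0
    return verdicts, by_proto, by_port, share


# Constructed flow sample, weighted towards ports that must stay open (5060, 80).
SAMPLE_FLOWS = [
    Flow("udp", "198.51.100.23", "192.0.2.10", 5060),   # SIP probe from listed range
    Flow("tcp", "203.0.113.7", "192.0.2.20", 80),       # HTTP probe from listed host
    Flow("udp", "203.0.113.9", "192.0.2.10", 5060),     # unlisted: legitimate SIP peer
    Flow("tcp", "192.0.2.31", "203.0.113.202", 443),    # workstation calling a listed host
    Flow("icmp", "198.51.100.200", "192.0.2.1", None),  # ping sweep from listed range
    Flow("tcp", "192.0.2.31", "203.0.113.50", 443),     # unlisted: ordinary browsing
]

if __name__ == "__main__":
    verdicts, by_proto, by_port, share = summarise(parse_feed(FEED_TEXT), SAMPLE_FLOWS)
    for f, v in zip(SAMPLE_FLOWS, verdicts):
        print(f"{v:14} {f.proto:4} {f.src:>15} -> {f.dst:<15} {f.dport}")
    print(f"dropped {share:.0%} of flows; by proto {dict(by_proto)}; by port {dict(by_port)}")
```

The breakdown returned by `summarise` is the kind of figure quoted above (share of dropped traffic by protocol and by port); on a real firewall the same membership test is done by the kernel against an ipset or the vendor’s equivalent, with this feed refreshed from the provider rather than embedded in the script.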

McAfee Threats Report

McAfee have announced their Threats Report for Q2 2012. It found the biggest increase in malware samples detected in the last four years. If you have time you should read it yourself, but it shows a 1.5m increase in malware threats since Q1 2012, with a sample discovery rate accelerating to nearly 100,000 per day. Not only does the rise show no sign of slowing, but one has to ask – are your AntiVirus and AntiMalware vendors keeping up with it?

Finally, the report includes interesting info on newly identified threats affecting mobile devices with the help of ‘Drive-by-Downloads’ and Twitter. As a matter of interest, how many BYOD (bring your own device) such as employee-owned mobiles are using your office WiFi right now?

So the question remains: What are you doing about it?

Contact us for a free trial of ThreatSTOP and aside from the health benefits of sleeping better you’ll be able to see the extent of badness on your network in the reporting. We think you’ll be shocked.

Reduced pricing & opportunity

ThreatSTOP is sold as an annual subscription, per device. The charge depends on the device used and starts from just $895 for a very small SoHo style firewall. Pricing is available for virtual machines, hardware firewalls and by core for software solutions based on commodity hardware. Please contact us for a quote for your own situation.

Whilst we’d love to see all our customers using it for their own equipment there’s a bigger opportunity here. Most of our customers supply services in one form or another to end users and the product fits perfectly there. As a ThreatSTOP distributor we can enable you to sell the product to your customers, supplying it to you at a healthy discount.

If you’d like a free trial setting up for yourselves or any of your customers, please get in touch.
