Multiple ways to reduce attack surface, where is the evidence that blocking domains reduces the amount of security intrusions?
For example, malicious code hosted on .ru, .vn, .cm, & .am sites. If these are excluded with a whitelist approach, they are of no concern. The user would have to deliberately allow them.

EDIT Good grief, I guess I should have clarified blocking of "javascript" from the get-go of this thread.
I'm sure NGRhodes knows how this works but doesn't answer his question regarding proof. At least it doesn't for me.
Seriously, I need to provide evidence that malicious code can exist on the domains I've listed above? Oh well... http://www.mcafee.com/ca/about/news/2010/q4/20101026-02.aspx http://www.webhostingsearch.com/blog/dangerous-top-level-domains-on-the-internet-1188
Statistically I think most malicious domains are Chinese or Russian. Google put some research out about it a while back. If we're talking Javascript, then I whitelist.
Is there any evidence in practice or lab conditions that blocking TLDs would actually reduce the amount of malware the average web surfer would get? If you are already running some other tool for security, e.g. AV and anti-malware or anti-execution, do tests show blocking TLDs offers any extra protection? Without this information there is a risk of spreading FUD about the actual usefulness of blocking TLDs for security purposes. I do think blocking specific known bad domains [sub-domains of TLDs, for clarity] is useful (and there are stats about on the web to prove the usefulness of this), but TLDs I don't know. Cheers, Nick
If I stumble upon a normally safe site that's been exploited with js injection to redirect users to a malicious website that downloads trojans to the user's machine, then am I not left unaffected if one of the domains I've blocked is that of the malicious site? BTW, I would rather use as much as what's built-in to the O/S and browser as opposed to 3rd party utilities. I agree blocking TLDs is very broad in nature as opposed to sub-domains, but it achieves the same results with less granularity. I can always, and have, allowed sub-domains of my choice as I see fit.

EDIT Maybe I've been too unclear throughout this thread, so I'll attempt to explain further... Let's say I default deny js but I whitelist only the following: .com .ca .gov .org .edu .uk .net

I use a script blocking extension in the browser to allow only specific sites of my choosing that may fall under the category of the ones blocked by default, such as maybe somesite.ru, or anothersite.ko...just examples. If I happen to land on a site that has been js-exploited to redirect visitors to, say, badsite.cn, I should be unaffected because those domains are blocked by default. Yes, there are exploits found on some sites with the domains I've whitelisted, but by default-denying all others, I reduce the chances - attack surface - of stumbling upon exploited sites, because it is a fact that there are exploits found on so many of the domains listed in McAfee's most dangerous domains list. There are other means as you mention, Nick, but why not utilize what's available in the browser or at least through a browser extension, since it's not only effective but it eliminates additional code introduced by 3rd party apps that might be used?
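The default-deny script scheme described in the post above (a short list of whitelisted TLDs, explicit per-site allowances for hosts under blocked TLDs, everything else denied), written out as an added example. This is not code from the thread or from any extension the posters mention. The TLD list is the post's own; the allowed/blocked host entries, the explicit-block precedence rule, and the sample script URLs are constructed for illustration.

```javascript
// Added example, not code from the thread: a default-deny script policy of
// the kind the post above describes. The allowedHosts/blockedHosts entries
// and the sample URLs are constructed; the TLD list is the post's.

const DEFAULT_POLICY = {
  // TLDs under which scripts are allowed by default (the post's list)
  allowedTlds: new Set(["com", "ca", "gov", "org", "edu", "uk", "net"]),
  // hosts the user has explicitly allowed although their TLD is blocked
  // ("somesite.ru" is the post's own placeholder name)
  allowedHosts: new Set(["somesite.ru"]),
  // hosts the user has explicitly blocked although their TLD is allowed
  // (assumed extra rule, constructed sample value)
  blockedHosts: new Set(["tracker.example.com"]),
};

// Canonicalise a hostname: lower-case, drop a trailing dot, and reject
// anything that does not look like a DNS name. Returns null when unusable.
function normalizeHost(hostname) {
  const h = String(hostname).trim().toLowerCase().replace(/\.$/, "");
  if (!/^[a-z0-9-]+(\.[a-z0-9-]+)*$/.test(h)) return null;
  return h;
}

// True if the host itself or any parent domain is in the set, so an entry
// "somesite.ru" also covers "cdn.somesite.ru".
function hostOrParentIn(set, host) {
  const labels = host.split(".");
  for (let i = 0; i < labels.length; i++) {
    if (set.has(labels.slice(i).join("."))) return true;
  }
  return false;
}

// Decide whether script from `hostname` may run. Precedence:
// explicit block > explicit allow > TLD whitelist > default deny.
function scriptDecision(hostname, policy = DEFAULT_POLICY) {
  const host = normalizeHost(hostname);
  if (host === null) return { allow: false, reason: "unparseable host" };
  if (hostOrParentIn(policy.blockedHosts, host)) return { allow: false, reason: "explicitly blocked" };
  if (hostOrParentIn(policy.allowedHosts, host)) return { allow: true, reason: "explicitly allowed" };
  const tld = host.slice(host.lastIndexOf(".") + 1);
  // An IPv4 literal has a numeric last label and no TLD at all: default deny
  if (/^\d+$/.test(tld)) return { allow: false, reason: "IP literal, no TLD" };
  if (policy.allowedTlds.has(tld)) return { allow: true, reason: `TLD .${tld} whitelisted` };
  return { allow: false, reason: `TLD .${tld} not whitelisted` };
}

// Apply the policy to every script URL a page tries to load and return the
// ones that would be refused. This mirrors the post's scenario: a normally
// safe site is compromised and pulls a script from a host under a blocked TLD.
function blockedScripts(scriptUrls, policy = DEFAULT_POLICY) {
  const blocked = [];
  for (const url of scriptUrls) {
    let host;
    try {
      host = new URL(url).hostname;
    } catch {
      blocked.push({ url, reason: "invalid URL" });
      continue;
    }
    const d = scriptDecision(host, policy);
    if (!d.allow) blocked.push({ url, reason: d.reason });
  }
  return blocked;
}

// Constructed sample: script references a compromised page might carry
const SAMPLE_PAGE_SCRIPTS = [
  "https://goodsite.com/app.js",
  "https://cdn.goodsite.net/lib.js",
  "https://badsite.cn/inject.js",
  "https://somesite.ru/wanted.js",
  "http://203.0.113.5/x.js",
];

console.log(blockedScripts(SAMPLE_PAGE_SCRIPTS));
```

Running it shows the two refused loads (the .cn host and the bare IP literal) while the whitelisted TLDs and the user's explicit exception pass. The IP-literal branch is the edge case a TLD-only rule misses: a raw address has no TLD to match, so it has to fall to the default-deny outcome rather than be silently allowed.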
Who cares about lab conditions? We know that malware is often hosted on .cn and .ru. That should be the only 'evidence' necessary to support a claim that blocking domains can be beneficial to security.
Russia and China get mentioned a lot when it comes to malicious sites and malware, but a lot of both come from the USA. http://www.trendmicro.com/us/security-intelligence/current-threat-activity/malicious-top-ten/ IMO, blocking by country doesn't improve your chances by any appreciable degree. Compromised sites can turn up anywhere, as can domains that serve up the malware.
Here we go, in addition to Hungry Man's support, another "heavy weight" member using a similar approach (right under Additional intrusion mitigation):
@wat0114 So I take it as you want to focus more on the contents of websites instead of the websites themselves?
Yes and no. I avoid all non-whitelisted domains as much as possible, because I rarely visit them anyway, but if I feel a want/need to visit a web site under one of them, I exercise careful control of the content I allow.
I'll bet false positives would be far more likely than any working malware with such a country-based whitelist.
Although it's possible in your case, it's impossible in mine. Sometimes (many times?) I need to access strange websites to get the info I was looking for. So my only option is content filtering. I'll tell you something, most unusual behaviors I've encountered in various websites are from .com-based websites. So manual TLD blocking barely gives any effect for me.
Yes, .com is the worst. Of course I allow it within settings in Chrome, but then I use the httpsb extension to filter the contents of the sites I visit, allowing only the required content.
Well, if I set up PeerBlock for blocking some IPs:
Google -> Blocking 131,071 IPs
Microsoft -> Blocking 1,849,147 IPs
Spyware -> Blocking 285,056 IPs
Hijacked -> Blocking 7,810,037 IPs
This is just a partial list.
Yes, by blacklisting - Other... via my router. And I block some IPs/ranges with Comodo FW. ... but I picked the wrong thing by accident, like a dumb arse, and went and screwed this whole poll up (picked whitelisting - yes instead). I'm so used to applying that default deny/whitelist regimen that it's just like a reflex.