viral redirects

viral redirects - 1.Jun.2011 12:11:17 PM   
Satanmat

 

Posts: 26
Joined: 15.Aug.2008
Status: offline
I'm trying to block some traffic. I've seen the attack called "fast flux", I believe, where links go to <good gods don't try this at home> usps.com.track05.com </danger>, for example.

I'm trying to come up with a blocking rule. I've got it set to block *.com.*.com traffic, but it still seems to get through ISA.

Any thoughts?
Post #: 1
RE: viral redirects - 2.Jun.2011 6:44:24 PM   
stevenrix

 

Posts: 101
Joined: 16.Feb.2011
Status: offline
From memory it is:
1) Create custom URL
2) Firewall policy > New Access Rule > Deny rule > Applies to all outbound traffic > From Internal > to External > to All Users > for custom URL *.track05.com

(in reply to Satanmat)
Post #: 2
RE: viral redirects - 3.Jun.2011 1:44:46 PM   
Satanmat

 

Thanks for the reply.

We've blocked *.track05.com.

I was more looking for a way to block these spammy hidden URLs where they are formed as

www.legitsite.com.spammyjerk.com

The rule that I wrote doesn't seem to work. Trying to block

.com.*.com

ISA doesn't like that format, so the block doesn't work.

(in reply to stevenrix)
Post #: 3
RE: viral redirects - 10.Jun.2011 11:23:09 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

Check this article for the right syntax: http://technet.microsoft.com/en-gb/library/cc302531.aspx

Although it's for ISA 2004, it still applies to ISA 2006 and TMG 2010.

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to Satanmat)
Post #: 4
RE: viral redirects - 10.Jun.2011 11:46:52 AM   
Satanmat

 

Thanks, I had read that, and yes, I think the bad guys have won this round.

ISA does not seem to have a way to block this attack, it would seem.

ISA cannot handle this sort of redirect.

Thanks. Looks like we just need to be vigilant. Stupid users.

(in reply to paulo.oliveira)
Post #: 5
RE: viral redirects - 10.Jun.2011 5:29:59 PM   
paulo.oliveira

 

Hi,

What do you mean? You just need to create a Domain Name Set and block the entire URL (usps.com.track05.com) or just its domain (*.track05.com).

Regards,
Paulo Oliveira.


(in reply to Satanmat)
Post #: 6
RE: viral redirects - 10.Jun.2011 5:35:26 PM   
Satanmat

 

Yes, it is easy to block track05.

I was looking for a more generic block. Something that would take out this kind of attack.

I'd like something that will block

www.legit.com.block_whatever_this_is.com

Hence the request; I'd hoped to block com.*.com to stop this.

(in reply to paulo.oliveira)
Post #: 7
RE: viral redirects - 10.Jun.2011 5:59:30 PM   
paulo.oliveira

 

Hi,

I understand, but since you cannot block using this syntax, is there any problem with blocking it using the suggestion I gave to you?

Regards,
Paulo Oliveira.


(in reply to Satanmat)
Post #: 8
RE: viral redirects - 10.Jun.2011 6:11:24 PM   
Satanmat

 

Yes, there is.

We would never be able to keep up with all the random URLs that could be used.

track05
track04
tracko3
trackO2
etc....

(in reply to paulo.oliveira)
Post #: 9
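
The thread ends with the generic com.*.com pattern unavailable as a rule and per-domain entries too numerous to maintain by hand. As an added example (not part of any post in the thread and not ISA functionality), the Python check below flags destination hostnames that embed a look-alike domain in their subdomain part and derives a per-domain wildcard entry of the form suggested in the thread. The suffix list, allowlist, function names and the sample hosts not quoted from the thread are constructed assumptions; real use would rely on the full Public Suffix List.

```python
# Added example (not from the thread): flag hosts whose subdomain embeds a
# look-alike domain, e.g. usps.com.track05.com.
# SUFFIXES is a small constructed stand-in for the full Public Suffix List.
SUFFIXES = {"com", "net", "org", "gov", "com.br", "co.uk", "com.au"}
GENERIC_TLDS = {"com", "net", "org", "gov", "edu"}


def split_registrable(host):
    """Return (subdomain_labels, registrable_domain) via the longest known suffix."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # try two-label suffixes (com.br) before one-label (com)
        if len(labels) > n and ".".join(labels[-n:]) in SUFFIXES:
            return labels[:-(n + 1)], ".".join(labels[-(n + 1):])
    return labels[:-2], ".".join(labels[-2:])  # unknown suffix: assume one label


def embedded_domain(host, allow=frozenset()):
    """Return the look-alike domain embedded in the subdomain part, or None."""
    sub, registrable = split_registrable(host)
    if registrable in allow:
        return None
    for i, label in enumerate(sub):
        if i > 0 and label in GENERIC_TLDS:
            return sub[i - 1] + "." + label
    return None


def scan(hosts, allow=frozenset()):
    """Map each flagged host to (embedded domain, wildcard entry for its real domain)."""
    hits = {}
    for host in hosts:
        found = embedded_domain(host, allow)
        if found:
            hits[host] = (found, "*." + split_registrable(host)[1])
    return hits


# Destination hosts as they might appear in a proxy log (constructed sample).
SAMPLE_HOSTS = [
    "usps.com.track05.com",              # from the thread
    "www.legitsite.com.spammyjerk.com",  # from the thread
    "www.usps.com",                      # ordinary host, not flagged
    "www.bank.com.br",                   # constructed: com.br is a suffix
    "www.legit.com.edge.example.net",    # constructed: allowlisted below
]

if __name__ == "__main__":
    for host, (brand, entry) in scan(SAMPLE_HOSTS, allow={"example.net"}).items():
        print(f"{host}: embeds {brand}; candidate block entry {entry}")
```

Hosts under country-code suffixes such as com.br are not flagged because the suffix is stripped before the subdomain is inspected; services that legitimately embed a customer domain in their hostnames need an allowlist entry.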
