viral redirects
viral redirects - 1.Jun.2011 12:11:17 PM
Satanmat
Posts: 26
Joined: 15.Aug.2008
Status: offline
I'm trying to block some traffic. I've seen the attack called "fast flux", I believe, where links go to <good gods don't try this at home> usps.com.track05.com </danger>, for example. I'm trying to come up with a blocking rule. I've got it set to block *.com.*.com traffic, but it still seems to get through ISA. Any thoughts?
RE: viral redirects - 2.Jun.2011 6:44:24 PM
stevenrix
Posts: 101
Joined: 16.Feb.2011
Status: offline
From memory it is:
1) Create custom URL
2) Firewall policy > New Access Rule > Deny rule > Applies to all outbound traffic > From Internal > to External > to All Users > for custom URL *.track05.com
RE: viral redirects - 3.Jun.2011 1:44:46 PM
Satanmat
Posts: 26
Joined: 15.Aug.2008
Status: offline
Thanks for the reply. We've blocked *.track05.com. I was more looking for a way to block these spammy hidden URLs where it is formed as www.legitsite.com.spammyjerk.com. The rule that I wrote doesn't seem to work. Trying to block .com.*.com, ISA doesn't like that format, so the block doesn't work.
RE: viral redirects - 10.Jun.2011 11:46:52 AM
Satanmat
Posts: 26
Joined: 15.Aug.2008
Status: offline
Thanks, I had read that, and yes, I think the bad guys have won this round. ISA does not seem to have a way to block this attack; it would seem ISA cannot handle this sort of redirect. Thanks. Looks like we just need to be vigilant. Stupid users.
RE: viral redirects - 10.Jun.2011 5:29:59 PM
paulo.oliveira
Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi, what do you mean? You just need to create a Domain Name Set and block the entire URL (usps.com.track05.com) or just its domain (*.track05.com). Regards, Paulo Oliveira.
_____________________________ Microsoft Premier Field Engineer (PFE) Blog: http://poliveirasilva.wordpress.com/ Twitter: https://twitter.com/poliveirasilva
RE: viral redirects - 10.Jun.2011 5:35:26 PM
Satanmat
Posts: 26
Joined: 15.Aug.2008
Status: offline
Yes, it is easy to block track05. I was looking for a more generic block, something that would take out this kind of attack. I'd like something that will block www.legit.com.block_whatever_this_is.com. Hence the request; I'd hoped to block com.*.com to stop this.
RE: viral redirects - 10.Jun.2011 5:59:30 PM
paulo.oliveira
Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi, I understand, but since you cannot block using this syntax, is there any problem with blocking it using the suggestion I gave you? Regards, Paulo Oliveira.
_____________________________ Microsoft Premier Field Engineer (PFE) Blog: http://poliveirasilva.wordpress.com/ Twitter: https://twitter.com/poliveirasilva
RE: viral redirects - 10.Jun.2011 6:11:24 PM
Satanmat
Posts: 26
Joined: 15.Aug.2008
Status: offline
Yes, there is. We would never be able to keep up with all the random URLs that could be used: track05, track04, tracko3, trackO2, etc.
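The generic check asked for in this thread (a hostname such as www.legit.com.spammer.com, where a domain-looking name sits inside the subdomain labels), as an added example that is not part of the original posts and is not an ISA Server feature; it could be run over hostnames taken from proxy logs to build the Domain Name Set suggested above. The TLD label set, the "last two labels are the registered domain" rule, the allow-list entry and all function names are assumptions made for illustration.

```python
# Added example (not ISA Server code): find hostnames shaped like
# <legit-looking domain>.<other domain>, e.g. usps.com.track05.com.
# Assumption: a short illustrative set of TLD labels; extend as needed.
TLD_LABELS = {"com", "net", "org", "gov", "edu", "mil", "info", "biz"}

def normalize_host(value):
    """Reduce a URL or Host header value to a bare lower-case hostname."""
    host = value.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0].rsplit("@", 1)[-1]
    if host.startswith("["):          # IPv6 literal, not a DNS name
        return ""
    return host.split(":", 1)[0].rstrip(".")

def embedded_domain(value, allow_suffixes=()):
    """Return the domain-looking prefix hidden in the subdomain labels, or None.

    Naive assumption: the last two labels are the registered domain, so
    names under suffixes such as co.uk are judged one label too short.
    """
    host = normalize_host(value)
    if any(host == s or host.endswith("." + s) for s in allow_suffixes):
        return None
    sub = host.split(".")[:-2]        # labels left of the registered domain
    # A TLD label at index >= 1 means "<name>.<tld>" sits inside the subdomain.
    hits = [i for i, label in enumerate(sub) if i >= 1 and label in TLD_LABELS]
    if not hits:
        return None
    return ".".join(sub[: hits[-1] + 1])

def scan(values, allow_suffixes=()):
    """Return (hostname, embedded domain) pairs for the suspicious entries."""
    pairs = ((normalize_host(v), embedded_domain(v, allow_suffixes)) for v in values)
    return [(h, p) for h, p in pairs if p]

# Constructed sample of requested hosts; the first three shapes come from the thread.
SAMPLE = [
    "http://usps.com.track05.com/label?id=1",
    "www.legitsite.com.spammyjerk.com:80",
    "www.legit.com.block_whatever_this_is.com",
    "www.usps.com",
    "shop.example.com.au",
    "www.example.com.edgekey.net",    # CDN-style name (constructed): allow-list it
]

if __name__ == "__main__":
    for host, prefix in scan(SAMPLE, allow_suffixes=("edgekey.net",)):
        print(f"{host}: embeds {prefix}")
```

CDN and hosting providers legitimately use names of this shape, so review hits against an allow-list before turning them into deny entries.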