<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	>
<channel>
	<title>Comments on: Storm Worm - Go away, we&#8217;re not home</title>
	<atom:link href="http://www.sudosecure.net/archives/264/feed" rel="self" type="application/rss+xml" />
	<link>http://www.sudosecure.net/archives/264</link>
	<description>is anything truly secure...</description>
	<pubDate>Tue, 06 Jan 2009 04:04:35 +0000</pubDate>
	<generator>http://wordpress.org/?v=abc</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: yasir</title>
		<link>http://www.sudosecure.net/archives/264/comment-page-1#comment-138</link>
		<dc:creator>yasir</dc:creator>
		<pubDate>Mon, 20 Oct 2008 07:14:37 +0000</pubDate>
		<guid isPermaLink="false">http://www.sudosecure.net/?p=264#comment-138</guid>
		<description>Something very similar...

http://blog.fireeye.com/research/2008/10/storm-just-befo.html</description>
		<content:encoded><![CDATA[<p>Something very similar&#8230;</p>
<p><a href="http://blog.fireeye.com/research/2008/10/storm-just-befo.html" rel="nofollow">http://blog.fireeye.com/research/2008/10/storm-just-befo.html</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: jeremy</title>
		<link>http://www.sudosecure.net/archives/264/comment-page-1#comment-132</link>
		<dc:creator>jeremy</dc:creator>
		<pubDate>Fri, 10 Oct 2008 15:07:06 +0000</pubDate>
		<guid isPermaLink="false">http://www.sudosecure.net/?p=264#comment-132</guid>
		<description>Daniel:

White listing is not really a new concept, but I have to disagree with you and say that it is actually very hard to maintain.  The internet was created as an open public form of communication and designed this way.  Security really didn't come into the design model until later on.  Creating white lists would mean that any company that hosts a public web server would need to index the entire internet IP space, which would defeat the purpose of white listing.  Take eBay for example: how would they incorporate white listing into their business model?  Now let's look at users and how white listing will affect them.  You would need to index every single legitimate IP on the internet that a user may want to go to, so monitoring for new websites hosted on new IPs would be insanely tough if not impossible.  Let's take another approach to white listing: let's say you have strict policies on your users' internet use, so indexing every single IP that hosts a legitimate web site isn't an issue, but these users require VPN access back into the company.  This sounds simple, right?  I don't think it is, as most ISPs use DHCP to serve out IP addresses to their subscribers, and if you white list their IP on Monday it doesn't mean they will have that same IP address on Friday, again making it insanely tough to maintain.

For e-mail spoofing I prefer the concept of Sender Policy Framework over white lists, as again I believe white listing to be a cool concept, just not a maintainable one.  Mail is routed by looking up MX records.  These MX records allow me to change my IP address at any time and not affect mail operations, so if I created white lists of authorized mail server IPs that can send me mail, I would have to constantly monitor these domains' IP spaces for new MX records to ensure I don't break mail flows at any given time.  One thing I have learned in my IT career is you don't break email for any reason unless you want to get fired or beaten down by an angry mob of users.

As far as being able to prevent DDoS attacks, I don't see this working all the time.  Let's say I do implement your white listing idea and place this insanely large white list of IPs in an ACL on my edge router advertising my AS.  You don't think this router will stop routing when it starts having to check a DDoS traffic flow against this insanely large white list?  I do.  Most large organizations will tell you the same: the ACLs on the AS edge routers need to be small and to the point to ensure the router continues to route traffic during high-traffic times.  You don't want to lose legitimate traffic, as legitimate traffic in most cases is what keeps you in business and pays the bills.

Don't get me wrong here, I think white listing is a cool concept and that it has its places, but the public internet is not one of them.  Remember we kind of used to do white listing before DNS was used, as we swapped hosts files so we could connect to the internet, but these files soon grew to an astonishingly large size and were just not effective.  DNS was born and we never looked back.</description>
		<content:encoded><![CDATA[<p>Daniel:</p>
<p>White listing is not really a new concept, but I have to disagree with you and say that it is actually very hard to maintain.  The internet was created as an open public form of communication and designed this way.  Security really didn&#8217;t come into the design model until later on.  Creating white lists would mean that any company that hosts a public web server would need to index the entire internet IP space, which would defeat the purpose of white listing.  Take eBay for example: how would they incorporate white listing into their business model?  Now let&#8217;s look at users and how white listing will affect them.  You would need to index every single legitimate IP on the internet that a user may want to go to, so monitoring for new websites hosted on new IPs would be insanely tough if not impossible.  Let&#8217;s take another approach to white listing: let&#8217;s say you have strict policies on your users&#8217; internet use, so indexing every single IP that hosts a legitimate web site isn&#8217;t an issue, but these users require VPN access back into the company.  This sounds simple, right?  I don&#8217;t think it is, as most ISPs use DHCP to serve out IP addresses to their subscribers, and if you white list their IP on Monday it doesn&#8217;t mean they will have that same IP address on Friday, again making it insanely tough to maintain.</p>
<p>For e-mail spoofing I prefer the concept of Sender Policy Framework over white lists, as again I believe white listing to be a cool concept, just not a maintainable one.  Mail is routed by looking up MX records.  These MX records allow me to change my IP address at any time and not affect mail operations, so if I created white lists of authorized mail server IPs that can send me mail, I would have to constantly monitor these domains&#8217; IP spaces for new MX records to ensure I don&#8217;t break mail flows at any given time.  One thing I have learned in my IT career is you don&#8217;t break email for any reason unless you want to get fired or beaten down by an angry mob of users.</p>
<p>As far as being able to prevent DDoS attacks, I don&#8217;t see this working all the time.  Let&#8217;s say I do implement your white listing idea and place this insanely large white list of IPs in an ACL on my edge router advertising my AS.  You don&#8217;t think this router will stop routing when it starts having to check a DDoS traffic flow against this insanely large white list?  I do.  Most large organizations will tell you the same: the ACLs on the AS edge routers need to be small and to the point to ensure the router continues to route traffic during high-traffic times.  You don&#8217;t want to lose legitimate traffic, as legitimate traffic in most cases is what keeps you in business and pays the bills.</p>
<p>Don&#8217;t get me wrong here, I think white listing is a cool concept and that it has its places, but the public internet is not one of them.  Remember we kind of used to do white listing before DNS was used, as we swapped hosts files so we could connect to the internet, but these files soon grew to an astonishingly large size and were just not effective.  DNS was born and we never looked back.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Daniel Chien</title>
		<link>http://www.sudosecure.net/archives/264/comment-page-1#comment-131</link>
		<dc:creator>Daniel Chien</dc:creator>
		<pubDate>Fri, 10 Oct 2008 06:38:23 +0000</pubDate>
		<guid isPermaLink="false">http://www.sudosecure.net/?p=264#comment-131</guid>
		<description>I have developed methods to increase Internet security which will greatly enhance security, safety, protect consumers, block hackers, and prevent virus attacks.

The ideas to enhance Internet security are derived from these two fundamental yet elegant concepts:

1.	IP address: The identification of an Internet entity.  Every website has an IP address.  IP addresses are assigned by Internet Service Providers (ISPs).  ISPs obtain allocations of IP addresses from a Local Internet Registry (LIR), a National Internet Registry (NIR), or their appropriate Regional Internet Registry (RIR), whose IP address pool is assigned by the Internet Assigned Numbers Authority (IANA).  ISPs use this information together with network topology to build Internet backbone routing tables to ensure all IP addresses are routed correctly and reachable by everyone.  A website’s IP address, or any IP address on the Internet, must be legitimate, routable and reachable.  On the Internet, both source and destination IP addresses are needed to establish a session for two-way communication.  The source and destination IP addresses between any two nodes (parties) must be valid and cannot be altered.  If the source IP address is altered, then the data will be routed to the altered IP address instead and one-way communication is created.  With the altered IP address, data can be sent out, but no data will be received in return.  In most cases, this will be considered a denial of service attack.  Therefore, website and e-mail services will not work.  In addition, most companies do not change their IP address often due to the complexity of updating and testing the Internet backbone routing tables.

In general, IP addresses have the following properties:

•	An IP address is allocated by IANA, an RIR, an ISP, etc.
•	An IP address must be legitimate, routable, and reachable.
•	A website cannot fake its IP address.
•	Most Internet traffic consists of two-way communication.
•	Most companies do not change their IP address (block).

2.	Local White List:  A database of trustworthy IP addresses for positive identification, unlike other white lists that check URLs or domain names which change frequently and can be defeated by the perpetrator.  This White List is based on IP addresses and only the IP addresses from well-known trustworthy organizations, legitimate financial institutions, etc. will be added.  Because websites cannot fake their IP addresses, this White List is more accurate, effective, and resistant to other attacks.  Also, because most companies do not change their IP addresses, this White List will remain fairly stable, and easy to maintain. 

The White List will have the following features:

•	It is based on IP addresses.
•	The White List will not change often and will be easy to maintain.
•	The user should be able to modify the local White List.

  
Application of the concepts:

1.	Identify Trustworthy Sites and Detect Phishing Websites: Unlike all other phishing detection software, we can positively identify trustworthy websites by comparing the website’s IP address against the White List.  With these new security concepts, trustworthy websites will be able to safely provide personal information.  New or known phishing websites will not be included on the White List and can be instantly detected locally without any delay.

2.	Discover Spoofed E-mail: Based on SMTP RFC 2821, the “Received” field in the e-mail header includes the IP address of the sender.  This IP address is logged by the receiving mail server.  Therefore, the sender cannot alter this IP address.  Once the sender IP has been identified, the domain name can be determined from the White List.  By comparing the domain name from the White List to the domain name in the “From” field, non-spoofed e-mail can be identified.  By checking the “Received” field, one can determine if an e-mail from a financial institution is legitimate.

3.	Protect and reveal unauthorized access to an account: When accessing an account, the server can verify if the user’s IP address is authorized.  In addition, the server can log an entry with a timestamp and this client IP address.  Then the server sends this information to the client’s local log file.  If there is no unauthorized access, these two log files should be identical.  The client log file can be on a USB device when multiple PCs are used to access the account.

4.	Secure local systems from malicious attacks (e.g., viruses, worms, etc.):  Before establishing a network connection, there must be verification of the following:

•	Remote IP address
•	Port number 
•	Payload type

For example, if Microsoft is fully trusted, all traffic on all ports with all payload types will be allowed.  For most websites, only ports 80 and 443 are allowed with no executable program.  For untrustworthy IP addresses, not on the White List, the user will be warned or denied access for both inbound and outbound traffic.

5.	Prevent DoS Attacks: Most DoS attacks spoof their source IP address and send massive numbers of requests to one website.  The router or switch that the attacker’s machine attaches to can validate the source IP addresses before forwarding to the network (RFC 3704).  Since the router/switch nearest the attacker can determine whether the source IP address is routable back to the originator, messages with invalid source IP addresses will be discarded.  An edge router that connects to an AS (autonomous system) can validate the source IP address as well.  The router/switch/firewall at the server location can also limit the number of requests from each individual source IP address to help prevent DoS attacks.  In addition, a White List with legitimate clients’ IP addresses can be used to bypass this restriction so rightful users will not be blocked during DoS attacks.


I have a beta program that demonstrates how to identify trustworthy sites and detect phishing websites. This program is a Firefox web browser extension that checks the current website’s IP address against the local White List.  When visiting a website, the user may want to check the legitimacy of this site before entering any personal information.  By clicking this extension (button), the user will receive advice on how to proceed.  The user can then decide the best course of action.</description>
		<content:encoded><![CDATA[<p>I have developed methods to increase Internet security which will greatly enhance security, safety, protect consumers, block hackers, and prevent virus attacks.</p>
<p>The ideas to enhance Internet security are derived from these two fundamental yet elegant concepts:</p>
<p>1.	IP address: The identification of an Internet entity.  Every website has an IP address.  IP addresses are assigned by Internet Service Providers (ISPs).  ISPs obtain allocations of IP addresses from a Local Internet Registry (LIR), a National Internet Registry (NIR), or their appropriate Regional Internet Registry (RIR), whose IP address pool is assigned by the Internet Assigned Numbers Authority (IANA).  ISPs use this information together with network topology to build Internet backbone routing tables to ensure all IP addresses are routed correctly and reachable by everyone.  A website’s IP address, or any IP address on the Internet, must be legitimate, routable and reachable.  On the Internet, both source and destination IP addresses are needed to establish a session for two-way communication.  The source and destination IP addresses between any two nodes (parties) must be valid and cannot be altered.  If the source IP address is altered, then the data will be routed to the altered IP address instead and one-way communication is created.  With the altered IP address, data can be sent out, but no data will be received in return.  In most cases, this will be considered a denial of service attack.  Therefore, website and e-mail services will not work.  In addition, most companies do not change their IP address often due to the complexity of updating and testing the Internet backbone routing tables.</p>
<p>In general, IP addresses have the following properties:</p>
<p>•	An IP address is allocated by IANA, an RIR, an ISP, etc.<br />
•	An IP address must be legitimate, routable, and reachable.<br />
•	A website cannot fake its IP address.<br />
•	Most Internet traffic consists of two-way communication.<br />
•	Most companies do not change their IP address (block).</p>
<p>2.	Local White List:  A database of trustworthy IP addresses for positive identification, unlike other white lists that check URLs or domain names which change frequently and can be defeated by the perpetrator.  This White List is based on IP addresses and only the IP addresses from well-known trustworthy organizations, legitimate financial institutions, etc. will be added.  Because websites cannot fake their IP addresses, this White List is more accurate, effective, and resistant to other attacks.  Also, because most companies do not change their IP addresses, this White List will remain fairly stable, and easy to maintain. </p>
<p>The White List will have the following features:</p>
<p>•	It is based on IP addresses.<br />
•	The White List will not change often and will be easy to maintain.<br />
•	The user should be able to modify the local White List.</p>
<p>Application of the concepts:</p>
<p>1.	Identify Trustworthy Sites and Detect Phishing Websites: Unlike all other phishing detection software, we can positively identify trustworthy websites by comparing the website’s IP address against the White List.  With these new security concepts, trustworthy websites will be able to safely provide personal information.  New or known phishing websites will not be included on the White List and can be instantly detected locally without any delay.</p>
<p>2.	Discover Spoofed E-mail: Based on SMTP RFC 2821, the “Received” field in the e-mail header includes the IP address of the sender.  This IP address is logged by the receiving mail server.  Therefore, the sender cannot alter this IP address.  Once the sender IP has been identified, the domain name can be determined from the White List.  By comparing the domain name from the White List to the domain name in the “From” field, non-spoofed e-mail can be identified.  By checking the “Received” field, one can determine if an e-mail from a financial institution is legitimate.</p>
<p>3.	Protect and reveal unauthorized access to an account: When accessing an account, the server can verify if the user’s IP address is authorized.  In addition, the server can log an entry with a timestamp and this client IP address.  Then the server sends this information to the client’s local log file.  If there is no unauthorized access, these two log files should be identical.  The client log file can be on a USB device when multiple PCs are used to access the account.</p>
<p>4.	Secure local systems from malicious attacks (e.g., viruses, worms, etc.):  Before establishing a network connection, there must be verification of the following:</p>
<p>•	Remote IP address<br />
•	Port number<br />
•	Payload type</p>
<p>For example, if Microsoft is fully trusted, all traffic on all ports with all payload types will be allowed.  For most websites, only ports 80 and 443 are allowed with no executable program.  For untrustworthy IP addresses, not on the White List, the user will be warned or denied access for both inbound and outbound traffic.</p>
<p>5.	Prevent DoS Attacks: Most DoS attacks spoof their source IP address and send massive numbers of requests to one website.  The router or switch that the attacker’s machine attaches to can validate the source IP addresses before forwarding to the network (RFC 3704).  Since the router/switch nearest the attacker can determine whether the source IP address is routable back to the originator, messages with invalid source IP addresses will be discarded.  An edge router that connects to an AS (autonomous system) can validate the source IP address as well.  The router/switch/firewall at the server location can also limit the number of requests from each individual source IP address to help prevent DoS attacks.  In addition, a White List with legitimate clients’ IP addresses can be used to bypass this restriction so rightful users will not be blocked during DoS attacks.</p>
<p>I have a beta program that demonstrates how to identify trustworthy sites and detect phishing websites. This program is a Firefox web browser extension that checks the current website’s IP address against the local White List.  When visiting a website, the user may want to check the legitimacy of this site before entering any personal information.  By clicking this extension (button), the user will receive advice on how to proceed.  The user can then decide the best course of action.</p>
]]></content:encoded>
	</item>
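The "Received"-header check described in the comment above (application 2), written out as an added example; this is not code from the original post or from the commenter's Firefox extension. The IP-to-domain White List, the RFC 5737 documentation addresses and both sample messages are constructed for the demo. The caveat a practitioner would want: only the topmost Received line, the one written by the receiving MTA, records an IP the sender could not choose. Every Received line below it arrived inside the message and can be forged, so the check reads the first line only.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Added example, not the commenter's code. The table below is a constructed
# local White List: sender IP ranges mapped to the domain they vouch for
# (RFC 5737 documentation addresses, chosen for the demo).
TRUSTED_SENDERS = {
    ipaddress.ip_network("192.0.2.0/28"): "bank.example",
    ipaddress.ip_network("198.51.100.32/27"): "broker.example",
}

# Matches the bracketed peer address an MTA writes into a Received line.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(raw_message):
    """Return the peer IP our own MTA recorded in the FIRST Received header.

    Only that line is trustworthy: every later Received line was supplied
    by the sender and is forgeable, so they are deliberately ignored.
    """
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_IP.search(received[0])
    if m is None:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None


def trusted_domain_for(ip):
    """Map a connecting IP to the domain the local White List vouches for."""
    for net, domain in TRUSTED_SENDERS.items():
        if ip in net:
            return domain
    return None


def from_domain(raw_message):
    """Domain claimed in the From header (lower-cased), or None."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def classify(raw_message):
    """The comment's test: White List domain for the Received IP vs From domain.

    Returns 'trusted' when they agree, 'spoofed' when From claims a listed
    organization but the mail did not arrive from its range, else 'unknown'.
    """
    ip = connecting_ip(raw_message)
    if ip is None:
        return "unknown"
    vouched = trusted_domain_for(ip)
    claimed = from_domain(raw_message)
    if vouched is None:
        return "spoofed" if claimed in set(TRUSTED_SENDERS.values()) else "unknown"
    return "trusted" if claimed == vouched else "spoofed"


# Constructed sample: genuine mail relayed from the bank's listed range.
GENUINE = """Received: from smtp1.bank.example (smtp1.bank.example [192.0.2.5]) by mx.home.test with ESMTP; Fri, 10 Oct 2008 06:00:00 +0000
Received: from app01.bank.example ([10.1.1.7]) by smtp1.bank.example; Fri, 10 Oct 2008 05:59:58 +0000
From: alerts@bank.example
To: user@home.test
Subject: Statement available

Your statement is ready.
"""

# Constructed sample: From claims the bank, but our MTA saw the connection
# come from an unlisted address. The second Received line, which names the
# bank's real relay, was forged by the sender and is ignored on purpose.
SPOOFED = """Received: from mail.example.net (unknown [203.0.113.77]) by mx.home.test with ESMTP; Fri, 10 Oct 2008 06:10:00 +0000
Received: from smtp1.bank.example (smtp1.bank.example [192.0.2.5]) by mail.example.net; Fri, 10 Oct 2008 06:09:00 +0000
From: alerts@bank.example
To: user@home.test
Subject: Verify your account

Click here.
"""

if __name__ == "__main__":
    print(classify(GENUINE), classify(SPOOFED))
```

The same run also shows the maintenance cost raised in the reply by jeremy: a listed organization that starts relaying through an outsourced mail provider whose range is not in TRUSTED_SENDERS is reported as spoofed until someone updates the table, which is why SPF, published by the sending domain itself, is the usual way to keep that table current.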
	<item>
		<title>By: jon</title>
		<link>http://www.sudosecure.net/archives/264/comment-page-1#comment-130</link>
		<dc:creator>jon</dc:creator>
		<pubDate>Wed, 08 Oct 2008 20:25:37 +0000</pubDate>
		<guid isPermaLink="false">http://www.sudosecure.net/?p=264#comment-130</guid>
		<description>storm worm come home to daddy</description>
		<content:encoded><![CDATA[<p>storm worm come home to daddy</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: TechRepublic - "Storm Worm: The Energizer Bunny of Botnets" &#124; The Spam Cryer</title>
		<link>http://www.sudosecure.net/archives/264/comment-page-1#comment-129</link>
		<dc:creator>TechRepublic - "Storm Worm: The Energizer Bunny of Botnets" &#124; The Spam Cryer</dc:creator>
		<pubDate>Wed, 08 Oct 2008 17:04:59 +0000</pubDate>
		<guid isPermaLink="false">http://www.sudosecure.net/?p=264#comment-129</guid>
		<description>[...] Storm Worm - Go away, we’re not home [...]</description>
		<content:encoded><![CDATA[<p>[...] Storm Worm - Go away, we’re not home [...]</p>
]]></content:encoded>
	</item>
</channel>
</rss>
