web application security lab

ThreatSTOP Anti-Botnet DNS

I was asked to take a look at ThreatSTOP the other day. Although it's not very clear from the website, after signing up I found out the basics. It's essentially a lot like OpenDNS. In fact, it's so much like OpenDNS that I actually confused id when I said what it was, because he thought that's what I was talking about. It's not exactly like OpenDNS, though; there are a few differences.

First the similarities. They both rely on DNS to protect consumers (not websites) from contacting "bad" sites. They both require that you use their servers to perform the lookups on your behalf. They also share some of the same negatives: attackers who reach hosts by raw IP address never trigger a DNS lookup, so this mitigation does not affect them. It's always reactive, meaning it won't block you from going somewhere until it already knows that place is bad. And if you're paranoid, don't forget that both services get to see every site you intend to contact.

Now for the differences. It appears that OpenDNS has quite a bit of added customization that you can put in front of it, allowing customized blocklists. OpenDNS also uses a block page, which theoretically could see the actual URLs you are going to (since it answers the DNS query with its own address rather than simply refusing the request, the browser then sends the full request, URL included, to that block page). Lastly, and the most important difference between the two: OpenDNS focuses on phishing and ThreatSTOP focuses on malware-infested websites.

Maybe one of the two companies should just buy the other? Not that I use this kind of stuff, but for those who do, it seems like you’d want to be protected from both threats as a consumer, not just one or the other.

7 Responses to “ThreatSTOP Anti-Botnet DNS”

  1. David Ulevitch Says:

    Actually, I think we're quite different, complementary I'm sure though. They seem to have a MAPS style feed but over DNS, versus a recursive DNS solution. They just don't show people how to forward the threatstop.local zone, so they tell you to use their recursive nameserver. We'd be happy to help them out, if they'd like.

  2. Tom Byrnes Says:

    Tom Byrnes here.
    I’m the CTO of ThreatSTOP.
    Our service is quite a bit different from OpenDNS. OpenDNS works by redirecting DNS queries for sites that they have determined are malicious, a misspelling, or other issue to a google adwords page. It’s a one size fits all solution, and it is very effective, with a simple, effective, revenue model: they get adwords revenue when you click on the links on the redirected pages.
    We work by propagating block lists (actually, block, allow, and QOS prioritization, for our paying customers) as DNS forward lookups. These are then used by firewalls and other network elements in forwarding and blocking rules. Our service is designed to allow customized lists for individual users. Our free service is a one-size-fits-all, but it is up to the person configuring the firewall to decide what to do with hosts on our lists. You can use our service with, or without, OpenDNS. Our service has the advantage that we DO catch the IP-address-based hack, since the rules are enforced on an IP address basis.
    Our focus at the moment is mostly on network worm traffic.
    Currently we don’t propagate a Phishing list, but we may in the future. In the meantime, OpenDNS, which is run by Phishtank, is a very good way to block at least some phish (the kind with URLs, not IP addresses).
    As far as forwarding our zones, we chose .local precisely to prevent that. We want to make sure our lists are not subject to cache poisoning, and that the custom lists created by our pay subscribers are not able to be seen by others. Obviously, anyone with a legitimate subscription can set their nameserver to forward requests for threatstop.local to our nameservers, but the public DNS will not recurse that zone. If you want to use our wide-open zones, we are currently propagating our basic service under in order to help stomp out the storm worm.
    Thanks for your interest in ThreatSTOP. To learn more, visit our website.

  3. Tom Byrnes Says:

    One last thing: We don’t work as a proxy. Your traffic never touches our hosts (BTW, nor does your traffic when using OpenDNS, they just answer DNS queries). Your nameserver queries may, if you are using us for full recursion (the simplest configuration, but, as noted above, you can use a per-zone forwarder to only resolve threatstop.local via our servers). You can send us your logs, but that is up to you. If you do, we will tell you what entries were in what lists, and feed your denies to DShield so that the community gains in protection from your information.
    ThreatSTOP is a pull, not a push, service. All the traffic is managed by your own devices. We just keep them updated with threat information.
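    As an added example of the pull model Tom describes in his two comments (this is not ThreatSTOP's or the blog's code): a firewall-side script resolves a block list and an allow list as A records, lets allow entries override block entries, and renders per-IP rules, so a host contacted by raw IP is still matched. The zone name threatstop.local is from the comment; the list labels basic.block and basic.allow, the addresses, and the resolver answers are constructed so the script runs offline.

```python
"""Consume block/allow lists published as DNS A records and emit firewall rules.

Added example, not ThreatSTOP's own code. The zone threatstop.local comes
from the comment above; the list labels (basic.block / basic.allow) and the
resolver answers below are constructed so the script runs offline.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

IPSet = Set[ipaddress.IPv4Address]

# Constructed stand-in for the answers a forwarder for threatstop.local would return.
FAKE_ANSWERS: Dict[str, List[str]] = {
    "basic.block.threatstop.local": ["192.0.2.11", "198.51.100.7", "192.0.2.10"],
    "basic.allow.threatstop.local": ["192.0.2.11"],
}


def resolve_a(name: str) -> List[str]:
    """Stub of a forward A-record lookup; a real pull would ask the resolver."""
    return list(FAKE_ANSWERS.get(name, []))


def pull_lists(block_name: str, allow_name: str) -> Tuple[IPSet, IPSet]:
    """Pull both lists; an address on the allow list is never blocked."""
    allowed = {ipaddress.IPv4Address(a) for a in resolve_a(allow_name)}
    blocked = {ipaddress.IPv4Address(a) for a in resolve_a(block_name)} - allowed
    return allowed, blocked


def is_blocked(ip: str, allowed: IPSet, blocked: IPSet) -> bool:
    """Rules are enforced per IP, so a client that dials an address directly
    is still caught; hostnames never enter the decision."""
    addr = ipaddress.IPv4Address(ip)
    return addr not in allowed and addr in blocked


def iptables_lines(allowed: IPSet, blocked: IPSet, chain: str = "THREATSTOP") -> List[str]:
    """Render a refreshable chain: flush it, add allow entries first, then drops."""
    lines = [f"iptables -F {chain}"]
    lines += [f"iptables -A {chain} -s {ip} -j RETURN" for ip in sorted(allowed)]
    lines += [f"iptables -A {chain} -s {ip} -j DROP" for ip in sorted(blocked)]
    return lines


if __name__ == "__main__":
    allow, block = pull_lists("basic.block.threatstop.local",
                              "basic.allow.threatstop.local")
    print("\n".join(iptables_lines(allow, block)))
```

    Re-running the script on a timer is the "pull" in Tom's description: the firewall refreshes its own chain from the lists rather than having anything pushed to it.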

  4. id Says:

    So you have complementary services, but they can't both be used at the same time. Is there a solution that combines the best of both?

  5. David Ulevitch Says:

    They can be used at the same time. What’s your architecture?

  6. felosi Says:

    heh, blocklists = wishful thinking and a waste of firewall rules. You wouldn't have enough resources to block every shit country and bad range there is.
    Best thing to do is just react. Well, hell, any server admin with common sense wouldn't use such crap.

    Sure, you are gonna have to ban some /16 and /8 ranges sometimes, but if your firewall is loaded with all this blocklist shit that's just gonna make it even harder to manage the attack then (slow firewall reloading, slower network performance from so many loaded denies).

    I don't know if it's just me. I have one machine with 96 IPs and the others all have 16, and I try to minimize firewall rules as much as possible while still getting the job done. And I've tried these blocklists too.

    Only a real noob admin would use something like that in the first place. They must have some serious doubts about their ability to have to block all IPs they think are bad or bad countries. I mean, do they seriously think that this will make them safe? Or help in any way? Really, be realistic here.

    Anyway, if I offended anyone I apologize, just giving my opinion about these blocklist sites.

  7. felosi Says:

    I wrote a short article explaining why these blocklists are highly ineffective and unreasonable.