Uninformed: Informative Information for the Uninformed

Vol 1» 2005.May


Methods of Prevention

Now that a payload has been defined that is capable of bypassing standard outbound filters, the next step is to determine potential solutions that could assist in preventing such techniques. Though efforts can be made elsewhere to prevent exploitation in the first place, it is still prudent to analyze approaches that could be taken to prevent a payload like the one described in this document from being used in a real-world scenario. The primary concern when implementing a prevention mechanism, however, is that it must not also prevent normal user traffic from working as expected, and it should be robust enough to catch future mutations of the same technique. A failure on either of these points is an indication that the prevention method is not entirely viable or sound. With that in mind, two potential methods of prevention will be described in this chapter, though neither of them should be seen as a complete method of prevention. The key point, again, is that as long as it's possible for a user to communicate with the internet, it will also be possible for an attacker to simulate traffic that looks as if it's coming from a user.
