Firewall Wizards mailing list archives

Re: Lists of IP's we should be blocking


From: Kevin <kkadow () gmail com>
Date: Sat, 11 Dec 2004 19:46:16 -0600

On Wed, 8 Dec 2004 15:20:57 +0200, Bruce Smith
<bruce_the_loon () worldonline co za> wrote:
> Is there a list of dangerous, evil IP's that should be blocked or at least
> watched closely at the borders of the Internet?

No.

There are a number of special purpose DNSBL and IP blacklists, but the
primary reason there is no one universal block list is, who can we
trust to build and maintain such a list?

Obviously any "edge" gateway should have rules to only permit out
packets showing a legitimate routable internal source (anti-spoofing
egress filters aka URPF), and there is no reason not to block outbound
traffic showing a destination address of your internal network,
RFC-1918 address space, or bogons (unallocated IP space, see here for
details: http://www.cymru.com/Bogons/)


> Addresses like virus targets, root-kit sources and so forth.

This gets tricky, since these tend to move around, and can be innocent
bystanders or otherwise legitimate hosts.


> And what is the group's opinion on the idea of a general purpose dark IP list?

There are legitimate lists of addresses which are not valid on the Internet:
    http://bgphints.ruud.org/articles/bogons.html
    http://www.nanog.org/mtg-0410/pdf/soricelli.pdf

These lists are effective because the contents change only very slowly
(but bear in mind the "69/8" address block problems), and reflect a
legitimate technical distinction between "valid" and "invalid"
addresses.  When you start getting into labeling individual hosts and
networks as "good" and "evil", things can get very messy very quickly.

Kevin
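
The egress rules described in the message above, as an added example (not part of the original post or the list archive): a Python check that classifies outbound flows by source and destination, and shows how a stale bogon list blocks space that has since been allocated (the "69/8" caveat). The internal prefix, the bogon entries and the sample flows are constructed placeholders.

```python
import ipaddress

def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

# Constructed values for illustration; substitute your own prefixes and bogon feed.
INTERNAL = nets("198.51.100.0/24")            # assumed routable block of this site
RFC1918 = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
BOGONS = nets("0.0.0.0/8", "127.0.0.0/8", "240.0.0.0/4")   # stand-in for a current feed
STALE_BOGONS = BOGONS + nets("69.0.0.0/8")    # old copy that still lists 69/8

def egress_verdict(src, dst, internal=INTERNAL, bogons=BOGONS):
    """Return (allow, reason) for one packet leaving the edge gateway."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)

    def hit(addr, table):
        return any(addr in n for n in table)

    if not hit(s, internal):
        return False, "src-not-internal"      # anti-spoofing: only our own sources go out
    if hit(d, internal):
        return False, "dst-internal"          # our own block should never be routed outward
    if hit(d, RFC1918):
        return False, "dst-rfc1918"
    if hit(d, bogons):
        return False, "dst-bogon"
    return True, "ok"

# Constructed (src, dst) pairs as seen on the outbound interface.
SAMPLE_FLOWS = [
    ("198.51.100.10", "203.0.113.80"),   # ordinary outbound traffic
    ("192.168.1.5", "203.0.113.80"),     # private source leaking past NAT
    ("198.51.100.10", "10.1.2.3"),       # RFC 1918 destination
    ("198.51.100.10", "198.51.100.99"),  # destination inside our own block
    ("198.51.100.10", "240.0.0.1"),      # destination in the bogon sample
    ("198.51.100.10", "69.1.2.3"),       # allocated space, listed only in the stale copy
]

def audit(flows, **kw):
    """Reason code per flow, in input order."""
    return [egress_verdict(s, d, **kw)[1] for s, d in flows]

if __name__ == "__main__":
    for flow, now, stale in zip(SAMPLE_FLOWS, audit(SAMPLE_FLOWS),
                                audit(SAMPLE_FLOWS, bogons=STALE_BOGONS)):
        print(flow, "current:", now, "stale:", stale)
```
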