Re: The Criminal Underground: A Walk on the Dark Side

["Dude VanWinkle" <dudevanwinkle () gmail com>]

On 9/4/07, Valdis.Kletnieks () vt edu <Valdis.Kletnieks () vt edu> wrote:
> On Tue, 04 Sep 2007 16:20:15 EDT, Dude VanWinkle said:
>
> > So if we know the IP's of "millions of compromised machines" can we
> > get access to a list of those in order to grey/blacklist them?
>
> We know the IP addresses that some of them *used* to have.  Feel free to
> blacklist the address and see the *current* DHCP leaseholder wonder why
> things are breaking.

If we have a way to detect them, we should be able to tell when they
get a new lease on life, or ipv4.

> And Storm is only *part* of it - remember that's only a few million, out
> of Vint Cerf's estimate of 140 million.
>
> When there's 140 million pwned/spywared/etc boxes out of 600M or so, you
> really can only take 2 stances:

So, according to your theory, we can only blacklist people if we know
everyone who is compromised, else its completely useless? I disagree.
Security is gained by throwing everything you have at the opposing
team, not waiting around for a perfect solution to present itself,
because trust me: you will be waiting a long time. Throw everything
you can at them, even if it only helps against 5%, thats 5 down, 95
more to go...

> 1) Don't care and harden the outward-facing side to take on all comers.
> 2) Start whitelisting only known vetted and known systems.

I am also liking the idea of greylisting. If someone snafu's on an RFC
during SMTP, we dont block them forever, just a few min.

-JP
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.