funsec mailing list archives

Re: The Criminal Underground: A Walk on the Dark Side


From: Valdis.Kletnieks () vt edu
Date: Wed, 05 Sep 2007 11:07:50 -0400

On Wed, 05 Sep 2007 08:34:59 EDT, Dude VanWinkle said:

> If we have a way to detect them, we should be able to tell when they
> get a new lease on life, or ipv4.

59.112.229.83 at Aug 17 01:19:39 UTC-0400.  Still same IP, or no?  Note that
this is a *serious* question - it can take 2 weeks for a hacked box to get a
new IP, and the *new* owner of that IP then gets mystified why nothing works.

125.1.71.140 at Sep  3 15:59:28. Still same IP, or no?

201.250.52.183 at Sep  4 14:59:26.  Is that the same IP still, or no?

Let me know if I should blacklist those 3.  Then we'll only have 139,999,997
to go.

> So, according to your theory, we can only blacklist people if we know
> everyone who is compromised, else it's completely useless? I disagree.

No, I'm saying that it's almost completely useless, because you can't make
enough blacklist entries for it to *matter*.  How much time and effort are
you willing to put in to maintaining this blacklist, and how do you intend
to keep it up to date?  Remember - each time a legitimate visitor doesn't
get to your website because of a false positive, it's at *least* a bad PR
event for you, probably a lost customer, and possibly the cost of a tech
support call to find out they're a FP (and note that if you're using a
3rd-party blacklist, the fun and games of getting them unlisted can be
a problem too).

As I said - there are only 2 *sane* ways to approach it anymore:

1) Only allow whitelisted systems - we have a *lot* of boxes that we only
allow access to AS1312 systems, or specific subnets thereof.  Works great, and
the subnets move a lot less than botted systems.

2) Harden your systems against all comers - the broken idea of a blacklist is
that even if you manage to properly list 25% of the boxes, you're now doing
twice the work:

2a) You're maintaining a 20M to 30M entry blacklist, and keeping it up to date.
2b) You're *still* having to defend against the *OTHER* 75%.

Would you even *consider* buying a security system for your house, if you knew
*beforehand* that it would (a) only stop 25% of the burglars, (b) you had to
spend 15 to 20 minutes *every* day fixing it, and (c) 20% of the time, it would
randomly refuse to let invited guests in?

> Security is gained by throwing everything you have at the opposing
> team, not waiting around for a perfect solution to present itself,

I'm not looking for a perfect solution.  I'm looking for one that has a
decent return on the time/resources invested.

> because trust me: you will be waiting a long time. Throw everything
> you can at them, even if it only helps against 5%, that's 5 down, 95
> more to go...

The benefit of lowering it from N to N*0.95 needs to outweigh the costs of
the care and feeding of said beast.
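An added illustration of the two approaches argued above, not code from the thread or from either poster: an allowlist of stable subnets is checked first, and any blacklist entry is only trusted for a limited time, since the message notes a hacked box can get a new IP in about two weeks. The subnets, addresses and sighting times are constructed (documentation ranges), and the class and function names are my own.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Allowlisted subnets are checked first. Constructed documentation ranges stand in
# for the "AS1312 systems, or specific subnets thereof" mentioned in the post.
ALLOW_NETS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/25")]

# How long a blacklist entry is believed. The post says a hacked box can get a new
# address in about two weeks; after that the entry mostly hits the next holder.
DENY_TTL = timedelta(days=14)


class AccessPolicy:
    def __init__(self, allow_nets, default, deny_ttl=DENY_TTL):
        self.allow_nets = allow_nets
        self.default = default      # "allow" for a public site, "deny" for whitelist-only
        self.deny_ttl = deny_ttl
        self.denied = {}            # address -> time it was listed

    def deny(self, ip, listed_at):
        self.denied[ip_address(ip)] = listed_at

    def expire(self, now):
        """Drop entries older than the TTL; returns how many were removed."""
        stale = [a for a, t in self.denied.items() if now - t > self.deny_ttl]
        for a in stale:
            del self.denied[a]
        return len(stale)

    def decide(self, ip, now):
        addr = ip_address(ip)
        if any(addr in net for net in self.allow_nets):
            return "allow"          # allowlisted subnets win and move rarely
        listed_at = self.denied.get(addr)
        if listed_at is not None and now - listed_at <= self.deny_ttl:
            return "deny"
        return self.default         # stale or unknown: fall back to the site's default


def demo():
    seen = datetime(2007, 8, 17, 5, 19, 39, tzinfo=timezone.utc)   # constructed sighting
    now = datetime(2007, 9, 5, 15, 7, 50, tzinfo=timezone.utc)     # 19 days later
    public = AccessPolicy(ALLOW_NETS, default="allow")
    public.deny("203.0.113.83", seen)                    # listed 19 days ago, past TTL
    public.deny("203.0.113.140", now - timedelta(days=2))  # listed 2 days ago
    closed = AccessPolicy(ALLOW_NETS, default="deny")    # approach 1: whitelist only
    return {
        "stale_listing": public.decide("203.0.113.83", now),
        "fresh_listing": public.decide("203.0.113.140", now),
        "expired": public.expire(now),
        "closed_outsider": closed.decide("203.0.113.1", now),
        "closed_member": closed.decide("192.0.2.7", now),
    }
```

The whitelist-only policy never needs the blacklist at all, which is the point of approach 1; the public policy still has to defend against every address that was never listed.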


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
