funsec mailing list archives
Re: The Criminal Underground: A Walk on the Dark Side
From: Valdis.Kletnieks () vt edu
Date: Wed, 05 Sep 2007 11:07:50 -0400
On Wed, 05 Sep 2007 08:34:59 EDT, Dude VanWinkle said:

> If we have a way to detect them, we should be able to tell when they get a new lease on life, or ipv4.

59.112.229.83 at Aug 17 01:19:39 UTC-0400. Still same IP, or no? Note that this is a *serious* question - it can take 2 weeks for a hacked box to get a new IP, and the *new* owner of that IP then gets mystified why nothing works.

125.1.71.140 at Sep 3 15:59:28. Still same IP, or no?

201.250.52.183 at Sep 4 14:59:26. Is that the same IP still, or no?

Let me know if I should blacklist those 3. Then we'll only have 139,999,997 to go.

> So, according to your theory, we can only blacklist people if we know everyone who is compromised, else it's completely useless? I disagree.

No, I'm saying that it's almost completely useless, because you can't make enough blacklist entries for it to *matter*. How much time and effort are you willing to put into maintaining this blacklist, and how do you intend to keep it up to date? Remember - each time a legitimate visitor doesn't get to your website because of a false positive, it's at *least* a bad PR event for you, probably a lost customer, and possibly the cost of a tech support call to find out they're an FP (and note that if you're using a 3rd-party blacklist, the fun and games of getting them unlisted can be a problem too).

As I said - there are only 2 *sane* ways to approach it anymore:

1) Only allow whitelisted systems - we have a *lot* of boxes that we only allow access to AS1312 systems, or specific subnets thereof. Works great, and the subnets move a lot less than botted systems.

2) Harden your systems against all comers - the broken idea of a blacklist is that even if you manage to properly list 25% of the boxes, you're now doing twice the work:

2a) You're maintaining a 20M to 30M entry blacklist, and keeping it up to date.

2b) You're *still* having to defend against the *OTHER* 75%.

Would you even *consider* buying a security system for your house, if you knew *beforehand* that it would (a) only stop 25% of the burglars, (b) you had to spend 15 to 20 minutes *every* day fixing it, and (c) 20% of the time, it would randomly refuse to let invited guests in?

> Security is gained by throwing everything you have at the opposing team, not waiting around for a perfect solution to present itself,

I'm not looking for a perfect solution. I'm looking for one that has a decent return on the time/resources invested.

> because trust me: you will be waiting a long time. Throw everything you can at them, even if it only helps against 5%, that's 5 down, 95 more to go...

The benefit of lowering it from N to N*0.95 needs to outweigh the costs of the care and feeding of said beast.
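The staleness argument above (a botted box gets a new IP in about 2 weeks and the listed address then belongs to someone else), as an added toy simulation that is not part of the thread: hosts are re-leased fresh addresses every 14 days, a reactive blacklist records addresses seen attacking, and we measure how much of the list now points at clean hosts against how many bots it still covers. Host count, infection rate, observation probability and the TTL are constructed assumptions.

```python
import random


def simulate_blacklist(hosts=10_000, infected_frac=0.02, lease_days=14,
                       observe_prob=0.1, days=60, ttl_days=None, seed=1):
    """Toy model of a reactive IP blacklist under periodic IP reassignment.

    Returns a dict with:
      coverage        share of botted hosts whose *current* IP is listed
      stale_fraction  share of list entries now held by a clean host, i.e.
                      false positives waiting to happen
      entries         size of the list being maintained
    All parameters are constructed assumptions, not measurements.
    """
    rng = random.Random(seed)
    botted = set(rng.sample(range(hosts), int(hosts * infected_frac)))
    ip_of = list(range(hosts))   # host index -> the IP it currently holds
    listed = {}                  # ip -> last day it was seen attacking

    for day in range(days):
        if day and day % lease_days == 0:
            rng.shuffle(ip_of)   # lease expiry: every host gets a new IP
        for host in botted:      # each bot is caught with some probability
            if rng.random() < observe_prob:
                listed[ip_of[host]] = day
        if ttl_days is not None: # optional expiry of old entries
            listed = {ip: d for ip, d in listed.items() if day - d < ttl_days}

    owner_of = {ip: host for host, ip in enumerate(ip_of)}
    covered = sum(ip_of[host] in listed for host in botted)
    stale = sum(owner_of[ip] not in botted for ip in listed)
    return {
        "coverage": covered / len(botted),
        "stale_fraction": stale / max(len(listed), 1),
        "entries": len(listed),
    }


if __name__ == "__main__":
    # No expiry: the list keeps growing, and most of it points at clean hosts.
    print("no TTL :", simulate_blacklist())
    # Aggressive expiry: no stale entries, but coverage drops as well.
    print("TTL 3d :", simulate_blacklist(ttl_days=3))
```

Expiring entries faster than the lease period removes the stale ones, but only at the price of covering fewer of the bots, which is the trade-off the thread is arguing about.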
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.