Re: IP Black list?

[berubes () DISCREET COM (Sebastien Berube)]

Travis is totally right, but even worse, could you immagine what one could
do with a simple port scanner that does spoofing?  With such a simple
tool, you could block ANY IP address and/or netblock on the internet for
all real-time black-hole list subscriber.  That's scary!  There's no easy
solution.  The RBL has the most sensible solution.  Nominations are an
excellent way to go.  If the person being attacked tries to inform the
attacker they will be black listed, and the attacker doesn't respond, then
he deservs to be put on a black list.  And still this solution is not
perfect...

On Mon, 15 May 2000, Travis Pugh wrote:

> Stuart:  I think this is a particularly dangerous idea, both politically
> and from a technical standpoint.  It just turns into a game of
> brinksmanship.
>
> For example, there's a little ISP called PilotNet, who claims to offer
> "secure" internet services.  As part of the package, they tied their IDS
> to their border routers, and blackhole addresses and blocks if they see
> port scans or other questionable behavior.  Sadly, this has led to an
> operational behavior, which all blackholes gravitate toward (sorry*), of
> shooting first and asking questions later.  My experience with the company
> is that a single port scan from one of our shell users was enough for them
> to blackhole the entire subnet, without ever contacting our security
> department or sending an email.
>
> When someone blackholes an address or netblock, they DoS their users,
> too.  This might be an acceptable level of risk for a corporation, but
> ISPs could never get away with it.
>
> The other issue I see is the same one that has popped up with MAPS and
> other spam blackholes.  The "reputable person/organization" and "trusted
> folks" are chosen based on some people's opinions of them, and many others
> might not agree.  This leads to blackholing based on bias or political
> disagreement ... not a good thing.
>
> Of course, I have my own biases.  I'm a network engineer ... global
> reachability is more important to me than removing annoying traffic.
>
> Thanks.
>
> Travis Pugh
> Shore.Net
>
> On Thu, 11 May 2000, Stuart Staniford wrote:
>
> > I'm curious to know what folks think of the idea of a real-time blacklist
> > for misbehaving IP addresses/blocks.  Some reputable person/organization
> > could maintain it, trusted folks known to the co-ordinator could recommend
> > IPs to blockade, and then anyone who chose to could implement the list into
> > router or firewall rules.
> >
> > We could start by putting demon.co.uk into it until they stop spraying the
> > world with bad packets and repeating the same lame excuses for why they
> > still haven't stopped whatever is causing that.  It would also be a good
> > place to put Korean Universities and schools, etc that constantly scan us
> > and never respond to complaints.  If use of it became widespread, this
> > would tend to exert social pressure on bad parts of IP space to clean up
> > their act.  Their users wouldn't be able to get to lots of parts of the
> > Internet until they satisfied the blacklist co-ordinator that the problem
> > was resolved.
> >
> > Thoughts?
> >
> > Stuart.
> >
> > --
> > Stuart Staniford  ---  President  ---  Silicon Defense
> >                    stuart () silicondefense com
> > (707) 445-4355                     (707) 445-4222 (FAX)

--
Sebastien Berube
sebastien.berube () discreet com
Discreet Logic
Tel: (514) 954-7147