Security Incidents mailing list archives

IP Black list - GET REAL


From: roelof () SENSEPOST COM (Roelof Temmingh)
Date: Tue, 16 May 2000 01:05:49 +0200


IP Blacklisting on the Internet? (the IQ here is clearly room temperature)

Blocking IP blocks is like giving a flu patient an aspirin - you are not
treating the cause. Good security practices and proper user education will go
much further in solving the problem.

If you design an access control system, do you enforce the control at the
client? No - you do it at the server. Same thing here.

If you config a firewall, do you firewall at all the client sites? No - you
firewall the server. Same thing here.

If you block IPs, do you do it at the source? No - you block it at the
destination. Take a guess...same thing here.

The system will never be effective. I am thinking about web proxies,
anonymizers, anonymous shell servers, cybercafes. Are you going to block the
source of all the bad guys on the Internet? Wake up... How do you handle dynamically
allocated IPs to dial-in users? Block the whole of the ISP? DHCP-allocated IPs
to corporations? Block the whole corporation? What about entire corporations
behind a NAT firewall? One IP number represents 15000 users. Are you prepared
to pull the plug on 1000s of innocent Internet users? Can you spell revolution?

What about if I spoof a DDoS attack from YOUR IP to the NSA? You would not like
that now, would you?

Who decides who goes on and off the blacklist? Hmmm...today, information =
money. Control information and you control money. And money makes the world go
around...(or so they say)

It will never be close to 100% effective. The time and money spent to keep such
a thing in place and running smoothly will not be worth the effort. Can you
spell long-and-expensive-court-cases? It will cause a revolution, and will
create a body that will have complete control on what runs on the Internet's
wires...and we don't want that, do we? DO WE?!?

So - kill this thread - it is going nowhere fast.

Regards,
Roelof.

PS: sorry if all of this sounds harsh - yes, I am indeed having a bad day.

------------------------------------------------------
Roelof W Temmingh               SensePost IT security
roelof () sensepost com         +27 83 448 6996
http://www.sensepost.com

