Security Incidents mailing list archives
Re: blackholing t-dialin.net? sympatico.ca?
From: Jose Nazario <jose () BIOCSERVER BIOC CWRU EDU>
Date: Thu, 8 Mar 2001 12:12:57 -0500
On Thu, 8 Mar 2001, Robert G. Ferrell wrote: [snip]
> what you have effectively accomplished is to elevate the script kiddie from a mere port scanner to the instigator of large scale denial of service attack (depending, of course, on how far upstream you institute the blacklist).
not quite. they can't see me, fine. legit customers and the few bad apples can't see me. i *hope* the legit customers bitch and moan at the ISPs that have dialups blacklisted, inquire why the hell they can't connect to sites and this pressure forces the ISP to start reacting. and reacting in a timely fashion.
> This is a difficult issue, admittedly, but my personal belief is that putting up with people rattling the doors in your neighborhood is on the whole preferable to cordoning off the entire block.
take this analogy one step further, this is essentially moving, in some ways, to a gated community, and in others to profiling. i'm not in favor of profiling, and gated communities give me the willies, but i am just wondering if it's worth it to start raising the issue, like i described above, and force the ISPs to evaluate their practices.

in a nutshell, i've heard two lines here so far: sympatico and t-dialin service HUGE portions of their respective countries (Canada and Germany). i have colleagues in those countries, and i really like Canada (haven't yet been to Germany). however, let's face it: problem areas are problem areas. i don't hesitate to screen dialup SMTP access from uu.net, it's cut down on my spam tremendously. why not go a step further and start blocking the whole dialup ranges of networks that have demonstrated, in my experience, a lack of resolve in responding to reports?

while some of you have heard back from t-dialin or sympatico in a timely fashion, i haven't. t-dialin DOESN'T send anything but an autoreply, and sympatico took four months on the last note i sent them. that's not too impressive in my book.

getting back to the largeness of those networks, is it that they're just SO huge, and cutting their margins SO thin that they can't afford to go digging up dialin logs on every portscan report? probably. i see this also, here in the US, with ATT's network and Sprint's network, among others. i know many of you do, too.

i guess this is the larger question: if i can get/steal/abuse a dialup connection from a large carrier with impunity, what the hell am i doing wearing a white hat in this too often boring job?

thanks, i hope my rhetoric isn't (too) inflammatory. i only wanted to start discussing these questions (large ISPs and their reactions, and is it worth it to start blackholing dialup lines). i appreciate the professionalism we've so far maintained, i'm not interested in a flamewar, and i bet none of you are, either.
____________________________
jose nazario    jose () cwru edu
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)