nanog mailing list archives
Re: Worst Offenders/Active Attackers blacklists
From: "Patrick W. Gilmore" <patrick () ianai net>
Date: Tue, 29 Jan 2008 10:02:20 -0500
On Jan 29, 2008, at 9:43 AM, Jim Popovitch wrote:
On Jan 29, 2008 12:58 AM, Patrick W. Gilmore <patrick () ianai net> wrote:A general purpose host or firewall is NOTHING like a mail server.There is no race condition in a mail server, because the server simplywaits until the DNS query is returned. No user is watching the mail queue, if mail is delayed by 1/10 of a second, or even many seconds, nothing happens. Now magine every web page you visit is suddenly paused by 100ms, or 1000ms, or multiple seconds? Imagine that times 100s or 1000s of users. Imagine what your call center would look like the day after you implemented it. (Hint: Something like a smoking crater.) There might be ways around this (e.g. zone transfer / bulk load), but it is still not a good idea. Of course I could be wrong. You shouldn't trust me on this, you should try it in production. Let us know how it works out.Andrew, IIUC, suggested that the default would be to allow while the check was performed.
I read that, but discounted it. There has been more than one single- packet compromise in the past. Not really a good idea to let packets through for a while, _then_ decide to stop them. Kinda closing the bard door after yada yada yada.
Perhaps combine the two? Have a stateful firewall which also checks DNSBLs? I can see why that would be attractive to someone, but still not a good idea. Not to mention no DNSBL operator would let any reasonably sized network query them for every new source address - the load would squash the name servers.
As I mentioned, zone transfer the DNSBL and check against that might add a modicum of usefulness, but still has lots of bad side effects.
Then again, what do I know? Please implement this in production and show me I'm wrong. I smell a huge business opportunity if you can get it to work!
-- TTFN, patrick
Current thread:
- Worst Offenders/Active Attackers blacklists Tomas L. Byrnes (Jan 27)
- Re: Worst Offenders/Active Attackers blacklists Valdis . Kletnieks (Jan 28)
- RE: Worst Offenders/Active Attackers blacklists Jason J. W. Williams (Jan 28)
- Re: Worst Offenders/Active Attackers blacklists Andrew D Kirch (Jan 28)
- Re: Worst Offenders/Active Attackers blacklists Patrick W. Gilmore (Jan 28)
- Re: Worst Offenders/Active Attackers blacklists Jim Popovitch (Jan 29)
- Re: Worst Offenders/Active Attackers blacklists Patrick W. Gilmore (Jan 29)
- Re: Worst Offenders/Active Attackers blacklists Joel Jaeggli (Jan 29)
- Re: Worst Offenders/Active Attackers blacklists Edward B. DREGER (Jan 29)
- Re: Worst Offenders/Active Attackers blacklists Andrew D Kirch (Jan 29)
- Re: Worst Offenders/Active Attackers blacklists Patrick W. Gilmore (Jan 29)
- Re: Worst Offenders/Active Attackers blacklists Edward B. DREGER (Jan 29)
- Re: Worst Offenders/Active Attackers blacklists Patrick W. Gilmore (Jan 29)
- Re: Worst Offenders/Active Attackers blacklists Edward B. DREGER (Jan 29)
- Re: Worst Offenders/Active Attackers blacklists Valdis . Kletnieks (Jan 28)
- RE: Worst Offenders/Active Attackers blacklists Ben Butler (Jan 29)
- Re: Worst Offenders/Active Attackers blacklists Christopher Morrow (Jan 29)