Firewall Wizards mailing list archives
RE: Lists of IP's we should be blocking
From: "Bruce Smith" <bruce_the_loon () worldonline co za>
Date: Mon, 13 Dec 2004 00:04:07 +0200
Well, I seem to have stirred up a hornet nest here. On a professional level I wouldn't like to cut legitimate clients off. On a personal level I believe that all hackers (in the criminal sense of the word) should be hung from the nearest flagpole, or absenting that, covered in honey and staked over an ant nest. They're like the drivers in South Africa, no respect for anyone else and full speed ahead and damn the consequences. And when they're caught, it's blame my upbringing, blame the system for not controlling me, but no admitting they did anything wrong and that they've been a bad boy. Or girl. </rant> :)

Maybe we should be running blacklists for networks that do not react to infections or trojans. Maybe we should be cutting users who can't be bothered to patch security holes, or even understand that they're being moronic about their attitudes. Look at the anti-spam open relays, I know how fast I used to react when someone listed our mail servers. Now we patch ahead of time.

It's all blame the hacker, blame the writer of the program, blame the insecure operating system or lack of firewalling or whatever. Slashdot carried an article about George Tenet saying that only security-aware people should be allowed access to the global internet and the users. And the slashdotters laid into the civil rights violations and free speech issues and anonymity. I agree Tenet's idea is harsh and a little overbearing, but it's about damn time that we took responsibility for what we do with ourselves.

Now here's a plan I've been working on, and partly built in our network. It's a temporary blacklist based on Snort IDS and our PIXes. Working from inside to out, if Snort detects an intrusion on the network, we dynamically throw them into the shun list for five minutes at which point they get opened again. If the machine immediately triggers the same intrusion again, back it goes, this time for ten minutes. It was designed to block off peer-to-peer users from running Kazaa etc, but we've extended to a few other things.

So what about this? You take several hundred Snort-based detectors scattered around the Internet, all reporting to a small number of highly secure machines via custom software. These IDS keep a lookout for a limited number of intrusions and report first and repeat offenses to the central machines. Based on frequency of offenses, number of repeat offenses and severity of the offense, the source of the offense goes into a blacklist and e-mail is sent to the abuse@ address. Use this to put pressure on ISPs to detect and block this sort of thing in the same way, offer them the software solution for free to let them do it.

I think that's enough for now. Any more and I'll probably go off the deep end or stick a deny all as the first line rule in my firewall. :)

Cheers
Bruce

-----Original Message-----
From: Crispin Cowan [mailto:crispin () immunix com]
Sent: 12 December 2004 10:05 PM
To: Paul D. Robertson
Cc: Adam Shostack; Bruce Smith; firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Lists of IP's we should be blocking

Paul D. Robertson wrote:
I've been playing a little with a contact Web site[1][2] that "introduces" folks by degrees of separation- I'm wondering if we could whitelist 90% of the Internet that way with some relatively simple mail parsing programs and a web of trust of a couple hundred people on this list?
With the number of viruses that I receive that presumably come from some associate of mine who (a) has me in their address book and (b) is infected, I disbelieve that a white list of people who are vetted to be well-intentioned would be significantly useful. Now, a white list of people who are vetted to be well-intentioned and *not running Windows*, that would be useful :)

Crispin
--
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
CTO, Immunix http://immunix.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
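The escalating shun list Bruce describes above (Snort alert, PIX shun for five minutes, ten minutes on the next repeat of the same signature) as an added worked example. This is my illustration of the mechanism, not code from Bruce, from the list, or from Snort or Cisco. It assumes Snort's one-line "fast" alert format, escalates linearly beyond the two steps the post gives (5, 10, 15 ... minutes, my assumption), forgets a host's repeat count after 24 hours of quiet (also my assumption), and the SIDs, hosts and addresses in the sample alerts are constructed. The output is rendered as PIX `shun` / `no shun` command lines; the example only builds the strings and talks to no device.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# One Snort "fast" alert line. The constructed sample lines below follow this layout;
# the SIDs (9000001/9000002) and addresses are made up for the example.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\].*?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+\s*$"
)

@dataclass
class Alert:
    when: datetime
    sid: int
    msg: str
    priority: int
    src: str
    dst: str

def parse_alert(line: str, year: int = 2004) -> Optional[Alert]:
    """Parse one fast-alert line; Snort omits the year, so the caller supplies it."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f").replace(year=year)
    return Alert(when, int(m["sid"]), m["msg"], int(m["prio"]), m["src"], m["dst"])

@dataclass
class Offender:
    offenses: int = 0                  # repeats of this (src, sid) pair so far
    last_seen: Optional[datetime] = None

Action = Tuple[str, str, int]          # (verb, source ip, shun minutes)

class EscalatingShunList:
    """First offence: shun for `base`; each repeat of the same signature adds another
    `base` (5, 10, 15 ... minutes). The repeat count is forgotten after `forget_after`
    of quiet. Both rules beyond the 5 -> 10 minute step are assumptions."""

    def __init__(self, base=timedelta(minutes=5), forget_after=timedelta(hours=24)):
        self.base = base
        self.forget_after = forget_after
        self.offenders: Dict[Tuple[str, int], Offender] = {}
        self.active: Dict[str, datetime] = {}   # src ip -> when its current shun expires

    def expire(self, now: datetime) -> List[Action]:
        """Release shuns whose time is up. A real deployment would drive this from a
        timer, not only when the next alert happens to arrive."""
        released = []
        for src, until in list(self.active.items()):
            if until <= now:
                del self.active[src]
                released.append(("no shun", src, 0))
        return released

    def observe(self, a: Alert) -> List[Action]:
        actions = self.expire(a.when)
        if a.src in self.active:
            return actions     # already shunned; the firewall should be dropping this host
        rec = self.offenders.setdefault((a.src, a.sid), Offender())
        if rec.last_seen is not None and a.when - rec.last_seen > self.forget_after:
            rec.offenses = 0   # long quiet spell: start the escalation over
        rec.offenses += 1
        rec.last_seen = a.when
        duration = self.base * rec.offenses
        self.active[a.src] = a.when + duration
        actions.append(("shun", a.src, int(duration.total_seconds() // 60)))
        return actions

def pix_command(action: Action) -> str:
    """Render the PIX CLI line for an action: `shun <ip>` or `no shun <ip>`."""
    verb, src, _ = action
    return f"{verb} {src}"

def run(alert_text: str) -> List[Action]:
    """Feed a batch of alert lines through the shun list, in time order."""
    alerts = [a for a in (parse_alert(l) for l in alert_text.splitlines()) if a]
    alerts.sort(key=lambda a: a.when)   # shun decisions only make sense chronologically
    shunlist = EscalatingShunList()
    actions: List[Action] = []
    for a in alerts:
        actions.extend(shunlist.observe(a))
    return actions

# Constructed sample: host 10.1.2.3 trips the same P2P signature four times, 10.1.2.9 once.
SAMPLE_ALERTS = """\
12/12-22:05:01.000000 [**] [1:9000001:1] SAMPLE P2P Kazaa client traffic [**] [Classification: Potential Corporate Privacy Violation] [Priority: 2] {TCP} 10.1.2.3:1214 -> 203.0.113.5:1214
12/12-22:05:30.000000 [**] [1:9000001:1] SAMPLE P2P Kazaa client traffic [**] [Classification: Potential Corporate Privacy Violation] [Priority: 2] {TCP} 10.1.2.3:1214 -> 203.0.113.6:1214
12/12-22:07:00.000000 [**] [1:9000002:1] SAMPLE scan from another host [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.2.9:4000 -> 10.1.5.5:445
12/12-22:10:05.000000 [**] [1:9000001:1] SAMPLE P2P Kazaa client traffic [**] [Classification: Potential Corporate Privacy Violation] [Priority: 2] {TCP} 10.1.2.3:1215 -> 203.0.113.7:1214
12/12-22:20:10.000000 [**] [1:9000001:1] SAMPLE P2P Kazaa client traffic [**] [Classification: Potential Corporate Privacy Violation] [Priority: 2] {TCP} 10.1.2.3:1216 -> 203.0.113.8:1214
"""

if __name__ == "__main__":
    for act in run(SAMPLE_ALERTS):
        print(pix_command(act), f"({act[2]} min)" if act[0] == "shun" else "")
```

On the sample, 10.1.2.3 is shunned for 5 minutes at 22:05:01, its second alert at 22:05:30 is ignored because the host is already blocked, and the alerts at 22:10:05 and 22:20:10 (each arriving just after the previous shun expired) earn 10 and then 15 minutes. Keying the repeat count on the (source, signature) pair is what makes "the same intrusion again" escalate while an unrelated alert from the same host starts at the base duration; the same table, with `priority` weighting the duration, is the natural place to hang the frequency-and-severity scoring of the distributed-sensor idea in the post.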