Firewall Wizards mailing list archives

RE: Lists of IP's we should be blocking


From: "Bruce Smith" <bruce_the_loon () worldonline co za>
Date: Mon, 13 Dec 2004 00:04:07 +0200

Well, I seem to have stirred up a hornet nest here.

On a professional level I wouldn't like to cut legitimate clients off. On a
personal level I believe that all hackers (in the criminal sense of the
word) should be hung from the nearest flagpole, or absent that, covered
in honey and staked over an ant nest. They're like the drivers in South
Africa, no respect for anyone else and full speed ahead and damn the
consequences. And when they're caught, it's blame my upbringing, blame the
system for not controlling me, but no admitting they did anything wrong and
that they've been a bad boy. Or girl.

</rant> :)

Maybe we should be running blacklists for networks that do not react to
infections or trojans. Maybe we should be cutting users who can't be
bothered to patch security holes, or even understand that they're being
moronic about their attitudes. Look at the anti-spam open relays, I know how
fast I used to react when someone listed our mail servers. Now we patch
ahead of time.

It's all blame the hacker, blame the writer of the program, blame the
insecure operating system or lack of firewalling or whatever. Slashdot
carried an article about George Tenet saying that only security-aware people
should be allowed access to the global internet and the users. And the
slashdotters laid into the civil rights violations and free speech issues
and anonymity. I agree Tenet's idea is harsh and a little overbearing, but
it's about damn time that we took responsibility for what we do with
ourselves.

Now here's a plan I've been working on, and partly built in our network.
It's a temporary blacklist based on Snort IDS and our PIXes. Working from
inside to out, if Snort detects an intrusion on the network, we dynamically
throw them into the shun list for five minutes at which point they get
opened again. If the machine immediately triggers the same intrusion again,
back it goes, this time for ten minutes. It was designed to block off
peer-to-peer users from running Kazaa etc, but we've extended it to a few other
things.

So what about this? You take several hundred Snort-based detectors scattered
around the Internet, all reporting to a small number of highly secure
machines via custom software. These IDS keep a lookout for a limited number of
intrusions and report first and repeat offenses to the central machines.
Based on frequency of offenses, number of repeat offenses and severity of
the offense, the source of the offense goes into a blacklist and e-mail is
sent to the abuse@ address. Use this to put pressure on ISPs to detect and
block this sort of thing in the same way, offer them the software solution
for free to let them do it.

I think that's enough for now. Any more and I'll probably go off the deep
end and stick a deny all as the first line rule in my firewall. :)

Cheers

Bruce
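The escalating Snort-driven shun list and the central reporting scheme sketched in the message above, as an added example (not the poster's own scripts or PIX configuration). It models the stated behaviour, a five-minute shun on first detection and ten minutes when the same intrusion immediately repeats, and generalises it: later repeats keep doubling, a re-trigger within `REPEAT_WINDOW` seconds of release counts as "immediate", and the central scorer's severity weights, threshold and two-sensor requirement are all assumptions introduced here. The `shun`/`no shun` strings follow PIX command syntax; the sample alerts are constructed.

```python
"""Escalating IDS-driven shun list plus a central blacklist scorer (added example)."""
from collections import defaultdict
from dataclasses import dataclass

FIRST_SHUN = 5 * 60     # five minutes on the first offense, as in the post
REPEAT_WINDOW = 60      # assumption: a re-trigger within 60 s of release is "immediate"
SEVERITY = {"low": 1, "medium": 3, "high": 5}   # assumption: central scoring weights


@dataclass
class Offender:
    strikes: int = 0            # consecutive immediate repeats of the same signature
    last_sig: str = ""
    shunned_until: float = 0.0  # epoch seconds; 0 means never shunned


class ShunList:
    """Tracks sources blocked on the firewall and escalates repeat offenders."""

    def __init__(self, first=FIRST_SHUN, repeat_window=REPEAT_WINDOW):
        self.first = first
        self.repeat_window = repeat_window
        self.offenders: dict[str, Offender] = {}

    def is_shunned(self, src, now):
        o = self.offenders.get(src)
        return o is not None and now < o.shunned_until

    def on_alert(self, src, sig, now):
        """Handle one IDS alert; return the shun duration applied (0 if already blocked)."""
        if self.is_shunned(src, now):
            return 0                      # firewall is already dropping this source
        o = self.offenders.setdefault(src, Offender())
        immediate_repeat = (o.strikes > 0 and sig == o.last_sig
                            and now - o.shunned_until <= self.repeat_window)
        # Same intrusion right after release escalates; anything else starts over.
        o.strikes = o.strikes + 1 if immediate_repeat else 1
        duration = self.first * 2 ** (o.strikes - 1)   # 5, 10, 20 ... minutes (doubling assumed)
        o.last_sig = sig
        o.shunned_until = now + duration
        return duration

    def firewall_commands(self, now):
        """PIX-style commands reflecting the current state of every tracked source."""
        return [f"shun {src}" if now < o.shunned_until else f"no shun {src}"
                for src, o in sorted(self.offenders.items())]


class CentralCollector:
    """Aggregates reports from many sensors; blacklists by severity, repeats and spread."""

    def __init__(self, threshold=10, min_sensors=2):
        self.threshold = threshold
        self.min_sensors = min_sensors
        self.reports = defaultdict(list)   # src -> [(sensor, signature, severity)]

    def report(self, sensor, src, sig, severity):
        self.reports[src].append((sensor, sig, severity))

    def score(self, src):
        reps = self.reports[src]
        sigs = [s for _, s, _ in reps]
        repeats = len(sigs) - len(set(sigs))          # same signature seen again
        return sum(SEVERITY[sev] for _, _, sev in reps) + 2 * repeats

    def blacklist(self):
        """Sources over threshold that were seen by at least min_sensors independent sensors."""
        return sorted(src for src in self.reports
                      if self.score(src) >= self.threshold
                      and len({s for s, _, _ in self.reports[src]}) >= self.min_sensors)

    def abuse_notice(self, src):
        """Draft the e-mail body that would go to the abuse@ contact for src's network."""
        lines = [f"Source {src} was reported by {len(self.reports[src])} sensor alert(s):"]
        lines += [f"  {sensor}: {sig} ({sev})" for sensor, sig, sev in self.reports[src]]
        return "\n".join(lines)


def demo():
    """Constructed scenario: one Kazaa user on the LAN, three sources seen by remote sensors."""
    shun = ShunList()
    first = shun.on_alert("10.0.0.5", "P2P Kazaa", 0)        # 300 s
    second = shun.on_alert("10.0.0.5", "P2P Kazaa", 310)     # 10 s after release -> 600 s
    third = shun.on_alert("10.0.0.5", "P2P Kazaa", 911)      # 1 s after release -> 1200 s
    reset = shun.on_alert("10.0.0.5", "P2P Kazaa", 3111)     # 1000 s after release -> back to 300 s

    central = CentralCollector()
    central.report("sensor-A", "192.0.2.10", "SCAN", "high")
    central.report("sensor-B", "192.0.2.10", "SCAN", "high")     # repeat, two sensors
    for _ in range(3):
        central.report("sensor-A", "198.51.100.7", "SCAN", "high")  # high score, one sensor only
    central.report("sensor-A", "203.0.113.3", "PROBE", "low")
    central.report("sensor-B", "203.0.113.3", "PROBE", "low")       # two sensors, low score
    return {"durations": [first, second, third, reset],
            "blacklist": central.blacklist(),
            "commands": shun.firewall_commands(3200)}


if __name__ == "__main__":
    print(demo())
```

The reset branch matters in practice: without it a host that tripped a signature once and then behaved for an hour would still be one strike from a long shun, which is exactly the sort of thing that cuts off a legitimate client.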



-----Original Message-----
From: Crispin Cowan [mailto:crispin () immunix com] 
Sent: 12 December 2004 10:05 PM
To: Paul D. Robertson
Cc: Adam Shostack; Bruce Smith; firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Lists of IP's we should be blocking


Paul D. Robertson wrote:

I've been playing a little with a contact Web site[1][2] that 
"introduces" folks by degrees of separation-  I'm wondering if we could 
whitelist 90% of the Internet that way with some relatively simple mail 
parsing programs and a web of trust of a couple hundred people on this 
list?
 

With the number of viruses that I receive that presumably come from some 
associate of mine who (a) has me in their address book and (b) is 
infected, I disbelieve that a white list of people who are vetted to be 
well-intentioned would be significantly useful.

Now, a white list of people who are vetted to be well-intentioned and 
*not running Windows*, that would be useful :)

Crispin

-- 
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

