Security Incidents mailing list archives

Re: tin.it and others non collaborative isps.


From: bejtlich () ALTAVISTA NET (Richard Bejtlich)
Date: Tue, 11 Jul 2000 10:24:22 -0000


Hello Osvaldo,

I believe that blocking ISPs should be a short-term 
defensive step, usually taken if the offending host finds a 
vulnerability on your network.  Blocking MAY give you 
enough time to correct the vulnerability, if you have 24x7 
real time monitoring and can fix the problem before the 
black-hat exploits it.

On another level, blocking in response to any perceived 
malicious activity must be weighed against other factors.  
Determined black-hats laugh at blocking, as they maintain 
multiple compromised hosts as staging points.  Also, one 
can trivially conduct a decoy attack, causing you to block 
traffic from completely innocent sites.

For these reasons and more, I could not support an 
IP "black list."  I do believe sites which advertise "smurf 
amplifying networks" are useful, as their scope is limited 
and the accuracy easily verifiable.

Richard Bejtlich

--

IMHO it's a good idea if we unite and block IPs from ISPs like
tin.it. They will collaborate as soon as their clients start to
complain that they can't access some address. What about a page
that contains all the IPs that we must block and the reasons for
that?

--

 Osvaldo Janeri Filho


