Security Incidents mailing list archives

Re: IP Black list?


From: jose () BIOCSERVER BIOC CWRU EDU (Jose Nazario)
Date: Mon, 15 May 2000 16:47:41 -0400


On Mon, 15 May 2000, Travis Pugh wrote:

> Stuart:  I think this is a particularly dangerous idea, both politically
> and from a technical standpoint.  It just turns into a game of
> brinksmanship.

agreed. the best thing to do seems to be an open forum of discussion about
incidents, sources and type of incidents. provide as much info as
possible, and let others safeguard their networks as they see fit.

example: recently, a well known machine was involved in ongoing security
incidents around the world for about two months. it was reported to two of
the main outlets for incident discussions, several sites communicated
openly and privately about the incidents and how it was being handled, and
chose to handle it as they saw fit.

a single portscan that is unverified as to the true source (nmap -D
anyone?) isn't worth RBLing a domain over. but a domain that has shown to
be unresponsive or otherwise uninterested in fixing well established
security problems should be blacklisted at people's choice.

keep the discussions open and reasonable, that's our best defense in the
absence of packet layer authentication (i.e. IPsec). now if only more sites
would openly discuss security incidents, we'd have more data to go on.

jose nazario                                    jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc

