Re: IP Black list?

[sec () ORGONE NEGATION NET (jms)]

Its inevitable that sooner or later, an agency, state run more than
likely, will step in and offer real time resolution to attacks taking
place.

Of course, not long thereafter, we will all need liscences to get on the
net.

Anything between the above scenarios and now is going to be just as sloppy
as what we are doing now; begging our upstreams for resolution.

My only suggestion is to pick your upstream carefully in the meantime.

If I had known DSLNetworks, my upstream, lacked the technical prowness to
setup an ACL, I would never have signed a contract with them.  During the
last attack from a compromised german host, cerf.net responded within 10
minutes to my first complaint, requesting an email from DSLNetworks
authorizing the implimentation of a quick and dirty ACL entry to stop the
attack.

This would have worked out fine and had a happy ending except for one thing;

DSLNetworks response time for the emails I sent during the attack:

*ONE WEEK*

My point:  a responsible upstream precludes the need for a watchdog group
usually.

My proposal: perhaps it would be a more efficient if we simply started a
consumer watchdog group that grades providers on the basis of incident
response?  Offer a website which lists:  incident description,
resolutions, comments from provider/client?

It could provide insight into not only a providers attitude towards
attacks originating from its network, but also attacks on its clients.

Lets face it; one client telling a pre IPO upstream that they are
terminating service because they suck ass doesnt change much.

But one website tar and feathering an upstream for its negligence and
receiving tons of hits a day might well make some waves.

-jason storm
 jms () negation net

On Mon, 15 May 2000, Ed Padin wrote:

> I think it's a great idea! It's a little harder to implement than the SPAM
> black list. You have to make sure that complaints of an IP address come from
> a lot more sources and there has to a line drawn as to how much is real
> crack attempts. The jury is still out on whether port scanning is considered
> a innocent bahavior. Where do you draw the line? In the case of demon
> internet, they say that their routers are misbehaving. Maybe they are
> telling the truth (doubtful, but how do you disprove it.). At the very
> least, they do respond to complaints unlike the Korean universities.
>
>
>
> > -----Original Message-----
> > From: Stuart Staniford [mailto:stuart () SILICONDEFENSE COM]
> > Sent: Thursday, May 11, 2000 1:56 PM
> > To: INCIDENTS () SECURITYFOCUS COM
> > Subject: IP Black list?
> >
> >
> > I'm curious to know what folks think of the idea of a
> > real-time blacklist
> > for misbehaving IP addresses/blocks.  Some reputable
> > person/organization
> > could maintain it, trusted folks known to the co-ordinator
> > could recommend
> > IPs to blockade, and then anyone who chose to could implement
> > the list into
> > router or firewall rules.
> >
> > We could start by putting demon.co.uk into it until they stop
> > spraying the
> > world with bad packets and repeating the same lame excuses for why they
> > still haven't stopped whatever is causing that.  It would also
> > be a good
> > place to put Korean Universities and schools, etc that
> > constantly scan us
> > and never respond to complaints.  If use of it became widespread, this
> > would tend to exert social pressure on bad parts of IP space
> > to clean up
> > their act.  Their users wouldn't be able to get to lots of parts of the
> > Internet until they satisfied the blacklist co-ordinator that
> > the problem
> > was resolved.
> >
> > Thoughts?
> >
> > Stuart.
> >
> > --
> > Stuart Staniford  ---  President  ---  Silicon Defense
> >                   stuart () silicondefense com
> > (707) 445-4355                     (707) 445-4222 (FAX)