Security Incidents mailing list archives
Re: IP Black list?
From: sec () ORGONE NEGATION NET (jms)
Date: Sun, 14 May 2000 15:05:49 -0700
It's inevitable that sooner or later, an agency, state run more than likely, will step in and offer real time resolution to attacks taking place. Of course, not long thereafter, we will all need licenses to get on the net. Anything between the above scenarios and now is going to be just as sloppy as what we are doing now; begging our upstreams for resolution.

My only suggestion is to pick your upstream carefully in the meantime. If I had known DSLNetworks, my upstream, lacked the technical prowess to set up an ACL, I would never have signed a contract with them. During the last attack from a compromised German host, cerf.net responded within 10 minutes to my first complaint, requesting an email from DSLNetworks authorizing the implementation of a quick and dirty ACL entry to stop the attack. This would have worked out fine and had a happy ending except for one thing; DSLNetworks' response time for the emails I sent during the attack: *ONE WEEK*

My point: a responsible upstream precludes the need for a watchdog group usually.

My proposal: perhaps it would be more efficient if we simply started a consumer watchdog group that grades providers on the basis of incident response? Offer a website which lists: incident description, resolutions, comments from provider/client? It could provide insight into not only a provider's attitude towards attacks originating from its network, but also attacks on its clients.

Let's face it; one client telling a pre-IPO upstream that they are terminating service because they suck ass doesn't change much. But one website tar and feathering an upstream for its negligence and receiving tons of hits a day might well make some waves.

-jason storm
jms () negation net

On Mon, 15 May 2000, Ed Padin wrote:
I think it's a great idea! It's a little harder to implement than the SPAM black list. You have to make sure that complaints of an IP address come from a lot more sources and there has to be a line drawn as to how much is real crack attempts. The jury is still out on whether port scanning is considered an innocent behavior. Where do you draw the line?

In the case of Demon Internet, they say that their routers are misbehaving. Maybe they are telling the truth (doubtful, but how do you disprove it?). At the very least, they do respond to complaints unlike the Korean universities.

-----Original Message-----
From: Stuart Staniford [mailto:stuart () SILICONDEFENSE COM]
Sent: Thursday, May 11, 2000 1:56 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: IP Black list?

I'm curious to know what folks think of the idea of a real-time blacklist for misbehaving IP addresses/blocks. Some reputable person/organization could maintain it, trusted folks known to the co-ordinator could recommend IPs to blockade, and then anyone who chose to could implement the list into router or firewall rules.

We could start by putting demon.co.uk into it until they stop spraying the world with bad packets and repeating the same lame excuses for why they still haven't stopped whatever is causing that. It would also be a good place to put Korean Universities and schools, etc. that constantly scan us and never respond to complaints.

If use of it became widespread, this would tend to exert social pressure on bad parts of IP space to clean up their act. Their users wouldn't be able to get to lots of parts of the Internet until they satisfied the blacklist co-ordinator that the problem was resolved.

Thoughts?

Stuart.

--
Stuart Staniford --- President --- Silicon Defense
stuart () silicondefense com
(707) 445-4355
(707) 445-4222 (FAX)