Security Incidents mailing list archives

Re: IP Black list?


From: emre () TITANIUM 2Y NET (Emre)
Date: Mon, 15 May 2000 17:46:49 -0500


On 11-May-00 Stuart Staniford wrote:
> I'm curious to know what folks think of the idea of a real-time blacklist
> for misbehaving IP addresses/blocks.  Some reputable person/organization
> could maintain it, trusted folks known to the co-ordinator could recommend

That's a good idea, but what would be the purpose of this?  Do you think the
scans/floods would stop if they see themselves on the list?  It would be a good
advantage for network managers - they could configure their firewalls to deny
those hosts' connections.  Kinda like the anti-spam features in postfix...

> We could start by putting demon.co.uk into it until they stop spraying the
> world with bad packets and repeating the same lame excuses for why they
> still haven't stopped whatever is causing that.  It would also be a good
> place to put Korean Universities and schools, etc that constantly scan us
> and never respond to complaints.  If use of it became widespread, this
> would tend to exert social pressure on bad parts of IP space to clean up
> their act.  Their users wouldn't be able to get to lots of parts of the
> Internet until they satisfied the blacklist co-ordinator that the problem
> was resolved.
>
> Thoughts?

I think that is unfair to those who are on, let's say *.demon.co.uk and are
obeying the rules.  And as far as the ac.kr hosts are concerned...I don't think
they even know what the heck is going on.  That is one reason why their SunOS
boxes get compromised so often and they don't seem to know how to deal with this
(or perhaps they aren't aware of it?).

I think maintaining a list would be a great idea, but who would be the
person/organization to maintain it?  This might sound extreme, but if it was a
private company who maintains the list, it could use it for their own
money-gaining purposes (i.e. put competitors on the list, to make them look bad
or something)...

Cheers,

--
DSS/DH cryptographic KeyID: 0x69C2B37B (PGP5) | http://ozone.dhs.org
Key fingerprint =  4FAF 6F70 B407 08AE 86EF AC0E 130E 932C 69C2 B37B
System Uptime:  up 94 days, 15:10, load average: 0.10 0.11 0.08
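As an added illustration of the mechanism this thread debates (not code from either poster), a small Python evaluator for a shared blocklist: each listed block carries a time-to-live so a network that cleans up drops off without the co-ordinator's say-so, individual well-behaved hosts inside a listed block can be exempted (the "*.demon.co.uk users obeying the rules" objection), and the active list is rendered as firewall deny rules. The networks, addresses, dates and the iptables rule syntax are constructed samples and assumptions, not anything from the list.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed blocklist: each entry is a listed block, the time it was
# listed, a time-to-live after which it silently drops off (so a network
# that has cleaned up is not blocked forever on the co-ordinator's word),
# and the reason recorded when it was listed.
BLOCKLIST = [
    {"net": ip_network("192.0.2.0/24"),
     "listed": datetime(2000, 5, 11, tzinfo=timezone.utc),
     "ttl": timedelta(days=7), "reason": "scans, no reply to complaints"},
    {"net": ip_network("198.51.100.0/25"),
     "listed": datetime(2000, 5, 1, tzinfo=timezone.utc),
     "ttl": timedelta(days=3), "reason": "packet floods"},
]
# Constructed exemptions: well-behaved hosts inside a listed block.
EXEMPT = {ip_address("192.0.2.25")}
# Constructed evaluation time used by the demonstration below.
NOW = datetime(2000, 5, 15, tzinfo=timezone.utc)


def active_entries(now):
    """Entries whose listing has not yet expired at time `now`."""
    return [e for e in BLOCKLIST if now - e["listed"] <= e["ttl"]]


def decide(src, now):
    """Return ('deny'|'allow', reason) for a connection from src."""
    addr = ip_address(src)
    if addr in EXEMPT:
        return "allow", f"{addr} is exempted"
    for e in active_entries(now):
        if addr in e["net"]:
            return "deny", f"{addr} in {e['net']}: {e['reason']}"
    return "allow", f"{addr} not listed"


def firewall_rules(now):
    """Render the active list as iptables-style INPUT rules. Exemptions
    come first so they match before the block-wide DROP (assumed rule
    syntax; adapt to whatever firewall is actually in use)."""
    rules = [f"iptables -A INPUT -s {a} -j ACCEPT" for a in sorted(EXEMPT)]
    rules += [f"iptables -A INPUT -s {e['net']} -j DROP"
              for e in active_entries(now)]
    return rules


if __name__ == "__main__":
    for src in ("192.0.2.7", "192.0.2.25", "198.51.100.9", "203.0.113.4"):
        print(decide(src, NOW))
    print("\n".join(firewall_rules(NOW)))
```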
