Security Incidents mailing list archives

Re: IP Black list?


From: xm () GEEKMAFIA DYNIP COM (Ex Machina)
Date: Mon, 15 May 2000 19:37:01 -0400


This would be nothing but a false sense of security. Sure this could be
used to block icmp type stuff from known smurf amplifiers, but to block
people like this is NOT security. Firewalls are not magic bullets.

The correct behavior is to block bad traffic and not bad networks. Perhaps
a generic set of blatant misbehavior rules could be maintained. I'd put my
seal of approval on that.

However, let me make a point about magic bullet solutions to network
security:

Limiting certain (vulnerable/weak) services to trusted hosts is not
secure. Running (secure/authenticated/encrypted) services is --
especially with trusted hosts as another measure of security.

Restricting network traffic by excluding "naughty" data is not
secure. Running securely (configured/patched/managed) (operating
systems/daemons) is secure. Excluding nasty packets is also helpful
though.

Networks are going to get hammered on by countless different hosts... some
new, some old. If your machines can't handle it, they shouldn't be
networked.

Ex Machina (xm () geekmafia dynip com)    http://geekmafia.dynip.com/~xm/
phone:  1-877-LPT-WHIP         icq:  3387005           aim:  ExMachina
GnuPG Keyprint:     0627 C3A8 DE25 F7FB 46BD  4870 2006 CF7F EBDA 949D

On Thu, 11 May 2000, Stuart Staniford wrote:

Date: Thu, 11 May 2000 10:55:32 -0700
From: Stuart Staniford <stuart () SILICONDEFENSE COM>
To: INCIDENTS () SECURITYFOCUS COM
Subject: IP Black list?

I'm curious to know what folks think of the idea of a real-time blacklist
for misbehaving IP addresses/blocks.  Some reputable person/organization
could maintain it, trusted folks known to the co-ordinator could recommend
IPs to blockade, and then anyone who chose to could implement the list into
router or firewall rules.

We could start by putting demon.co.uk into it until they stop spraying the
world with bad packets and repeating the same lame excuses for why they
still haven't stopped whatever is causing that.  It would also be a good
place to put Korean Universities and schools, etc. that constantly scan us
and never respond to complaints.  If use of it became widespread, this
would tend to exert social pressure on bad parts of IP space to clean up
their act.  Their users wouldn't be able to get to lots of parts of the
Internet until they satisfied the blacklist co-ordinator that the problem
was resolved.

Thoughts?

Stuart.

--
Stuart Staniford  ---  President  ---  Silicon Defense
                   stuart () silicondefense com
(707) 445-4355                     (707) 445-4222 (FAX)
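As an added illustration (not code from either poster), the distinction Ex Machina draws between blocking "bad networks" and blocking "bad traffic": a static CIDR blocklist check beside two behaviour rules (a port-scan threshold and ICMP echo aimed at a directed-broadcast address), run over constructed flow records. The address ranges, the local network 203.0.113.0/24 and the threshold of 20 ports are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed "bad network" blocklist (documentation ranges, not real networks).
BLOCKLIST = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed flow records: (src, dst, proto, dst_port). Not captured traffic.
# The blocklisted host sends one ordinary HTTP flow; an unlisted host walks
# 40 ports on our server; another pings our directed-broadcast address.
FLOWS = [
    ("192.0.2.7", "203.0.113.5", "tcp", 80),
    *[("100.64.0.9", "203.0.113.5", "tcp", p) for p in range(1, 41)],
    ("100.64.0.4", "203.0.113.255", "icmp", 0),
]


def network_blocked(src, blocklist=BLOCKLIST):
    """Static check: is the source inside any blocklisted range?"""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in blocklist)


def scan_sources(flows, port_threshold=20):
    """Behaviour rule: one source touching many distinct TCP ports on one host."""
    ports = defaultdict(set)
    for src, dst, proto, dport in flows:
        if proto == "tcp":
            ports[(src, dst)].add(dport)
    return sorted({src for (src, _), p in ports.items() if len(p) >= port_threshold})


def broadcast_ping_sources(flows, local_net="203.0.113.0/24"):
    """Behaviour rule: ICMP sent to our directed-broadcast address (smurf-style)."""
    bcast = ipaddress.ip_network(local_net).broadcast_address
    return sorted({src for src, dst, proto, _ in flows
                   if proto == "icmp" and ipaddress.ip_address(dst) == bcast})


def compare(flows):
    """Sources each approach would flag; the two sets need not overlap at all."""
    by_network = sorted({src for src, *_ in flows if network_blocked(src)})
    by_behaviour = sorted(set(scan_sources(flows)) | set(broadcast_ping_sources(flows)))
    return {"network": by_network, "behaviour": by_behaviour}


if __name__ == "__main__":
    print(compare(FLOWS))
```

The blocklist flags only the host that behaved normally, while both misbehaving sources are unlisted and are caught only by the behaviour rules.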
