Security Incidents mailing list archives

Re: IP Black list?


From: symetrix () SYMETRIX ORG (Michael Damm)
Date: Mon, 15 May 2000 23:23:54 -0700


When I first saw this thread I promised myself I'd keep quiet on it since it
really isn't a security issue, but my two cents are burning a hole in my
pocket.

Idea: We get a lot of sysadmins to run this first off, and if someone, say,
starts scanning for bind and hits port 53 of every IP in a class-c, whoever
is the admin there can send something in to the list maintainer
(automated?). If two or three independent reports are received for a host,
it goes on the list. This makes a lot of sense to me since most
scriptkids/spammers/etc. are going to be going big time and scanning class
B's, class A's, and TLD's, not just probing random IPs.

For every time it receives a complaint it gets, say, 2.5 hours tacked on to
how long it's blacklisted, i.e. the more trouble a host/network causes the
longer it's in time out. Then if a dialup user is on a line, and causing
trouble for 2 hours, the longest that IP will be out of service is 12 hours
or something. When the entry hits the list, an automated email or something
is sent to relevant contact points, then if they don't bounce and the admin
cares to do anything about it he can contact the list maintainer and get
removed.

Overall, I like the idea. Abusers have Distributed Denial of Service, now we
have Distributed Response. (</buzzword>)

  -- mike

---____
  / __/ Michael Damm, Independent Security Consultant
 /__ /  Providing cost effective NDA bound outsourcing of security
/___/   solutions. Visit www.symetrix.org or call toll free 877.534.6247

----- Original Message -----
From: "Luff, Darryl" <DLuff () IITSCDM COM AU>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Monday, May 15, 2000 5:03 PM
Subject: Re: [INCIDENTS] IP Black list?

Most of the scans I see come from dialup IP addresses. The machine doing the
scans may only be online for a couple of hours. I think by the time you
blacklisted them they're probably offline. How do you un-blacklist them?
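The listing and expiry rules Michael sketches above (independent reports from several admins before an address is listed, 2.5 hours added per complaint, automatic expiry so a dialup address frees itself, manual removal by the responsible admin), together with the local port-53 sweep detection that would generate the complaints, as an added example. This is not code from the thread or from symetrix.org; the firewall log format, the two-reporter threshold, the function names and all addresses are constructed for the example.

```python
"""Sketch of the distributed block-list idea from the thread: local sweep
detection produces complaints, a maintainer lists an address once enough
independent admins complain, and listings time out on their own."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional, Set

PENALTY = timedelta(hours=2.5)   # added per counted complaint (figure from the post)
REQUIRED_REPORTERS = 2           # independent reporters needed before listing (assumed)


def sweep_sources(log_lines, port, min_hosts):
    """Return sources that touched `port` on at least `min_hosts` distinct hosts.
    The log format is constructed for this example: 'ts src=A dst=B dport=N'."""
    targets = defaultdict(set)
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        if fields.get("dport") == str(port):
            targets[fields["src"]].add(fields["dst"])
    return {src for src, dsts in targets.items() if len(dsts) >= min_hosts}


@dataclass
class Entry:
    reporters: Set[str] = field(default_factory=set)
    expires_at: Optional[datetime] = None   # None until the address is actually listed


class Blocklist:
    """The list maintainer's side: counts independent complaints and runs the timer."""

    def __init__(self, required=REQUIRED_REPORTERS, penalty=PENALTY):
        self.required = required
        self.penalty = penalty
        self.entries: Dict[str, Entry] = {}

    def report(self, ip, reporter, when):
        """Record one complaint. A reporter counts once per address, so a single
        admin cannot list or extend an entry alone. Returns True if listed."""
        e = self.entries.setdefault(ip, Entry())
        if reporter in e.reporters:
            return e.expires_at is not None
        e.reporters.add(reporter)
        if len(e.reporters) < self.required:
            return False
        if e.expires_at is None:
            # first listing: every complaint gathered so far counts toward the timer
            e.expires_at = when + self.penalty * len(e.reporters)
        else:
            # later complaint: tack the penalty onto whatever time is left
            e.expires_at = max(e.expires_at, when) + self.penalty
        return True

    def is_blocked(self, ip, now):
        """Consult the list; expired entries are dropped, so a dialup address
        that went offline is automatically free again."""
        e = self.entries.get(ip)
        if e is None or e.expires_at is None:
            return False
        if now >= e.expires_at:
            del self.entries[ip]
            return False
        return True

    def remove(self, ip):
        """Manual delisting after the responsible admin contacts the maintainer."""
        self.entries.pop(ip, None)


# Constructed firewall lines: one source sweeps five hosts on 53, another does not.
SAMPLE_LOG = [
    "2000-05-15T17:03:00 src=192.0.2.10 dst=198.51.100.%d dport=53" % i for i in range(1, 6)
] + [
    "2000-05-15T17:04:00 src=192.0.2.20 dst=198.51.100.1 dport=53",
    "2000-05-15T17:04:05 src=192.0.2.20 dst=198.51.100.2 dport=80",
]


def demo():
    """Two admins see the same sweep and complain; returns (listed, expiry)."""
    t0 = datetime(2000, 5, 15, 17, 0)
    bl = Blocklist()
    for admin, when in (("admin-a", t0), ("admin-b", t0 + timedelta(hours=1))):
        for src in sweep_sources(SAMPLE_LOG, 53, min_hosts=3):
            bl.report(src, admin, when)
    return bl.is_blocked("192.0.2.10", t0 + timedelta(hours=5)), bl.entries["192.0.2.10"].expires_at


if __name__ == "__main__":
    print(demo())
```

Counting each reporter once per address is the one deliberate choice here: it keeps a single misconfigured reporter from listing, or indefinitely extending, an entry on its own, which is the "independent reports" property the proposal relies on.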


