Security Incidents mailing list archives
Re: IP Black list?
From: symetrix () SYMETRIX ORG (Michael Damm)
Date: Mon, 15 May 2000 23:23:54 -0700
When I first saw this thread I promised myself I'd keep quiet on it since it really isn't a security issue, but my two cents are burning a hole in my pocket.

Idea: We get a lot of sysadmins to run this first off, and if someone, say, starts scanning for bind and hits port 53 of every IP in a class-c, whoever is the admin there can send something in to the list maintainer (automated?). If two or three independent reports are received for a host, it goes on the list. This makes a lot of sense to me since most scriptkids/spammers/etc. are going to be going big time and scanning class B's, class A's, and TLD's, not just probing random IP's.

For every time it receives a complaint it gets, say, 2.5 hours tacked on to how long it's blacklisted, i.e. the more trouble a host/network causes the longer it's in time out. Then if a dialup user is on a line, and causing trouble for 2 hours, the longest that IP will be out of service is 12 hours or something. When the entry hits the list, an automated email or something is sent to relevant contact points, then if they don't bounce and the admin cares to do anything about it he can contact the list maintainer and get removed.

Overall, I like the idea. Abusers have Distributed Denial of Service, now we have Distributed Response. (</buzzword>)

--
mike
  ---____
 / __/    Michael Damm, Independent Security Consultant
 /__ /    Providing cost effective NDA bound outsourcing of security
/___/     solutions. Visit www.symetrix.org or call toll free 877.534.6247

----- Original Message -----
From: "Luff, Darryl" <DLuff () IITSCDM COM AU>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Monday, May 15, 2000 5:03 PM
Subject: Re: [INCIDENTS] IP Black list?

Most of the scans I see come from dialup IP addresses. The machine doing the scans may only be online for a couple of hours. I think by the time you blacklisted them they're probably offline. How do you un-blacklist them?