Security Incidents mailing list archives
Re: IP Black list?
From: tpugh () SHORE NET (Travis Pugh)
Date: Tue, 16 May 2000 06:24:56 -0400
Perhaps you're reading too much into what I wrote. MAPS gets people into political brawls. An IP blackhole would too, except that it would have the side effect of allowing me to spoof an nmap and blow someone I don't like arbitrarily off the net.

-travis

On Mon, 15 May 2000, Paul L Schmehl wrote:

> Since when did ISPs not have the right to blackhole any netblock they want? Customers are free to go elsewhere if they don't like the results, but the ISP can do whatever it wants. The market will decide whether their blackholing is commercially viable.
>
> I'm a network engineer too, and global reachability is the *least* of my concerns. We use MAPS and are *very* happy with the amount of traffic our users don't have to deal with - the sex scams, the pyramid scheme scams, the get-rich-quick scams, etc., etc., etc. We *will* create a specific exception for a site someone really needs to get mail from, but not until they have at least attempted to resolve the problem on the other end.
>
> I doubt our network will *ever* be reachable by every other network in the world. Some of them don't deserve to connect to us, because they refuse to fix their broken mail servers and they refuse to deal with their abusive users.
>
> --On Monday, May 15, 2000 7:29 AM -0400 Travis Pugh <tpugh () SHORE NET> wrote:
>
> > Stuart:
> >
> > I think this is a particularly dangerous idea, both politically and from a technical standpoint. It just turns into a game of brinksmanship. For example, there's a little ISP called PilotNet, who claims to offer "secure" internet services. As part of the package, they tied their IDS to their border routers, and blackhole addresses and blocks if they see port scans or other questionable behavior. Sadly, this has led to an operational behavior, which all blackholes gravitate toward (sorry*), of shooting first and asking questions later. My experience with the company is that a single port scan from one of our shell users was enough for them to blackhole the entire subnet, without ever contacting our security department or sending an email. When someone blackholes an address or netblock, they DoS their users, too. This might be an acceptable level of risk for a corporation, but ISPs could never get away with it.
> >
> > The other issue I see is the same one that has popped up with MAPS and other spam blackholes. The "reputable person/organization" and "trusted folks" are chosen based on some people's opinions of them, and many others might not agree. This leads to blackholing based on bias or political disagreement ... not a good thing.
> >
> > Of course, I have my own biases. I'm a network engineer ... global reachability is more important to me than removing annoying traffic.
> >
> > Thanks.
> >
> > Travis Pugh
> > Shore.Net
> >
> > On Thu, 11 May 2000, Stuart Staniford wrote:
> >
> > > I'm curious to know what folks think of the idea of a real-time blacklist for misbehaving IP addresses/blocks. Some reputable person/organization could maintain it, trusted folks known to the co-ordinator could recommend IPs to blockade, and then anyone who chose to could implement the list into router or firewall rules.
> > >
> > > We could start by putting demon.co.uk into it until they stop spraying the world with bad packets and repeating the same lame excuses for why they still haven't stopped whatever is causing that. It would also be a good place to put Korean Universities and schools, etc that constantly scan us and never respond to complaints.
> > >
> > > If use of it became widespread, this would tend to exert social pressure on bad parts of IP space to clean up their act. Their users wouldn't be able to get to lots of parts of the Internet until they satisfied the blacklist co-ordinator that the problem was resolved.
> > >
> > > Thoughts?
> > >
> > > Stuart.
> > >
> > > --
> > > Stuart Staniford --- President --- Silicon Defense
> > > stuart () silicondefense com
> > > (707) 445-4355
> > > (707) 445-4222 (FAX)
>
> Paul L. Schmehl, pauls () utdallas edu
> Technical Support Services Manager
> The University of Texas at Dallas
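Added example, not written by any poster in this thread: a decision policy for an IDS-driven blackhole that addresses the two failure modes the thread raises. Evidence whose source address is spoofable (SYN-only or UDP scan reports, where no handshake completed) never changes the router by itself and only opens a review; a confirmed block covers one host rather than its whole netblock, expires, and honours an exception list for sites that must stay reachable. The Evidence shape, the netblocks, the threshold and the TTL are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed sensor report; a real IDS would fill this in from its alerts.
@dataclass
class Evidence:
    src: str           # source address as seen on the wire
    handshake: bool    # True only if the source completed a TCP 3-way handshake
    scan_ports: int    # distinct destination ports touched in the window

# Assumed policy knobs (not from the thread): partner netblocks that must stay
# reachable, a scan threshold, and how long an automatic block lives.
EXCEPTIONS = [ip_network("203.0.113.0/24")]
SCAN_THRESHOLD = 20
BLOCK_TTL = 3600.0

def decide(ev: Evidence, now: float) -> Tuple[str, Optional[dict]]:
    """Map one sensor report to an action: exempt, ignore, review or block.

    Only a completed handshake shows the source address is real. SYN-only or
    UDP evidence can carry any address, so it is never allowed to change the
    router on its own; that is how a spoofed scan turns into a DoS on a third
    party. Such reports go to a human instead.
    """
    ip = ip_address(ev.src)
    if any(ip in net for net in EXCEPTIONS):
        return "exempt", None
    if ev.scan_ports < SCAN_THRESHOLD:
        return "ignore", None
    if not ev.handshake:
        return "review", {"src": ev.src, "reason": "unverified source"}
    # Block the single host, not its whole netblock, and make it expire.
    return "block", {"prefix": f"{ip}/32", "expires": now + BLOCK_TTL}

def active_blocks(blocks: list, now: float) -> list:
    """Drop expired entries so a blackhole never becomes permanent by accident."""
    return [b for b in blocks if b["expires"] > now]
```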