Security Incidents mailing list archives

Re: IP Black list?


From: joey () SILICONDEFENSE COM (Joe McAlerney)
Date: Tue, 16 May 2000 14:26:26 -0700


All valid points, and in an _extreme_ case, where IPs are blocked on a per
incident basis for "x" amount of time, this could be quite catastrophic.
It could potentially make distributed DoSing a much easier thing to do.

However, sending incident notifications to abuse@some_network is often as
useful as sending it to /dev/null.  This may be acceptable one, two, or
even three times, but failure to address the problem in a "reasonable"
amount of time is unacceptable.  When it is determined that our, or our
client's network may be at risk, I would not hesitate to vote for the
simplest solution, and (temporarily) cease relations with that network.
The same would be done for an attack in progress, why not ensure that it
never actually happens?

-Joe M.

Elliot Perrin wrote:

How about IP spoofing, TCP/IP hijacking?

Let's say you get someone who doesn't like a specific business,
hacks them, and initiates scans from their networks.

Legitimate business with a disgruntled former employee......
How can guarantee that only the "bad hosts" or the "bad networks"
will be blocked?

_______________________
Elliott Perin
eperrin () metroland com


I don't think it's a very wise idea to do this.
First think of all the dynamic IPs there are with ISPs. Blocking them
will hurt "good" users also. And also how do you classify a bad host?
A host that is just performing a port scan, DoSsing the server, ....?

I have the same feeling against this as I have against the DUL-list
(http://maps.vix.com/dul/). It is gonna hurt users who are just
normally using the internet and not doing anything bad.

cu,

Patrick

P.S. I apologise for any bad English. English is not my native
language.

Certainly there would be an uproar among the blocked customers of the ISP,
but who would hear about it?..  The ISP.  In the end, the only way the ISP
will survive will be to fix the problem.  This may involve implementing a
stricter user policy, dealing with incidents reasonably, or fixing router
misconfigurations.

A push from the inside will help to settle things much faster.  Once that
is done, take 'em off the list.  Everyone benefits from the end results.
We are safer, the ISP has less incidents to hear about and deal with, and
the ISP customers continue on their merry way.

-Joe M.


