Security Incidents mailing list archives
Re: IP Black list?
From: sec () ORGONE NEGATION NET (jms)
Date: Mon, 15 May 2000 13:55:35 -0700
I don't think this would work. This is a great recipe to drop someone off the map via spoofed traffic. Besides, if the traffic isn't spoofed, it's probably a compromised host. Block it on your firewall, notify the appropriate people, move on is my best advice.

This whole blackhole thing seems to be turning into a method of administering punitive damage, which would be a valid course of action against a hostile host. But I guarantee you that if you implemented something like this, people would be abusing it to get innocent hosts blackholed long before the first valid attacker got blackholed.

-jason storm
jms () negation net

On Mon, 15 May 2000, Michael Damm wrote:
Idea: We get a lot of sysadmins to run this first off, and if someone, say, starts scanning for bind and hits port 53 of every IP in a class C, whoever is the admin there can send something in to the list maintainer (automated?). If two or three independent reports are received for a host, it goes on the list. This makes a lot of sense to me since most scriptkids/spammers/etc. are going to be going big time and scanning class B's, class A's, and TLD's, not just probing random IPs.

For every time it receives a complaint it gets, say, 2.5 hours tacked on to how long it's blacklisted, i.e. the more trouble a host/network causes, the longer it's in time out. Then if a dialup user is on a line and causing trouble for 2 hours, the longest that IP will be out of service is 12 hours or something.

When the entry hits the list, an automated email or something is sent to relevant contact points; then if they don't bounce and the admin cares to do anything about it, he can contact the list maintainer and get removed.

Overall, I like the idea. Abusers have Distributed Denial of Service, now we have Distributed Response. (</buzzword>)

-- mike
Michael Damm, Independent Security Consultant
Providing cost effective NDA bound outsourcing of security solutions.
Visit www.symetrix.org or call toll free 877.534.6247

----- Original Message -----
From: "Luff, Darryl" <DLuff () IITSCDM COM AU>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Monday, May 15, 2000 5:03 PM
Subject: Re: [INCIDENTS] IP Black list?

Most of the scans I see come from dialup IP addresses. The machine doing the scans may only be online for a couple of hours. I think by the time you blacklisted them they're probably offline. How do you un-blacklist them?
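The list-maintainer logic Michael Damm sketches above (a quorum of independent reports before a host is listed, 2.5 hours added per complaint, a ceiling of roughly 12 hours, entries that expire on their own, and manual removal once the responsible admin gets in touch) as an added example written for this archive page, not code from anyone in the thread. The quorum size, the hard 12-hour cap and the class name are assumptions; the 192.0.2.0/24 address used in the test is a documentation range.

```python
from datetime import timedelta

# Parameters from Michael Damm's proposal; the 12-hour ceiling he floats for a
# dialup user is taken here as a hard cap (an assumption of this example).
QUORUM = 2                         # distinct reporters needed before a host is listed
PENALTY = timedelta(hours=2.5)     # added to the listing for every complaint
MAX_LISTED = timedelta(hours=12)   # no single listing may run longer than this


class DistributedBlocklist:
    """Quorum-gated, self-expiring blocklist (hypothetical list-maintainer logic)."""

    def __init__(self):
        self.reports = {}   # ip -> set of reporters who complained about it
        self.listed = {}    # ip -> (listed_at, expires_at)

    def _expire(self, ip, now):
        # Drop a timed-out entry and forget its reports, so a re-listing needs a
        # fresh quorum rather than a single new complaint.
        entry = self.listed.get(ip)
        if entry is not None and entry[1] <= now:
            del self.listed[ip]
            self.reports.pop(ip, None)

    def report(self, ip, reporter, now):
        """Record one complaint; return True if the host is listed afterwards."""
        self._expire(ip, now)
        reporters = self.reports.setdefault(ip, set())
        reporters.add(reporter)
        if len(reporters) < QUORUM:
            return False            # one source alone cannot blackhole a host
        if ip in self.listed:
            listed_at, expires = self.listed[ip]
            self.listed[ip] = (listed_at, min(expires + PENALTY, listed_at + MAX_LISTED))
        else:
            self.listed[ip] = (now, now + PENALTY)
        return True

    def is_listed(self, ip, now):
        self._expire(ip, now)
        return ip in self.listed

    def delist(self, ip):
        """Manual removal once the responsible admin has contacted the maintainer."""
        was_listed = ip in self.listed
        self.listed.pop(ip, None)
        self.reports.pop(ip, None)
        return was_listed
```

The quorum of distinct reporters is what keeps a single spoofed complaint from listing an innocent host, and the cap bounds the damage if several reporters are fooled.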