Security Incidents mailing list archives

Re: IP Black list?


From: sec () ORGONE NEGATION NET (jms)
Date: Mon, 15 May 2000 13:55:35 -0700


i don't think this would work.  this is a great recipe to drop someone
off the map via spoofed traffic.

besides, if the traffic isn't spoofed, it's probably a compromised host.
block it on your firewall, notify the appropriate people, move on is my
best advice.

this whole blackhole thing seems to be turning into a method of
administering punitive damage, which would be a valid course of action
against a hostile host.

but i guarantee you that if you implemented something like this, people
would be abusing it to get innocent hosts blackholed long before the first
valid attacker got blackholed.

-jason storm
 jms () negation net

On Mon, 15 May 2000, Michael Damm wrote:

Idea: We get a lot of sysadmins to run this first off, and if someone, say,
starts scanning for bind and hits port 53 of every IP in a class-c, whoever
is the admin there can send something in to the list maintainer
(automated?). If two or three independent reports are received for a host,
it goes on the list. This makes a lot of sense to me since most
scriptkids/spammers/etc. are going to be going big time and scanning class
B's, class A's, and TLD's, not just probing random IPs.

For every time it receives a complaint it gets, say, 2.5 hours tacked on to
how long it's blacklisted, i.e. the more trouble a host/network causes the
longer it's in time out. Then if a dialup user is on a line, and causing
trouble for 2 hours, the longest that IP will be out of service is 12 hours
or something. When the entry hits the list, an automated email or something
is sent to relevant contact points, then if they don't bounce and the admin
cares to do anything about it he can contact the list maintainer and get
removed.

Overall, I like the idea. Abusers have Distributed Denial of Service, now we
have Distributed Response. (</buzzword>)

  -- mike

---____
  / __/ Michael Damm, Independent Security Consultant
 /__ /  Providing cost effective NDA bound outsourcing of security
/___/   solutions. Visit www.symetrix.org or call toll free 877.534.6247


----- Original Message -----
From: "Luff, Darryl" <DLuff () IITSCDM COM AU>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Monday, May 15, 2000 5:03 PM
Subject: Re: [INCIDENTS] IP Black list?


Most of the scans I see come from dialup IP addresses. The machine doing the
scans may only be online for a couple of hours. I think by the time you
blacklisted them they're probably offline. How do you un-blacklist them?
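The distributed list Michael sketches above (independent reports before listing, a fixed penalty tacked on per complaint, a cap so a dialup address is not out of service forever, manual removal via the maintainer), written out as an added example that is not code from anyone in this thread. The threshold of 2 reporters, the 2.5 hour penalty and the 12 hour cap are taken from his wording and are assumptions; the IP, reporter names and timestamp are constructed.

```python
from datetime import datetime, timedelta

# Parameters from the proposal; the exact numbers are assumptions
# ("say 2.5 hours", "12 hours or something").
REPORTS_TO_LIST = 2                 # independent reporters before listing
PENALTY_PER_REPORT = timedelta(hours=2.5)
MAX_PENALTY = timedelta(hours=12)   # bounds the damage of bogus reports


class DistributedBlacklist:
    """Reputation list fed by complaints from independent administrators."""

    def __init__(self):
        # ip -> {"reporters": set of reporter ids, "expires": datetime or None}
        self.entries = {}

    def report(self, ip, reporter, now):
        """Record one complaint; returns True if the IP is listed afterwards."""
        entry = self.entries.setdefault(ip, {"reporters": set(), "expires": None})
        entry["reporters"].add(reporter)
        # A single source never gets a host listed: it takes REPORTS_TO_LIST
        # distinct reporters, which limits what one forged complaint can do.
        if len(entry["reporters"]) < REPORTS_TO_LIST:
            return False
        current = entry["expires"]
        base = current if current is not None and current > now else now
        # Each complaint tacks on PENALTY_PER_REPORT, but the time an address
        # can be kept on the list is capped at MAX_PENALTY from now.
        entry["expires"] = min(base + PENALTY_PER_REPORT, now + MAX_PENALTY)
        return True

    def is_listed(self, ip, now):
        """True until the entry expires; expired entries are dropped."""
        entry = self.entries.get(ip)
        if entry is None or entry["expires"] is None:
            return False
        if now >= entry["expires"]:
            del self.entries[ip]      # the dialup user has long since moved on
            return False
        return True

    def remove(self, ip):
        """Manual delisting after the responsible admin contacts the maintainer."""
        return self.entries.pop(ip, None) is not None


def run_scenario():
    """Walk through the dialup case from the thread; returns observed states."""
    bl = DistributedBlacklist()
    t0 = datetime(2000, 5, 15, 17, 3)                  # constructed timestamp
    ip, other = "192.0.2.10", "192.0.2.20"             # documentation addresses
    first = bl.report(ip, "admin-a", t0)               # one report: not listed
    second = bl.report(ip, "admin-b", t0)              # second source: listed
    for i in range(4):                                 # four more complaints
        bl.report(ip, "admin-%d" % i, t0)              # 2.5h each, capped at 12h
    bl.report(other, "admin-a", t0)
    bl.report(other, "admin-b", t0)
    removed = bl.remove(other)                         # admin asked for delisting
    return {
        "after_one_report": first,
        "after_two_reports": second,
        "listed_at_11h": bl.is_listed(ip, t0 + timedelta(hours=11)),
        "listed_at_12h": bl.is_listed(ip, t0 + timedelta(hours=12)),
        "removed": removed,
        "other_listed": bl.is_listed(other, t0),
    }
```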
