Security Incidents mailing list archives
Re: IP Black list? -- NONONONONONONONO!!!
From: mikem () CRAVETECHNOLOGY COM (Michael Merideth)
Date: Tue, 16 May 2000 15:59:19 -0600
Paul L Schmehl wrote:
> --On Monday, May 15, 2000 4:22 PM -0600 Michael Merideth <mikem () CRAVETECHNOLOGY COM> wrote:
>
>> If you want to be ultra-paranoid about portscans, install portsentry. Don't hand control of your routers over to some alien organization, no matter how benign and trustworthy it seems.
>
> It's amazing to me how many people completely miss the point of blocking services. Methods like the RBL are completely voluntary. No one forces you to use them, and if you find you don't like them, you just drop the service. Furthermore, you are not "handing over" control of your network to someone else. It's your router, and you configure it to use or not use the services that are available. You can implement filters that ignore certain listings in the RBL if you must do business with those networks. You are always in complete control of your own routers.
Maybe in a vacuum, but in the real world, most admins follow the FAQ on getting RBL or whatever set up, and then let it do its thing without thinking about it again. In effect, they are handing over control of who they receive mail from to the RBL. Yes, anyone with a brain fully realizes that you can un-subscribe, but until you do that YOU ARE NOT IN CONTROL. Most of the network admins I know would be too busy to parse such a database to look for friendly blocks to let through. So in the real world, someone who decided to use this service would, in a very real sense, be handing control of their router over to someone else. Yes, they can still pull the plug. That's not the point. You are not "in control" if you do not exercise that control.
> Implementing a list like this is not "taking over" anything. It's simply making another service available for admins to use, if they choose to. And it beats the hell out of every admin on the earth implementing their own "custom" blocks.
And the other point which several people have made is that when a service like this is deployed outside of a vacuum (i.e. in the real world), it becomes a big political stick to whack your enemies with. I've had mail servers stuck on the RBL because someone couldn't figure out how to unsubscribe from a mailing list they'd subscribed themselves to. I've seen threats to be RBL-ed because of "mailer daemon" bounce messages. I can see it now: some ISP has a user who gets into a fight on IRC. Next thing you know their netblock is blackholed. This theoretical blackhole organization would require major funding to have enough staff to actually investigate claims before adding someone to the list, and an investigation would take precious time that would render the list ineffective, anyway. So how hard would it be to falsify a claim against an enemy? Or, as many have pointed out, why not just spoof a few nmap scans? That's great; this means that I don't even have to subscribe to the service and I'll have this organization telling me what to do with my network and my users with no specific site knowledge. Thanks a lot. This is what I trained for.
> If you were blackholed for abuse on your network, which would you prefer? Notifying one source that the problem was resolved? Or attempting to notify every admin in the world that had blocked you at their routers? The answer seems obvious to me.
Less obvious to me. In the absence of this blackhole system, you would rarely find yourself spontaneously blocked by large numbers of remote networks unless you were truly up to no good, and in a big way. I would much rather talk to one individual who has blocked me than deal with a bureaucracy that has responded to one individual's complaint by blocking me the world over (don't forget the presumption of guilt that such organizations have to adopt in order to be effective). I've dealt with the attitude of Vixie's RBL (and even more benign organizations like the ORBS); I'll take an individual any day.

Let's also not forget the point I made about user privacy, which you didn't address. I don't want to have to sniff everything that every one of my users does, just as I don't want everything I do online scrutinized by my service provider. Would this system not require me to do just this, however? I would, if I had any hope of offering sufficient resolution to the organization administering the list once I got blackholed.

Lastly, could a false claim resulting in the blockage of a netblock be considered libel, or defamation of character? Is not a denial of service attack grounds enough to pursue legal recourse these days, and could action taken by this organization not be construed as a denial of service attack? I bet there's more than a few lawyers out there that are willing to argue both of those points. This organization would have to be well funded and well defended against the steady stream of lawsuits that would ensue.

It's an impractical idea, and even if it were practical, it would still be a bad idea. The "control of the router" issue is only a small facet of why it is a bad idea.

Mike Merideth