Security Incidents mailing list archives

IP blacklists


From: phi-incident () EXORSUS NET (phi-incident () EXORSUS NET)
Date: Wed, 17 May 2000 08:53:40 +1000


Just a note regarding the current arguments against the blacklist, I have
seen a lot of people simply throw away the idea with the statement that
they could obviously "just spoof some packets" from someone they didn't
like and have them blackholed.

None of the current mail blackhole systems would act on that level of
information (equivalent to me telling the RBL "Bob relays!" and having
Bob's network blackholed straight off), even ORBS, the least forgiving of
the lists, does actually check itself. I would anticipate that this
blacklist, should it wish to become anything more than a novelty, would
naturally use tactics similar to the RBL and others, i.e., several
complaints must be filed, the offender themselves would be contacted and
given a chance to explain/patch things up, and a decent amount of effort
made to ensure that as soon as things were fixed, the offender would be
removed from the list.

On top of that I would recommend multiple levels of severity for
blackholed entities, such that administrators running machines where
security rather than connectivity was paramount, they could select
"Utterly paranoid" level and have their system blackhole IPs that had only
a minimal amount of checking (perhaps, multiple complaints registered,
contact hasn't replied in 3 days), whereas ISPs etc could run under "Most
confirmed" level and only be blackholing those addresses people were
_sure_ were bad, and which looked as if there was little hope of ever
getting repaired.

Certainly there are issues to do with who makes such judgements, but with
the careful creation of a charter for the service, and multi-level blocks
with a well defined set of rules explaining how entities would move
between levels, such issues could be minimalised. Interaction between
humans, which this by necessity must be, will always be partially
political, but I think this problem is well defined enough that the
politics could be reduced to background noise.

It is a good, but potentially dangerous idea, and most certainly worthy of
far more consideration than it is currently receiving.

Phi.
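
A sketch of the multi-level listing scheme proposed in the message above, added as an illustration; it is not code from the poster or from any existing blacklist. The 3-day reply window and the requirement for multiple complaints come from the message; the field names, the two-complaint minimum, the 30-day confirmation window and the rule that any reply from the contact pauses listing are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import IntEnum
from typing import Optional, Set

class Level(IntEnum):
    NOT_LISTED = 0
    PARANOID = 1    # "Utterly paranoid": minimal checking
    CONFIRMED = 2   # "Most confirmed": verified and left unrepaired

@dataclass
class Entry:
    ip: str
    reporters: Set[str] = field(default_factory=set)  # distinct complainants
    contacted_at: Optional[datetime] = None           # when the owner was notified
    contact_replied: bool = False
    verified: bool = False   # the list operator checked the problem itself
    fixed: bool = False      # repaired entries must come off the list

MIN_COMPLAINTS = 2                   # assumption: "multiple" means at least two
REPLY_WINDOW = timedelta(days=3)     # from the message: no reply in 3 days
CONFIRM_WINDOW = timedelta(days=30)  # assumption: "little hope" of repair

def classify(e: Entry, now: datetime) -> Level:
    # One unverified report (for example, forged traffic) never lists anyone,
    # and nobody is listed before being contacted.
    if e.fixed or len(e.reporters) < MIN_COMPLAINTS or e.contacted_at is None:
        return Level.NOT_LISTED
    silent_for = now - e.contacted_at
    # Assumption: a reply pauses listing while the matter is discussed.
    if e.contact_replied or silent_for < REPLY_WINDOW:
        return Level.NOT_LISTED
    if e.verified and silent_for >= CONFIRM_WINDOW:
        return Level.CONFIRMED
    return Level.PARANOID

def is_blocked(e: Entry, subscriber_level: Level, now: datetime) -> bool:
    """A subscriber blocks entries listed at its chosen level or stricter."""
    level = classify(e, now)
    return level != Level.NOT_LISTED and level >= subscriber_level

if __name__ == "__main__":
    now = datetime(2000, 5, 17)  # constructed sample data (documentation IPs)
    lone = Entry("192.0.2.1", {"reporter-a"})
    quiet = Entry("192.0.2.2", {"reporter-a", "reporter-b"},
                  contacted_at=now - timedelta(days=4))
    for e in (lone, quiet):
        print(e.ip, classify(e, now).name,
              is_blocked(e, Level.CONFIRMED, now))
```
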

