nanog mailing list archives

Re: RBL-type BGP service for known rogue networks?


From: Joe Shaw <jshaw () insync net>
Date: Fri, 7 Jul 2000 01:41:24 -0500 (CDT)



On Thu, 6 Jul 2000, Tony Mumm wrote:

> David Charlap <david.charlap () marconi com> wrote:
>
> > I don't know if this is what you were observing, but the MAPS RBL can be
> > used in this capacity.  See also:
> >
> >     http://www.mail-abuse.org/rbl/usage.html#BGP
> >
> > Of course, you'd want a different database for blocking script kiddies.
> >
> > -- David
>
> I think that is similar to what you want... and it might be adequate
> against scanners and other simple hacks.  I don't think it would be
> worth anything against a flood; the flood isn't going to care
> that it sees nothing coming back from your network.  It might
> discourage someone if they see no ECHO_REPLYs coming back from their 10 Mbit
> smurf... but it probably wouldn't be long before they just stop caring.

Technically, no one would see ECHO_REPLYs coming back from any type of
smurf, no matter the size.  It's just the nature of the beast.

My personal belief is that blocking people who port scan is a silly
thing.  At least, according to federal law, port scanning isn't
illegal.  Your state might have loosely worded statutes that cover it,
but that's another matter.  Also, it's possible to forge every type of
stealth scan known to man, because the scan is really only one packet with
different TCP options set.  No three-way handshake, and therefore no real
proof.  The only scan that shouldn't be possible to spoof (how secure are
your TCP sequence numbers?) is a TCP connect scan.

Of course, this is all moot if you're talking about vulnerability
scanners that just churn through IP space, and in that case, please feel
free to ignore me.

I'm beginning to take a liking to Marcus Ranum's idea of taking these
matters into civil court.  He joked at USENIX that he'd probably make a
killing if he just did referrals to high-paid lawyers for people looking
to take script kiddies and their parents to court.  It's really not that
hard to track these kids down, thanks to their IRC usage.  I had tracked
mosthateD down to his street address before he was raided.  Of course, it
was somewhat personal, and he lived not too far from where I grew
up.  Also, in his case, it's probably worth noting that there probably
wasn't much to get from him or his mother in court, even if she did go out
and buy him another computer the day after he got raided and praised him
for being "so smart" on 20/20.  Smart people don't generally deface web
pages, or get caught.

skript kiddie crackers are only a threat because enough of them haven't
been hit with a sufficiently large physical or monetary lart.

let the larting begin.

__
joseph w. shaw
sr. security specialist
some company that isn't associated with this account
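Added example (not part of the post above or of anything in the thread), illustrating the point about spoofed scans: a SYN, FIN, NULL or Xmas probe is one unsolicited packet whose IP source address is whatever the sender writes into the header, so it proves nothing about who sent it, while a connect scan has to finish the three-way handshake and the final ACK must carry the server's initial sequence number plus one, which a sender who never received the SYN/ACK can only guess. All addresses, ports and ISNs below are made up, and the packets are built as raw bytes and never put on the wire.

```python
"""Constructed example (not from the NANOG post): single-packet "stealth" scans versus
a TCP connect scan, from the attribution point of view. Packets are raw IPv4+TCP bytes
built in memory; nothing is sent. Addresses, ports and ISNs are invented for the demo."""
import socket
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combinations of the classic single-packet scans: one packet, no handshake.
SCAN_FLAGS = {"syn": SYN, "fin": FIN, "null": 0, "xmas": FIN | PSH | URG}


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (pad odd length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags):
    """Bare 20-byte TCP header (no options, no payload) with a valid checksum."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq & 0xFFFFFFFF, ack & 0xFFFFFFFF,
                      (5 << 12) | flags, 8192, 0, 0)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(hdr)))
    return hdr[:16] + struct.pack("!H", _checksum(pseudo + hdr)) + hdr[18:]


def build_ipv4(src_ip, dst_ip, payload, ident=1):
    """IPv4 header carrying whatever source address the caller asks for; nothing verifies it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, 64,
                      socket.IPPROTO_TCP, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse(pkt):
    """Pull the fields that matter for attribution out of a raw IPv4+TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "seq": seq, "ack": ack, "flags": off_flags & 0x3F}


def stealth_probe(scan, claimed_src_ip, target_ip, dport):
    """One unsolicited probe. The 'source' is simply what we wrote into the IP header."""
    tcp = build_tcp(claimed_src_ip, target_ip, 40000, dport, seq=0x1000, ack=0,
                    flags=SCAN_FLAGS[scan])
    return build_ipv4(claimed_src_ip, target_ip, tcp)


def connect_scan(client_ip, server_ip, dport, client_isn, server_isn):
    """The three packets of a full handshake: returns (SYN, SYN/ACK, ACK)."""
    syn = build_tcp(client_ip, server_ip, 40000, dport, client_isn, 0, SYN)
    synack = build_tcp(server_ip, client_ip, dport, 40000, server_isn, client_isn + 1, SYN | ACK)
    ack = build_tcp(client_ip, server_ip, 40000, dport, client_isn + 1, server_isn + 1, ACK)
    return (build_ipv4(client_ip, server_ip, syn),
            build_ipv4(server_ip, client_ip, synack),
            build_ipv4(client_ip, server_ip, ack))


def handshake_completes(third_pkt, real_server_isn):
    """What the server checks on the final ACK: it must acknowledge the real ISN + 1.
    A sender who never saw the SYN/ACK (it went to the spoofed address) must guess it."""
    p = parse(third_pkt)
    return bool(p["flags"] & ACK) and p["ack"] == (real_server_isn + 1) & 0xFFFFFFFF


if __name__ == "__main__":
    # Stealth scans: every probe "comes from" 192.0.2.7, whoever actually sent it.
    for scan in SCAN_FLAGS:
        p = parse(stealth_probe(scan, "192.0.2.7", "198.51.100.10", 22))
        print(f"{scan:5s} probe claims src={p['src']} flags=0x{p['flags']:02x}")

    # Connect scan: the genuine client saw the SYN/ACK and echoes ISN+1 ...
    real_isn = 0x9ABCDEF0
    _, _, ack = connect_scan("192.0.2.7", "198.51.100.10", 22, 0x1000, real_isn)
    print("genuine connect completes:", handshake_completes(ack, real_isn))
    # ... while a spoofer guessing the ISN gets it wrong, the server resets, nothing is logged.
    _, _, spoofed_ack = connect_scan("192.0.2.7", "198.51.100.10", 22, 0x1000, 0x11111111)
    print("spoofed connect completes:", handshake_completes(spoofed_ack, real_isn))
```

The parenthetical in the post ("how secure are your TCP sequence numbers?") is exactly the weakness of the last check: if the target hands out predictable ISNs, the guess in handshake_completes stops being a guess, and even a completed connect can be attributed to the wrong address.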



