Firewall Wizards mailing list archives

Re: Lists of IP's we should be blocking


From: Adam Shostack <adam () homeport org>
Date: Sun, 12 Dec 2004 12:56:35 -0500

On Sat, Dec 11, 2004 at 05:22:06PM -0800, Crispin Cowan wrote:
| Bruce Smith wrote:
| 
| >Is there a list of dangerous, evil IP's that should be blocked or at least
| >watched closely at the borders of the Internet? Addresses like virus targets,
| >root-kit sources and so forth.
| >
| >And what is the group's opinion on the idea of a general purpose dark IP
| >list?
| > 
| >
| I think the idea is good only for brushing off ankle-biter threats. The 
| problem is that serious attackers can acquire new IPs at will through a 
| substantial pool of zombie nodes on consumer broadband networks, and so 
| deliberate attacks that come at you will almost certainly *not* be on 
| anyone's dark IP list.

Not to mention, your real customers may well be on those zombie
machines.  If you're a bank, do you want your customers calling *your*
tech support line to fix their spyware problems?  

Admittedly, having your customers' passwords stolen is bad and
annoying.  But it's probably less expensive *to you* than the support
call, unless your money transfer controls are weak.

If you're a bank, and your answer is yes, you want me calling with my
spyware concerns, please let me know which bank.  I'll have everyone I
know open up a $100 savings account with you so that people stop
calling me with their spyware problems.

The belief that a list of 'bad identities' will help security is
surprisingly persistent.  We see it distorting air travel safety.
(Just ask Congressmen Ted Kennedy or John Lewis, or any David Nelson
you meet, or Johnnie Thomas, or...)  Let's not let it distort internet
security as well.

Adam
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

