Firewall Wizards mailing list archives

RE: Lists of IP's we should be blocking


From: Mark.Boltz () stonesoft com
Date: Sun, 12 Dec 2004 18:58:11 -0500

Hi,

On a professional level I wouldn't like to cut legitimate clients off.
On a personal level I believe that all hackers (in the criminal sense of
the word) should be hung from the nearest flagpole, or absenting that,
covered in honey and staked over an ant nest. They're like the drivers in
South

Yeah, presuming you give them due process first. :-)

It's all blame the hacker, blame the writer of the program, blame the
insecure operating system or lack of firewalling or whatever. Slashdot
carried an article about George Tenet saying that only security-aware
people should be allowed access to the global internet and the users. And
the

Ah but for the security stuff, often-times it *IS* still us to blame. I'm 
certainly not going to get my mom and dad to accomplish more than basic 
security on their home PC. I at least got them to put on a personal 
firewall, keep up with Windows updates and the latest anti-virus. And 
that's more than some. But you'll never get the dumbest off the 'net by 
making it based on security, because there won't be enough 
business/commerce/etc. then. I'd love to personally go back to 1990 
sometimes, when I was at a university, and universities were pretty much 
the only ones connected. But then the security was much worse, and the 
'net nowhere near as interesting as it is now. So nah, killing all the 
users isn't the answer. :-)

Now here's a plan I've been working on, and partly built in our network.
It's a temporary blacklist based on Snort IDS and our PIXes. Working from
inside to out, if Snort detects an intrusion on the network, we
dynamically throw them into the shun list for five minutes at which point
they get

Wonderful. So all I need to piss off your customers is to spoof their IPs 
and have your system do the rest of the work... :-) The problem with all 
of these ideas is that they rely on stuff that is based on the machines 
and technology, not the users, for identification.

So what about this? You take several hundred Snort-based detectors
scattered around the Internet, all reporting to a small number of highly
secure machines via custom software. These IDS keep a look for a limited
number of intrusions and report first and repeat offenses to the central
machines. Based on frequency of offenses, number of repeat offenses and
severity of the offense, the source of the offense goes into a blacklist
and e-mail is sent to the abuse@ address. Use this to put pressure on ISPs
to detect and block this sort of thing in the same way, offer them the
software solution for free to let them do it.

How about we just get the ISPs to put the proper ingress and egress 
filtering in their routers and switches in the first place? If everyone 
upstream would do that, I should not see most of the virus traffic and 
scans in the first place. Just cover the SANS Top 10 in general and 
really, truly ONLY ALLOW WHAT IS NEEDED.

Linksys, NetGear and D-Link could do the world a favor and configure home 
cable/DSL routers to only allow HTTP, SMTP, and FTP out by default. 
Instead of everything, including NetBIOS and other stuff that should never 
leave the local LAN. The rest of us who need other services should be 
capable enough to configure it to be more open.

Really, "whack a mole" (credit to mjr?) is not the answer...the problem is 
people allow much more than just known good traffic.

Mark Boltz
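The spoofing objection above is what any Snort-to-PIX auto-shun scheme has to answer before it goes live. The following is an added illustration, not code from either poster or from Snort/PIX: a five-minute shun list that only acts on alerts where the IDS saw a completed TCP handshake (a blind spoofer cannot finish one) and that refuses to shun a constructed never-shun range. `Alert`, `ShunList` and the `NEVER_SHUN` addresses are hypothetical; the timestamps are passed in explicitly so the expiry logic is deterministic.

```python
import ipaddress
from dataclasses import dataclass

SHUN_SECONDS = 300  # five-minute shun, as in the scheme described in the thread

# Constructed allowlist: addresses that must never be shunned no matter what
# the IDS reports (customer ranges, upstream routers, DNS servers and the like).
NEVER_SHUN = [ipaddress.ip_network("192.0.2.0/24")]


@dataclass
class Alert:
    src: str          # source address reported by the IDS
    sig: str          # signature name, kept for logging only
    ts: float         # time the alert was raised (seconds)
    established: bool # True only if the IDS saw a completed TCP three-way handshake


class ShunList:
    """Temporary shun list keyed by source address with lazy expiry."""

    def __init__(self):
        self._entries = {}  # src ip -> expiry timestamp

    def consider(self, alert):
        """Return True if the alert adds (or refreshes) a shun entry, else False."""
        # Single-packet alerts (UDP, ICMP, lone SYNs) can carry a forged source, so
        # acting on them lets a third party get a legitimate client blocked.
        # Only alerts from an established TCP session are trusted for auto-shun.
        if not alert.established:
            return False
        ip = ipaddress.ip_address(alert.src)
        if any(ip in net for net in NEVER_SHUN):
            return False
        self._entries[alert.src] = alert.ts + SHUN_SECONDS
        return True

    def is_shunned(self, src, now):
        """Report whether src is shunned at time `now`; drops the entry once it expires."""
        expiry = self._entries.get(src)
        if expiry is None:
            return False
        if now >= expiry:
            del self._entries[src]  # the outer loop would issue the PIX removal here
            return False
        return True
```

An outer loop would translate additions and expiries into the firewall's shun and un-shun commands; only the decision logic is shown here.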
