Re: Compromised hosts lists

[Frank Knobbe <frank () knobbe us>]

On Mon, 2006-02-20 at 22:40 -0500, Valdis.Kletnieks () vt edu wrote:
> On Mon, 20 Feb 2006 16:55:06 MST, James Lay said:
> > I had heard tale of a site that had a semi-updated list of compromised
> > hosts.  I was hoping that someone knows that link...would LOVE to be
> > able to get my firewall to get this list and auto-create an iptables
> > rule.  Thanks all!
>
> The secure way to do this is to first deny *all* traffic, and then add
> specific rules for machines that you *do* want to talk to.

Would you apply the same thinking to *outbound* traffic by first denying
all outbound traffic, and then adding rules for, say eBay, Slashdot,
etc?

While real time firewall blocking of inbound threats reaches exhaustion
fast, I think a real time block of threats that you might accidentally
connect to outbound (like phishing sites or botnet C&Cs) does indeed
make sense as a) the volume is typically lower, and b) you usually
restrict outbound traffic only by port/service . What are your thoughts
on that?

Cheers,
Frank

-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.

Attachment: signature.asc
Description: This is a digitally signed message part

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/