Re: IP Black list?

[mike.shannon () INFOMOVE COM (Mike Shannon)]

What if a legitimate orginization shares the same address space as an
offender?  Should they pay for the actions of that offender even though they
are not even associated with them? For example, 50 people lodge a complaint
about 1.2.3.0/24 even though it is actually coming from something in the
1.2.3.0/28 address space.  Not only that but finding a group of unbiased
people would be a tough thing to do.

If there could be something similar to what www.netscan.org does, that would
be useful.  Maybe something that logged the number of complaints and what
kind of complaints they were.  This way network admins could make an
intelligent decision about what to block.

Just my 2 cents,

Mike Shannon :: Sr. Network Admin :: InfoMove, Inc.
email. mike.shannon () infomove com :: phone. 425-576-4677

-----Original Message-----
From: Ed Padin [mailto:epadin () WAGWEB COM]
Sent: Monday, May 15, 2000 9:00 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: IP Black list?

I think it's a great idea! It's a little harder to implement than the SPAM
black list. You have to make sure that complaints of an IP address come from
a lot more sources and there has to a line drawn as to how much is real
crack attempts. The jury is still out on whether port scanning is considered
a innocent bahavior. Where do you draw the line? In the case of demon
internet, they say that their routers are misbehaving. Maybe they are
telling the truth (doubtful, but how do you disprove it.). At the very
least, they do respond to complaints unlike the Korean universities.

> -----Original Message-----
> From: Stuart Staniford [mailto:stuart () SILICONDEFENSE COM]
> Sent: Thursday, May 11, 2000 1:56 PM
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: IP Black list?
>
>
> I'm curious to know what folks think of the idea of a
> real-time blacklist
> for misbehaving IP addresses/blocks.  Some reputable
> person/organization
> could maintain it, trusted folks known to the co-ordinator
> could recommend
> IPs to blockade, and then anyone who chose to could implement
> the list into
> router or firewall rules.
>
> We could start by putting demon.co.uk into it until they stop
> spraying the
> world with bad packets and repeating the same lame excuses for why they
> still haven't stopped whatever is causing that.  It would also
> be a good
> place to put Korean Universities and schools, etc that
> constantly scan us
> and never respond to complaints.  If use of it became widespread, this
> would tend to exert social pressure on bad parts of IP space
> to clean up
> their act.  Their users wouldn't be able to get to lots of parts of the
> Internet until they satisfied the blacklist co-ordinator that
> the problem
> was resolved.
>
> Thoughts?
>
> Stuart.
>
> --
> Stuart Staniford  ---  President  ---  Silicon Defense
>                   stuart () silicondefense com
> (707) 445-4355                     (707) 445-4222 (FAX)