Security Incidents mailing list archives
Re: IP Black list?
From: mike.shannon () INFOMOVE COM (Mike Shannon)
Date: Mon, 15 May 2000 15:11:27 -0700
What if a legitimate organization shares the same address space as an offender? Should they pay for the actions of that offender even though they are not even associated with them? For example, 50 people lodge a complaint about 1.2.3.0/24 even though it is actually coming from something in the 1.2.3.0/28 address space. Not only that but finding a group of unbiased people would be a tough thing to do.

If there could be something similar to what www.netscan.org does, that would be useful. Maybe something that logged the number of complaints and what kind of complaints they were. This way network admins could make an intelligent decision about what to block.

Just my 2 cents,

Mike Shannon :: Sr. Network Admin :: InfoMove, Inc.
email. mike.shannon () infomove com :: phone. 425-576-4677

-----Original Message-----
From: Ed Padin [mailto:epadin () WAGWEB COM]
Sent: Monday, May 15, 2000 9:00 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: IP Black list?

I think it's a great idea! It's a little harder to implement than the SPAM black list. You have to make sure that complaints of an IP address come from a lot more sources and there has to be a line drawn as to how much is real crack attempts. The jury is still out on whether port scanning is considered an innocent behavior. Where do you draw the line?

In the case of demon internet, they say that their routers are misbehaving. Maybe they are telling the truth (doubtful, but how do you disprove it?). At the very least, they do respond to complaints unlike the Korean universities.
-----Original Message-----
From: Stuart Staniford [mailto:stuart () SILICONDEFENSE COM]
Sent: Thursday, May 11, 2000 1:56 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: IP Black list?

I'm curious to know what folks think of the idea of a real-time blacklist for misbehaving IP addresses/blocks. Some reputable person/organization could maintain it, trusted folks known to the co-ordinator could recommend IPs to blockade, and then anyone who chose to could implement the list into router or firewall rules.

We could start by putting demon.co.uk into it until they stop spraying the world with bad packets and repeating the same lame excuses for why they still haven't stopped whatever is causing that. It would also be a good place to put Korean Universities and schools, etc that constantly scan us and never respond to complaints.

If use of it became widespread, this would tend to exert social pressure on bad parts of IP space to clean up their act. Their users wouldn't be able to get to lots of parts of the Internet until they satisfied the blacklist co-ordinator that the problem was resolved.

Thoughts?

Stuart.

--
Stuart Staniford --- President --- Silicon Defense
stuart () silicondefense com
(707) 445-4355
(707) 445-4222 (FAX)
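
Added example, not part of the original thread or any poster's code: a sketch of the complaint log suggested in the reply above, counting distinct reporters and complaint kinds for a reported block and deriving the narrowest prefix that actually covers the complained-about sources. The record fields, reporter names and complaint kinds are assumptions, and the sample data is constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample complaints (not real reports). The 1.2.3.x sources follow
# the thread's example; 192.0.2.7 is a documentation address outside the block.
COMPLAINTS = [
    {"reporter": "site-a", "src": "1.2.3.2", "kind": "portscan"},
    {"reporter": "site-b", "src": "1.2.3.5", "kind": "portscan"},
    {"reporter": "site-c", "src": "1.2.3.14", "kind": "exploit-attempt"},
    {"reporter": "site-a", "src": "1.2.3.5", "kind": "exploit-attempt"},
    {"reporter": "site-d", "src": "192.0.2.7", "kind": "portscan"},
]

def narrowest_prefix(addrs):
    """Smallest single IPv4 prefix covering every address in addrs, or None."""
    ips = [int(ipaddress.IPv4Address(a)) for a in addrs]
    if not ips:
        return None
    lo, hi = min(ips), max(ips)
    # Bits in which the lowest and highest address differ must be host bits.
    prefixlen = 32 - (lo ^ hi).bit_length()
    return ipaddress.ip_network((lo, prefixlen), strict=False)

def summarize(complaints, reported_block):
    """Summarize complaints whose source falls inside reported_block."""
    block = ipaddress.ip_network(reported_block)
    inside = [c for c in complaints
              if ipaddress.ip_address(c["src"]) in block]
    observed = narrowest_prefix({c["src"] for c in inside})
    covered = observed.num_addresses if observed else 0
    return {
        "reported_block": str(block),
        "observed_prefix": str(observed) if observed else None,
        # Distinct reporters matter more than raw complaint volume.
        "distinct_reporters": len({c["reporter"] for c in inside}),
        "by_kind": dict(Counter(c["kind"] for c in inside)),
        # Addresses in the reported block that no complaint points at.
        "uninvolved_addresses": block.num_addresses - covered,
    }

if __name__ == "__main__":
    for key, value in summarize(COMPLAINTS, "1.2.3.0/24").items():
        print(f"{key}: {value}")
```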