Security Incidents mailing list archives

Re: IP Black list? (Track yes, Block no)


From: bryan () VISI COM (Bryan Andersen)
Date: Tue, 16 May 2000 08:08:54 -0500


I've often thought of doing something like making an offenders
list of places that port scan me and posting the results.
Doing it globally for the internet is likely a much better
idea.  On the other hand I don't want others making the
decision to block x addresses at my site.  I will make those
decisions myself, and yes portions of Korea are blocked by
my firewall.

As for uses of the data, I want it for helping to support
the need for creating more secure software and operating
systems.  At this point I don't feel most developers have
any clue how much scanning really goes on or for that matter
how many systems are compromised each day.

If one was to set up a tracking DB, what information would
be good to store?  The source IP#/port# and destination
numbers are a minimum.  Full packet headers?  Payload data?
Dest machine/OS (should not be made public)?

Another thing is how does one get a good idea the incoming
data is good?  I can see tracking the User ID and source IP#
of all data posted.  Other ideas?  Do we limit it to only
registered users, or allow an Anonymous Coward option?

Getting data into the DB.  Obviously there would be a web
front end.  I can also see a program that could directly
read tcpdump files to get the data?  It could be written
to send URLs with the data packed into them.  Consistency
checking would still be done at the database end.

Just the starts of thoughts on this.  Letting my mind wander
where it will go...

-- Bryan

jms wrote:
My proposal: perhaps it would be a more efficient if we simply started a
consumer watchdog group that grades providers on the basis of incident
response?  Offer a website which lists:  incident description,
resolutions, comments from provider/client?

It could provide insight into not only a provider's attitude towards
attacks originating from its network, but also attacks on its clients.

Let's face it; one client telling a pre IPO upstream that they are
terminating service because they suck ass doesn't change much.

But one website tar and feathering an upstream for its negligence and
receiving tons of hits a day might well make some waves.

and

Mike Shannon wrote:

What if a legitimate organization shares the same address space as an
offender?  Should they pay for the actions of that offender even though they
are not even associated with them? For example, 50 people lodge a complaint
about 1.2.3.0/24 even though it is actually coming from something in the
1.2.3.0/28 address space.  Not only that but finding a group of unbiased
people would be a tough thing to do.

If there could be something similar to what www.netscan.org does, that would
be useful.  Maybe something that logged the number of complaints and what
kind of complaints they were.  This way network admins could make an
intelligent decision about what to block.

--
|  Bryan Andersen   |   bryan () visi com   |   http://softail.visi.com   |
| Buzzwords are like annoying little flies that deserve to be swatted. |
|   -Bryan Andersen                                                    |
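An added example (my own code, not from Bryan's post or anyone else in the thread) of the ingest side he sketches: it reads tcpdump-style text lines, keeps the minimum fields (source and destination IP and port), does the consistency checking at the database end, records who posted each report, and summarises per /24 so an admin can see the case Mike Shannon raises, where many complaints about a /24 trace back to a single host. The tcpdump line format is assumed and every address below is constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in tcpdump's text form; all addresses are made up for this example.
SAMPLE = [
    "08:08:54.100 IP 1.2.3.4.40123 > 10.0.0.5.22: Flags [S]",
    "08:08:54.200 IP 1.2.3.4.40124 > 10.0.0.5.23: Flags [S]",
    "08:08:55.300 IP 1.2.3.9.51000 > 10.0.0.5.80: Flags [S]",
    "08:08:56.400 IP 999.1.1.1.1 > 10.0.0.5.25: Flags [S]",     # bad address: rejected
    "08:08:57.500 IP 1.2.3.4.70000 > 10.0.0.5.21: Flags [S]",   # bad port: rejected
]

# Assumed line shape: "<time> IP <src>.<sport> > <dst>.<dport>: ..."
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):")

def parse_line(line):
    """Pull out the minimum fields (source/destination IP and port); None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        rec = {"src": str(ipaddress.ip_address(m["src"])), "sport": int(m["sport"]),
               "dst": str(ipaddress.ip_address(m["dst"])), "dport": int(m["dport"])}
    except ValueError:      # ip_address() rejects octets like 999
        return None
    if not (0 <= rec["sport"] <= 65535 and 0 <= rec["dport"] <= 65535):
        return None         # consistency check done at the database end, not by the sender
    return rec

def ingest(lines, reporter_id):
    """Accept well-formed records, tagging each with who submitted it; count the rejects."""
    accepted, rejected = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            rejected += 1
        else:
            rec["reporter"] = reporter_id
            accepted.append(rec)
    return accepted, rejected

def summarize(records):
    """Per /24: (distinct reporters, distinct offending hosts, total reports)."""
    by_net = defaultdict(lambda: {"rep": set(), "hosts": set(), "n": 0})
    for r in records:
        net = str(ipaddress.ip_network(r["src"] + "/24", strict=False))
        e = by_net[net]
        e["rep"].add(r["reporter"]); e["hosts"].add(r["src"]); e["n"] += 1
    return {net: (len(e["rep"]), len(e["hosts"]), e["n"]) for net, e in by_net.items()}
```

The "distinct hosts" column is what lets an admin see that three reports against 1.2.3.0/24 come from only two machines before deciding what, if anything, to block.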