Security Incidents mailing list archives
Re: IP Black list? (Track yes, Block no)
From: bryan () VISI COM (Bryan Andersen)
Date: Tue, 16 May 2000 08:08:54 -0500
I've often thought of doing something like making an offenders list of places that port scan me and posting the results. Doing it globally for the internet is likely a much better idea. On the other hand, I don't want others making the decision to block x addresses at my site. I will make those decisions myself, and yes, portions of Korea are blocked by my firewall.

As for uses of the data: I want it for helping to support the need for creating more secure software and operating systems. At this point I don't feel most developers have any clue how much scanning really goes on or, for that matter, how many systems are compromised each day.

If one was to set up a tracking DB, what information would be good to store? The source IP#/port# and destination numbers are a minimum. Full packet headers? Payload data? Dest machine/OS (should not be made public)?

Another thing is how does one get a good idea the incoming data is good? I can see tracking the User ID and source IP# of all data posted. Other ideas? Do we limit it to only registered users, or allow an Anonymous Coward option?

Getting data into the DB. Obviously there would be a web front end. I can also see a program that could directly read tcpdump files to get the data. It could be written to send URLs with the data packed into them. Consistency checking would still be done at the database end.

Just the start of thoughts on this. Letting my mind wander where it will go...

-- Bryan

jms wrote:
My proposal: perhaps it would be more efficient if we simply started a consumer watchdog group that grades providers on the basis of incident response? Offer a website which lists: incident description, resolutions, comments from provider/client? It could provide insight into not only a provider's attitude towards attacks originating from its network, but also attacks on its clients. Let's face it; one client telling a pre-IPO upstream that they are terminating service because they suck ass doesn't change much. But one website tarring and feathering an upstream for its negligence and receiving tons of hits a day might well make some waves.
and Mike Shannon wrote:
What if a legitimate organization shares the same address space as an offender? Should they pay for the actions of that offender even though they are not even associated with them? For example, 50 people lodge a complaint about 1.2.3.0/24 even though it is actually coming from something in the 1.2.3.0/28 address space. Not only that, but finding a group of unbiased people would be a tough thing to do. If there could be something similar to what www.netscan.org does, that would be useful. Maybe something that logged the number of complaints and what kind of complaints they were. This way network admins could make an intelligent decision about what to block.
--
| Bryan Andersen | bryan () visi com | http://softail.visi.com |
| Buzzwords are like annoying little flies that deserve to be swatted. |
| -Bryan Andersen |
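The tracking database Bryan sketches above (source/destination IP and port, submitter identity, consistency checking at the database end, a client that packs a report into a URL) and Mike Shannon's worry about complaints being counted against a whole /24 when the activity sits in one /28 can both be shown in a few dozen lines. The following is an added example and not code from anyone in this thread; the field names, the sample reports, the `tracker.example.invalid` URL and the choice to reject anonymous submissions are all assumptions made for illustration. It validates incoming reports, keeps the destination host out of anything it publishes, and rolls accepted reports up per source prefix so an administrator can see how many independent submitters and distinct hosts stand behind a complaint at /24 versus /28.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample submissions (not real traffic). Fields follow the minimum
# proposed in the thread: submitter, source IP/port, destination IP/port.
SAMPLE_REPORTS = [
    {"user": "alice", "src_ip": "1.2.3.4",   "src_port": "40001", "dst_ip": "10.0.0.5", "dst_port": "22"},
    {"user": "alice", "src_ip": "1.2.3.4",   "src_port": "40002", "dst_ip": "10.0.0.5", "dst_port": "23"},
    {"user": "bob",   "src_ip": "1.2.3.9",   "src_port": "51000", "dst_ip": "10.0.1.7", "dst_port": "80"},
    {"user": "carol", "src_ip": "1.2.3.200", "src_port": "3344",  "dst_ip": "10.0.2.2", "dst_port": "21"},
    {"user": "dave",  "src_ip": "999.1.1.1", "src_port": "1",     "dst_ip": "10.0.0.1", "dst_port": "22"},  # malformed IP
    {"user": "",      "src_ip": "1.2.3.4",   "src_port": "70000", "dst_ip": "10.0.0.1", "dst_port": "22"},  # anonymous, bad port
]

# Constructed example of a report a tcpdump-reading client packed into a URL
# (hypothetical host name, not a real service).
SAMPLE_URL = ("https://tracker.example.invalid/submit"
              "?user=bob&src_ip=1.2.3.9&src_port=51001&dst_ip=10.0.1.7&dst_port=443")

REQUIRED_FIELDS = ("user", "src_ip", "src_port", "dst_ip", "dst_port")


@dataclass(frozen=True)
class ScanRecord:
    user: str
    src_ip: ipaddress.IPv4Address
    src_port: int
    dst_ip: ipaddress.IPv4Address   # stored for the operator, never published
    dst_port: int


def parse_submission_url(url: str) -> dict:
    """Unpack a report that a client encoded into the URL query string."""
    query = parse_qs(urlsplit(url).query)
    return {k: query[k][0] for k in REQUIRED_FIELDS if k in query}


def validate(raw: dict) -> Optional[ScanRecord]:
    """Consistency check at the database end: reject anonymous or malformed reports."""
    if any(k not in raw for k in REQUIRED_FIELDS):
        return None
    user = raw["user"].strip()
    if not user:                       # registered submitters only, so data can be audited
        return None
    try:
        src_ip = ipaddress.IPv4Address(raw["src_ip"])
        dst_ip = ipaddress.IPv4Address(raw["dst_ip"])
        src_port, dst_port = int(raw["src_port"]), int(raw["dst_port"])
    except ValueError:                 # covers AddressValueError and non-numeric ports
        return None
    if not (0 <= src_port <= 65535 and 0 <= dst_port <= 65535):
        return None
    return ScanRecord(user, src_ip, src_port, dst_ip, dst_port)


def ingest(raw_reports) -> tuple:
    """Validate every submission; return (accepted records, number rejected)."""
    accepted, rejected = [], 0
    for raw in raw_reports:
        rec = validate(raw)
        if rec is None:
            rejected += 1
        else:
            accepted.append(rec)
    return accepted, rejected


def summarize(records, prefixlen: int = 24) -> dict:
    """Roll accepted reports up per source prefix. For each prefix report how
    many submissions arrived, from how many independent submitters, against how
    many distinct source hosts. Narrowing prefixlen shows where the activity
    really sits, which is what an admin needs before blocking anything."""
    buckets = defaultdict(lambda: {"reports": 0, "submitters": set(), "hosts": set()})
    for rec in records:
        net = ipaddress.ip_network(f"{rec.src_ip}/{prefixlen}", strict=False)
        b = buckets[str(net)]
        b["reports"] += 1
        b["submitters"].add(rec.user)
        b["hosts"].add(str(rec.src_ip))
    return {net: {"reports": b["reports"],
                  "submitters": len(b["submitters"]),
                  "hosts": len(b["hosts"])}
            for net, b in buckets.items()}


if __name__ == "__main__":
    records, rejected = ingest(SAMPLE_REPORTS + [parse_submission_url(SAMPLE_URL)])
    print(f"accepted {len(records)}, rejected {rejected}")
    for plen in (24, 28):
        print(f"/{plen}:", summarize(records, plen))
```

Run as a script, the sample data yields one /24 bucket backed by three submitters and three hosts, but at /28 it splits into one busy block and one block with a single report from a single host, which is the distinction Mike Shannon asks for. Counting submitters separately from reports keeps one prolific user from looking like a consensus.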