Security Incidents mailing list archives

Re: IP Black list?


From: root () RGFSPARC CR USGS GOV (Robert G. Ferrell)
Date: Tue, 16 May 2000 09:11:37 -0500


> I'm curious to know what folks think of the idea of a real-time blacklist
> for misbehaving IP addresses/blocks.  Some reputable person/organization
> could maintain it, trusted folks known to the co-ordinator could recommend
> IPs to blockade, and then anyone who chose to could implement the list into
> router or firewall rules.

Hi Stuart,

I certainly understand your frustration with misbehaving IPs, and I think
something should be done to encourage the administrators of those IPs to
clean up their acts.  However, I'm a little reluctant to lend my support to
a blacklist.  I've known very competent admins who've had systems put on the
ORBS blacklist before because they were relaying mail (and none of the
situations were simple cases of accidental misconfiguration).  While I
understand their reasoning, the attitude they've adopted is (IMO) arrogant and
sanctimonious, and their world view is, for my taste, a bit too black and white.
Testing a mail server for an open relay is equivalent to other forms of
fingerprinting, AFAIC.

While having the Internet police itself is the best way to run things, I think,
it is important that as we do so we subscribe not only to the practice of
competency, but also to that of civility.  If we could operate this database in
such a way that does not insult the (alleged) violators and takes into account
any special circumstances that surround a seeming violation, then it could be of
great use.  But let's not call it a "blacklist."  That's pretty demeaning.  How
about simply a Database of Potentially Problem IP Addresses, or something along
those lines?

Cheers,

RGF

Robert G. Ferrell, CISSP
Information Systems Security Officer
National Business Center, US DoI
Robert_G_Ferrell () nbc gov
------------------------------------------------------------
Nothing I have ever said should be construed as even vaguely
representing an official statement by the NBC or DoI.
------------------------------------------------------------

