Security Incidents mailing list archives
Re: IP Black list?
From: wtarking () FORD COM (Tarkington, William (W.))
Date: Tue, 16 May 2000 16:24:10 -0400
Oddly enough that's pretty much the same system BGP uses for flapping routes. If you make an identical system as the BGP RFC then you do no more damage than that protocol which runs the internet.

---------------------
As always my opinions are mine. And probably not worth the 2 cents.
Will

-----Original Message-----
From: Michael Damm [mailto:symetrix () symetrix org]
Sent: Tuesday, May 16, 2000 2:24 AM
To: INCIDENTS () securityfocus com
Subject: Re: IP Black list?

When I first saw this thread I promised myself I'd keep quiet on it since it really isn't a security issue, but my two cents are burning a hole in my pocket.

Idea: We get a lot of sysadmins to run this first off, and if someone, say, starts scanning for bind and hits port 53 of every IP in a class-c, whoever is the admin there can send something in to the list maintainer (automated?). If two or three independent reports are received for a host, it goes on the list. This makes a lot of sense to me since most scriptkids/spammers/etc. are going to be going big time and scanning class B's, class A's, and TLD's, not just probing random IPs.

For every time it receives a complaint it gets, say, 2.5 hours tacked on to how long it's blacklisted, i.e. the more trouble a host/network causes the longer it's in time out. Then if a dialup user is on a line and causing trouble for 2 hours, the longest that IP will be out of service is 12 hours or something.

When the entry hits the list, an automated email or something is sent to relevant contact points; then if they don't bounce and the admin cares to do anything about it he can contact the list maintainer and get removed.

Overall, I like the idea. Abusers have Distributed Denial of Service, now we have Distributed Response. (</buzzword>)

-- mike

 ---____
 / __/   Michael Damm, Independent Security Consultant
 /__ /   Providing cost effective NDA bound outsourcing of security
 /___/   solutions.
         Visit www.symetrix.org or call toll free 877.534.6247

----- Original Message -----
From: "Luff, Darryl" <DLuff () IITSCDM COM AU>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Monday, May 15, 2000 5:03 PM
Subject: Re: [INCIDENTS] IP Black list?

Most of the scans I see come from dialup IP addresses. The machine doing the scans may only be online for a couple of hours. I think by the time you blacklisted them they're probably offline. How do you un-blacklist them?
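The listing rules Michael Damm sketches above (a host is listed only after independent reports from more than one admin, every complaint adds 2.5 hours to the time-out, and the listing expires on its own so a dialup address is not held indefinitely, which is Darryl Luff's concern), written out as an added example. This is not code from the thread or from any poster. The report-line format, the reset of an entry once its listing has expired, the thresholds as constants, and the sample addresses and timestamps are all assumptions constructed for the example.

```python
"""Scored, self-expiring IP blacklist in the spirit of the thread's proposal.

Added example, not code posted to the list. The policy numbers (2.5 hours per
complaint, two independent reporters) come from the post; the report-line
format "<unix-time> <reporter> <ip>" and the post-expiry reset are assumptions.
"""
from dataclasses import dataclass, field

PENALTY_SECONDS = int(2.5 * 3600)   # 2.5 hours tacked on per complaint (from the post)
MIN_REPORTERS = 2                   # "two or three independent reports" (assumed: 2)


@dataclass
class Entry:
    reporters: set = field(default_factory=set)   # distinct admins who complained
    complaints: int = 0                           # every complaint, from any admin
    listed_until: float = 0.0                     # unix time; 0.0 means never listed


class DistributedBlacklist:
    def __init__(self, min_reporters=MIN_REPORTERS, penalty=PENALTY_SECONDS):
        self.min_reporters = min_reporters
        self.penalty = penalty
        self.entries = {}

    def report(self, ip, reporter, now):
        """Record one complaint about ip. Returns True if ip is listed afterwards."""
        e = self.entries.get(ip)
        if e is not None and e.listed_until and e.listed_until <= now:
            # Listing already expired: start over, so an address a dialup user
            # has since given up does not carry the old history (assumption).
            e = None
        if e is None:
            e = self.entries[ip] = Entry()
        e.reporters.add(reporter)
        e.complaints += 1
        if len(e.reporters) < self.min_reporters:
            return False            # one admin alone cannot put a host on the list
        if not e.listed_until:
            # Threshold just crossed: every complaint received so far counts.
            e.listed_until = now + e.complaints * self.penalty
        else:
            e.listed_until += self.penalty
        return True

    def is_blocked(self, ip, now):
        e = self.entries.get(ip)
        return e is not None and e.listed_until > now

    def time_left(self, ip, now):
        """Seconds of time-out remaining for ip at time now (0.0 if not listed)."""
        e = self.entries.get(ip)
        return max(0.0, e.listed_until - now) if e else 0.0

    def prune(self, now):
        """Drop entries whose listing has expired. Returns how many were removed."""
        dead = [ip for ip, e in self.entries.items()
                if e.listed_until and e.listed_until <= now]
        for ip in dead:
            del self.entries[ip]
        return len(dead)


def ingest(bl, lines):
    """Feed constructed report lines of the form '<unix-time> <reporter> <ip>'."""
    for line in lines:
        ts, reporter, ip = line.split()
        bl.report(ip, reporter, float(ts))


# Constructed sample reports (not real complaints). Times are unix seconds.
SAMPLE_REPORTS = [
    "958460640 admin@example.net 192.0.2.77",    # port-53 sweep seen by example.net
    "958460700 admin@example.net 192.0.2.77",    # same admin again: not independent
    "958461000 noc@example.org 192.0.2.77",      # second independent admin: listed
    "958464600 admin@example.net 192.0.2.77",    # a further complaint: +2.5 h
    "958465000 admin@example.net 198.51.100.9",  # lone report: never listed
]


def demo(now=958464600):
    """Run the sample through the list; returns (blocked, hours_left, lone_blocked)."""
    bl = DistributedBlacklist()
    ingest(bl, SAMPLE_REPORTS)
    return (bl.is_blocked("192.0.2.77", now),
            bl.time_left("192.0.2.77", now) / 3600,
            bl.is_blocked("198.51.100.9", now))


if __name__ == "__main__":
    print(demo())
```

With the sample above, 192.0.2.77 is listed on the third complaint (the first from a second admin) for 3 x 2.5 hours, the fourth complaint adds another 2.5 hours, and the address drops off the list by itself afterwards; 198.51.100.9, reported by one admin only, is never blocked. Whether an expired entry should really forget its history, as `report()` does here, is the trade-off Darryl Luff's question points at: forgetting releases dialup addresses quickly, remembering punishes repeat offenders harder.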