Security Incidents mailing list archives
IP blacklists
From: phi-incident () EXORSUS NET (phi-incident () EXORSUS NET)
Date: Wed, 17 May 2000 08:53:40 +1000
Just a note regarding the current arguments against the blacklist, I have seen a lot of people simply throw away the idea with the statement that they could obviously "just spoof some packets" from someone they didn't like and have them blackholed. None of the current mail blackhole systems would act on that level of information (equivalent to me telling the RBL "Bob relays!" and having Bob's network blackholed straight off), even ORBS, the least forgiving of the lists, does actually check itself.

I would anticipate that this blacklist, should it wish to become anything more than a novelty, would naturally use tactics similar to the RBL and others, i.e., several complaints must be filed, the offender themselves would be contacted and given a chance to explain/patch things up, and a decent amount of effort made to ensure that as soon as things were fixed, the offender would be removed from the list.

On top of that I would recommend multiple levels of severity for blackholed entities, such that administrators running machines where security rather than connectivity was paramount, they could select "Utterly paranoid" level and have their system blackhole IPs that had only a minimal amount of checking (perhaps, multiple complaints registered, contact hasn't replied in 3 days), whereas ISPs etc could run under "Most confirmed" level and only be blackholing those addresses people were _sure_ were bad, and which looked as if there was little hope of ever getting repaired.

Certainly there are issues to do with who makes such judgements, but with the careful creation of a charter for the service, and multi-level blocks with a well defined set of rules explaining how entities would move between levels, such issues could be minimalised. Interaction between humans, which this by necessity must be, will always be partially political, but I think this problem is well defined enough that the politics could be reduced to background noise.
It is a good, but potentially dangerous idea, and most certainly worthy of far more consideration than it is currently receiving.

Phi.