nanog mailing list archives

Re: RBL-type BGP service for known rogue networks?


From: "Richard A. Steenbergen" <ras () e-gerbil net>
Date: Thu, 6 Jul 2000 16:02:19 -0400 (EDT)


On Thu, 6 Jul 2000 Valdis.Kletnieks () vt edu wrote:

> On Thu, 06 Jul 2000 12:22:09 PDT, Dan Hollis said:
> > I'm not talking about spammer networks, I'm talking about script kiddie
> > networks. We already have several systems for dealing with spammers but
> > none for script kiddies. (I can't be the only person who sees a problem
> > with this picture?)
>
> The biggest problem is that it's a lot easier to verify that a given site
> is a spamhaus.  Remember that source IP addresses (which is all that your
> border router sees) are forgeable - making for a nice DOS attack.  Forge
> packets from a competitor's site, get them labelled as a skriptz kiddie site,
> and BGP-blackholed.

DoS attacks with possible spoofed source addresses would obviously not be
a good criterion to blackhole by... Unauthorized mass vulnerability scans on
the other hand, COULD be. You'd have to make sure that it wasn't just a
spoofed SYN flood designed to look like a scan, and that there were actual
successfully opened sockets (this is assuming TCP scans). For certain
things this pretty much entails setting up a "bait" server, perhaps
binding a range of IPs on it, to look for at least the "obvious" scans. I
suspect not as many people as you would think are qualified to set up and
accurately use this kind of system (the number of stupid and paranoid
people who will complain about innocent behavior is almost as high as the
number of stupid and unconcerned people out there who will be
compromised).

-- 
Richard A Steenbergen <ras () e-gerbil net>   http://www.e-gerbil.net/humble
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)
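The distinction Steenbergen draws above, that only sources which actually complete TCP handshakes against a bait host should count as scanners while a spoofed SYN flood should not, as an added example that is not code from the thread. It assumes a constructed, simplified packet log (src, dst, bait-side port, TCP flags) from a hypothetical bait host, and the threshold of three targets is an arbitrary illustration.

```python
from collections import defaultdict

# Constructed packet log from a hypothetical bait host binding a block of
# addresses. Columns: src_ip dst_ip bait_port flags (S=SYN, SA=SYN-ACK, A=ACK).
# 203.0.113.5 completes handshakes; 198.51.100.9 only sends SYNs, which is what
# a spoofed source looks like (it never sees the SYN-ACK, so it cannot ACK it).
SAMPLE_LOG = """\
203.0.113.5 192.0.2.10 21 S
192.0.2.10 203.0.113.5 21 SA
203.0.113.5 192.0.2.10 21 A
203.0.113.5 192.0.2.10 23 S
192.0.2.10 203.0.113.5 23 SA
203.0.113.5 192.0.2.10 23 A
203.0.113.5 192.0.2.11 111 S
192.0.2.11 203.0.113.5 111 SA
203.0.113.5 192.0.2.11 111 A
198.51.100.9 192.0.2.10 21 S
192.0.2.10 198.51.100.9 21 SA
198.51.100.9 192.0.2.10 23 S
192.0.2.10 198.51.100.9 23 SA
198.51.100.9 192.0.2.11 111 S
192.0.2.11 198.51.100.9 111 SA
"""

def completed_handshakes(log):
    """Map scanner_ip -> set of (bait_ip, bait_port) with a full 3-way handshake."""
    state = {}  # (scanner, bait, port) -> last handshake stage seen in order
    done = defaultdict(set)
    for line in log.splitlines():
        if not line.strip():
            continue
        src, dst, port, flags = line.split()
        if flags == "S":                       # client SYN opens the state
            state[(src, dst, port)] = "syn"
        elif flags == "SA":                    # bait replies; key is from client's view
            key = (dst, src, port)
            if state.get(key) == "syn":
                state[key] = "synack"
        elif flags == "A":                     # only an ACK after SYN-ACK completes it
            key = (src, dst, port)
            if state.get(key) == "synack":
                state[key] = "done"
                done[src].add((dst, port))
    return done

def suspected_scanners(log, min_targets=3):
    """Sources with completed handshakes to at least min_targets distinct bait
    (address, port) pairs; a SYN-only flood never reaches this count."""
    done = completed_handshakes(log)
    return sorted(ip for ip, targets in done.items() if len(targets) >= min_targets)
```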
