
On Thu, 6 Jul 2000, Tony Mumm wrote:
> David Charlap <david.charlap@marconi.com> wrote:
> > I don't know if this is what you were observing, but the MAPS RBL can be used in this capacity. See also:
> > http://www.mail-abuse.org/rbl/usage.html#BGP
> > Of course, you'd want a different database for blocking script kiddies.
> > -- David
>
> I think that is similar to what you want... and it might be adequate against scanners and other simple hacks. I don't think it would be worth anything against a flood; the flood isn't going to care that it sees nothing coming back from your network. It might discourage someone if they see no ECHO_REPLYs coming back from their 10 Mbit smurf... but it probably wouldn't be long before they just stop caring.

Technically, no one would see ECHO_REPLYs coming back from any type of smurf, no matter the size. It's just the nature of the beast.

My personal belief is that blocking people who port scan is a silly thing. At least, according to federal law, port scanning isn't illegal. Your state might have loosely worded statutes that cover it, but that's another matter. Also, it's possible to forge every type of stealth scan known to man, because the scan is really only one packet with different TCP options set. No three-way handshake, and therefore no real proof. The only scan that shouldn't be possible to spoof (how secure are your TCP sequence numbers?) is a TCP connect scan. Of course, this is all moot if you're talking about vulnerability scanners that just churn through IP space, and in that case, please feel free to ignore me.

I'm beginning to take a liking to Marcus Ranum's idea of taking these matters into civil court. He joked at USENIX that he'd probably make a killing if he just did referrals to high-paid lawyers for people looking to take script kiddies and their parents to court. It's really not that hard to track these kids down, thanks to their IRC usage. I had tracked mosthateD down to his street address before he was raided. Of course, it was somewhat personal, and he lived not too far from where I grew up. Also, in his case, it's probably worth noting that there probably wasn't much to get from him or his mother in court, even if she did go out and buy him another computer the day after he got raided and praised him for being "so smart" on 20/20. Smart people don't generally deface web pages, or get caught.

skript kiddie crackers are only a threat because enough of them haven't been hit with a sufficiently large physical or monetary lart. let the larting begin.

__
joseph w. shaw
sr. security specialist
some company that isn't associated with this account
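
Added example, not part of the original message: a Python sketch of the "no three-way handshake, no real proof" point, showing how a blocklist feed could separate sources that completed a handshake from sources seen only in single-packet probes. The tuple layout, function names and sample records are constructed for illustration, and the check assumes unpredictable initial sequence numbers, the caveat the message raises.

```python
# Constructed sensor records: (src, sport, dport, direction, flags, seq, ack)
# direction "in" = remote -> us, "out" = our reply. Flags: S, A, F, R, P, U.
SAMPLE = [
    ("198.51.100.7", 40001, 22, "in", "S", 1000, 0),
    ("198.51.100.7", 40001, 22, "out", "SA", 5000, 1001),
    ("198.51.100.7", 40001, 22, "in", "A", 1001, 5001),   # connect scan: handshake done
    ("203.0.113.9", 40002, 80, "in", "S", 2000, 0),
    ("203.0.113.9", 40002, 80, "out", "SA", 6000, 2001),
    ("203.0.113.9", 40002, 80, "in", "R", 2001, 0),       # half-open: RST proves nothing
    ("192.0.2.44", 40003, 23, "in", "F", 3000, 0),        # FIN probe
    ("192.0.2.44", 40004, 25, "in", "FPU", 3100, 0),      # Xmas probe
    ("192.0.2.44", 40005, 110, "in", "", 3200, 0),        # NULL probe
    ("192.0.2.99", 40006, 22, "in", "S", 4000, 0),
    ("192.0.2.99", 40006, 22, "out", "SA", 7000, 4001),
    ("192.0.2.99", 40006, 22, "in", "A", 4001, 1234),     # blind ACK, wrong ack number
]


def classify_sources(packets):
    """Return {src: 'attributable' | 'unverified'} for inbound TCP traffic."""
    our_isn = {}   # flow -> initial sequence number we sent in our SYN-ACK
    verdict = {}
    for src, sport, dport, direction, flags, seq, ack in packets:
        flow = (src, sport, dport)
        flagset = set(flags)
        if direction == "out":
            if flagset == {"S", "A"}:
                our_isn[flow] = seq
            continue
        verdict.setdefault(src, "unverified")
        # Only a bare ACK acknowledging our ISN + 1 shows the sender actually
        # received our SYN-ACK, i.e. that the source address was not forged.
        expected = (our_isn[flow] + 1) % 2**32 if flow in our_isn else None
        if flagset == {"A"} and ack == expected:
            verdict[src] = "attributable"
    return verdict


def blocklist_candidates(packets):
    """Sources a blocklist could act on without risking a forged address."""
    return sorted(s for s, v in classify_sources(packets).items() if v == "attributable")


if __name__ == "__main__":
    for src, v in classify_sources(SAMPLE).items():
        print(f"{src:15} {v}")
```
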