On Thu, 6 Jul 2000 Valdis.Kletnieks@vt.edu wrote:
> On Thu, 06 Jul 2000 12:22:09 PDT, Dan Hollis said:
> > I'm not talking about spammer networks, I'm talking about script kiddie networks. We already have several systems for dealing with spammers but none for script kiddies. (I can't be the only person who sees a problem with this picture?)
>
> The biggest problem is that it's a lot easier to verify that a given site is a spamhaus. Remember that source IP addresses (which is all that your border router sees) are forgeable - making for a nice DoS attack. Forge packets from a competitor's site, get them labelled as a skriptz kiddie site, and BGP-blackholed.
DoS attacks with possible spoofed source addresses would obviously not be a good criterion to blackhole by... Unauthorized mass vulnerability scans, on the other hand, COULD be. You'd have to make sure that it wasn't just a spoofed SYN flood designed to look like a scan, and that there were actual successfully opened sockets (this is assuming TCP scans). For certain things this pretty much entails setting up a "bait" server, perhaps binding a range of IPs on it, to look for at least the "obvious" scans. I suspect not as many people as you would think are qualified to set up and accurately use this kind of system (the number of stupid and paranoid people who will complain about innocent behavior is almost as high as the number of stupid and unconcerned people out there who will be compromised).

--
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/humble
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
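The distinction Richard draws (completed TCP handshakes on a "bait" range count as evidence of a scan; bare SYNs, which can carry a forged source, do not) as an added example, not code from the thread or its participants. The log format, the bait prefix 192.0.2.0/28 and the threshold `min_targets` are assumptions; the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log from a hypothetical "bait" host bound to 192.0.2.0/28.
# Assumed format: <time> <src_ip> <dst_ip> <dst_port> <state>, where state is
# SYN (only a SYN arrived) or ESTABLISHED (three-way handshake completed).
SAMPLE_LOG = """\
12:00:01 198.51.100.7 192.0.2.1 21 ESTABLISHED
12:00:01 198.51.100.7 192.0.2.1 23 ESTABLISHED
12:00:02 198.51.100.7 192.0.2.2 21 ESTABLISHED
12:00:02 198.51.100.7 192.0.2.3 111 ESTABLISHED
12:00:03 203.0.113.9 192.0.2.1 80 SYN
12:00:03 203.0.113.9 192.0.2.2 80 SYN
12:00:04 203.0.113.9 192.0.2.3 80 SYN
12:00:04 203.0.113.9 192.0.2.4 80 SYN
12:00:05 198.51.100.20 192.0.2.1 80 ESTABLISHED
12:00:05 198.51.100.20 10.9.9.9 80 ESTABLISHED
"""

def classify_sources(log_text, bait_net="192.0.2.0/28", min_targets=4):
    """Map each source to completed/syn-only target counts and a verdict.
    Only sources with completed handshakes to >= min_targets distinct
    (bait_ip, port) pairs are flagged: completing a handshake requires
    receiving our SYN/ACK, which a forged source address cannot do."""
    net = ipaddress.ip_network(bait_net)
    completed, syn_only = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        _, src, dst, port, state = line.split()
        if ipaddress.ip_address(dst) not in net:
            continue  # only the bait range counts; nothing legitimate lives there
        target = (dst, int(port))
        if state == "ESTABLISHED":
            completed[src].add(target)
            syn_only[src].discard(target)
        elif target not in completed[src]:
            syn_only[src].add(target)
    report = {}
    for src in set(completed) | set(syn_only):
        done, half = len(completed[src]), len(syn_only[src])
        if done >= min_targets:
            verdict = "scan-candidate"       # verified: real connections were made
        elif done == 0:
            verdict = "syn-only-unverified"  # could be a spoofed SYN flood
        else:
            verdict = "benign"
        report[src] = {"completed": done, "syn_only": half, "verdict": verdict}
    return report
```

Sources that only ever sent SYNs are reported for visibility but never flagged, which is the property that keeps a forged-source flood from getting a third party blackholed.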