On 15 May 2002, Johannes B. Ullrich wrote:
What about scans done from different networks other than that which the supposed attacker is originating from? Well, then these networks are marked as "attackers", which is ok. They can clean up their systems and enjoy full access again.
Yes. Part of such blackholing would be hoped to have a "behaviour modification" effect the same way that RBL does. Many NOCs/admins are too apathetic/lazy/incompetent/toothless to do anything about shutting down compromised boxes/script kiddies. Blackholing them from the net would provide motivation. And some protection against those attackers. When management can no longer download their pr0n you can damn well bet they will "want it fixed NOW" and will give whatever authorization required to do it. Well, you get the point. :P

It's not intended to be perfect. It's intended to make life more difficult for attackers, and to reduce impact of attacks at least a little bit. And motivate lazy networks to fix their broken shit.

-Dan

--
[-] Omae no subete no kichi wa ore no mono da. [-]