On Sun, Jan 11, 2015 at 6:46 AM, Mike Hammett <nanog@ics-il.net> wrote:
> You hit my honeypot IPs, blackholed for 30 days. You do a DNS request to my non-DNS servers, blackholed for 30 days. Same goes for NTP, mail, web, etc. You have more than say 5 bad login attempts to my mail server in 5 minutes, blackholed for 30 days. You're trying to access various web pages known for home router or WordPress exploitation, blackholed for 30 days.
I urge caution in building automatic systems to respond to network abuse, lest you have unanticipated consequences. How are you tracing the source for DNS UDP, NTP UDP, etc., requests? Or TCP SYNs? If you say source address in the packet, you might not be doing what you think you're doing. Or for that matter HTTP accesses.

Without giving too much discussion, let me point out:

1) You can forge a victim's IP and send packets to a honeypot (or indeed the entire IPv4 internet if you want). You may not want to assume "I see a packet with this claimed source being sent to X, so it must be a bad guy and I should block it."

2) Web crawlers will follow links from Bad Guy's Site to your website, even if these links might match an IDS signature on your end. You may not want to block some search engine crawlers.

3) Legitimate recursive DNS servers can be made to connect to any IP address a bad guy wants them to connect to. You may not want to block some ISP's recursive DNS servers.

There are good things to do automatically, but make sure you think them through.

I used to do click fraud detection 15 years ago - when that was still a new field and we all were inventing our own ways of doing it. I was amazed at the number of ways a bad guy could do an HTTP request from millions of source IPs (hint: they weren't spoofed). I suspect it hasn't gotten better.

The internet isn't able to be broken because the people building and running it are idiots. It's able to be broken because breaking things has always been far easier than building them. It takes much more intelligence, skill, and expertise to build a glass window than to throw a brick through one.
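One way to encode the distinction the reply draws, as an added example that is not part of the original thread: evidence whose source address can be forged (UDP requests, bare TCP SYNs) is only logged, while blocks are taken solely on events that happened inside an established TCP session, and known crawler or resolver ranges are never auto-blocked. The event names, the 30-day hold, the 5-in-5-minutes login rule and the allowlist range are constructed placeholders.

```python
import ipaddress

# Evidence kinds grouped by whether the source address could have been forged.
# A UDP request or a bare TCP SYN proves nothing about who sent it; a failed
# login or an exploit-URL fetch inside an established TCP session does.
SPOOFABLE = {"udp_dns", "udp_ntp", "tcp_syn"}
VERIFIED = {"login_failure", "exploit_url"}

DAY = 86400  # seconds


class Blackholer:
    """Decides whether an observed event justifies a timed block of its source."""

    def __init__(self, allowlist, hold=30 * DAY, login_threshold=5, window=300):
        # allowlist: CIDR strings for crawler / ISP resolver ranges (constructed input)
        self.allow = [ipaddress.ip_network(n) for n in allowlist]
        self.hold, self.threshold, self.window = hold, login_threshold, window
        self.blocked = {}   # ip -> expiry timestamp (seconds)
        self.failures = {}  # ip -> recent failed-login timestamps

    def _allowlisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allow)

    def observe(self, ip, kind, now):
        """Return the action taken for one event: log_only, skip, count or block."""
        if kind in SPOOFABLE:
            return "log_only"           # record it, never block on a forgeable source
        if kind not in VERIFIED:
            raise ValueError(f"unknown event kind {kind!r}")
        if self._allowlisted(ip):
            return "skip"               # known crawler/resolver range, never auto-block
        if kind == "login_failure":
            recent = [t for t in self.failures.get(ip, []) if now - t <= self.window]
            recent.append(now)
            self.failures[ip] = recent
            if len(recent) < self.threshold:
                return "count"          # below threshold inside the window
        self.blocked[ip] = now + self.hold
        return "block"

    def is_blocked(self, ip, now):
        """True while the block is in force; expired entries are dropped."""
        expiry = self.blocked.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocked[ip]
            return False
        return True
```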