Do you think that the car thief scenario comes into play here? Maybe an alarm system wont *really* keep a determined thief from stealing a car, but isn't he more likely to move onto something easier? And, yes, I do understand the mentality of the "bigger challenge". But, I've been able to identify the true source of a forged packet and filter it knowing that they could switch to attacking from another IP. However, I think only once or twice out of thirty or so incidents over the past few years have they come back in anytime soon from anywhere else. Karyn -----Original Message----- From: jlewis@lewis.org [mailto:jlewis@lewis.org] Sent: Thursday, July 06, 2000 2:35 PM To: Dan Hollis Cc: nanog@merit.edu Subject: Re: RBL-type BGP service for known rogue networks? On Thu, 6 Jul 2000, Dan Hollis wrote:
1) Someone sets up server X on company Y network and starts rooting sites. 2) company Y, once notified, refuses to shut down server X, even when its been CONFIRMED server X is indeed rooting sites. 3) company Y has a HISTORY of such attacks and refuses to take any action.
tin.it obviously fits all 3 criteria and thus would be blackholed. it might not get them to change their behaviour, but at least people who subscribe to the blackhole list wouldnt be rooted by tin.it customers
Except that any good script kid has root on numerous boxes. Just blocking a well known site full of rooted boxes probably won't do much good since they crack and scan from random boxes all over the world as they root them. ---------------------------------------------------------------------- Jon Lewis *jlewis@lewis.org*| I route System Administrator | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________