On Sun, 1 Apr 2007, Mikael Abrahamsson wrote:
> If ISPs cannot be forced into running a 24/7/365 response function, I don't see the registry/registrars doing it.
Maybe if a body with the proper authority to penalize the ISPs were in place, this wouldn't be an issue. Look at BGP dampening and route flaps, for instance: something goes awry, the router is penalized. A quick check, all goes well; if not, an added penalty is given. Perhaps if some of these businesses were forced to get their acts in order, many of these issues would not be occurring.
> Solving this at the DNS level is just silly. If you want to solve it, either you get to the core (block IP access, perhaps by BGP blacklisting) or go to level 8, i.e. the human level, and get these infected machines off the net permanently.
Solving this at the DNS level is a better idea than having to hope that - by contacting someone clueful on level 8 - they'll 1) even understand what you mean, 2) understand how to address the issue. If you meant contacting the owner of the infected machine, good luck. If you meant contacting the provider of the owner of the ISP, even better luck. It's far easier to accomplish some form of DNS filtering to block out infected machines, and even servers propagating infections. I've contacted who knows how many administrators of infections on their networks. Typically the response is "Contact our abuse team." Which is understandable, being that someone wants to keep in tune with policy, but heck, some of these companies' policies are more of a facade if you ask me. Within the next month, I will be posting the networks, contacts, etc., of the dirtiest brute force pushing networks I've seen. If needed, I will re-post some of the absurd responses I've seen, like one from NASA... And no, it's no April Fools' joke... So a NASA address is brute forcing a machine of mine... I contact the admin listed on a whois and it gets sent to a CISSP gentleman... His response: "We were doing some pen testing on our networks..." What? They were pentesting on their network, yet I managed to get hit up in the mix. Right... It's not like the network connecting to mine was typed in accidentally; my network was in the 208.x.x.x range, theirs... Not even close.
> So Gadi, to accomplish what you want you need to propose to the ISPs all over the net that what you're trying to do is so important that some entity publishing a real-time blacklist is important enough that all major ISPs should subscribe to a BGP blackhole list from there. Also that this is important enough to seriously violate the distributed structure of the net today that has made it into the raging success it is today. It's not perfect, but it works, and it doesn't have a single point of failure.
Single point of failure? I'm sure many can point out multiple points of failure. One thing I've been doing with my brute forcer blacklist (if you want to call it this) is blocking entire net blocks from accessing attacked machines. When admins contact me wondering why their clients cannot connect, the answer is simple for me. After a quick lookup of the bruteforcer list, I simply tell them that one (or many) hosts on their network have been ssh brute forcing some of my servers. Therefore their ENTIRE range was blocked. Quite frankly, I don't care if I have to block up to /6's (I've got one or two of APNIC's); I will do whatever it takes to make sure my networks stay clean and secure.
> ... and people have very bad experiences from blacklists not being maintained properly.
Funny you should mention... Nothing in this world has ever from the onset been a perfect invention/creation. Does this mean that if one implementation failed, the entire design is flawed?

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743

"How a man plays the game shows something of his character - how he loses shows all" - Mr. Luckey
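As an added illustration of the blacklist-by-range approach argued over in this thread (example code written for this page, not the poster's own tooling): the script below counts failed-password attempts per source in constructed sshd log lines, lists the hosts over a threshold, collapses them to the enclosing /24 the way the reply describes blocking "their ENTIRE range", and answers the question an admin would ask, whether a given client falls inside a blocked prefix. The log lines, addresses and threshold are all made up for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sshd log lines (not from the original message); documentation
# address ranges are used so nothing here points at a real network.
SAMPLE_AUTH_LOG = """\
Apr  1 03:12:01 host sshd[2231]: Failed password for root from 198.51.100.7 port 40122 ssh2
Apr  1 03:12:03 host sshd[2231]: Failed password for root from 198.51.100.7 port 40123 ssh2
Apr  1 03:12:05 host sshd[2233]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
Apr  1 03:12:09 host sshd[2240]: Failed password for invalid user oracle from 198.51.100.9 port 51002 ssh2
Apr  1 03:13:40 host sshd[2251]: Accepted publickey for alice from 203.0.113.5 port 52010 ssh2
Apr  1 03:14:02 host sshd[2260]: Failed password for bob from 203.0.113.5 port 52044 ssh2
"""

# Matches both "Failed password for root from ..." and "... for invalid user X from ..."
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def count_failures(log_text):
    """Return a Counter of failed-password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def brute_forcers(log_text, threshold=3):
    """Sources at or above `threshold` failures: the per-host blacklist."""
    return sorted(ip for ip, n in count_failures(log_text).items() if n >= threshold)

def covering_prefixes(addresses, prefixlen=24):
    """Collapse offending hosts to their enclosing prefix, i.e. the whole-range
    block the reply describes. Every other host in that prefix is blocked too,
    which is the collateral damage the other side of the thread objects to."""
    return sorted({str(ip_network(f"{ip}/{prefixlen}", strict=False)) for ip in addresses})

def is_blocked(address, prefixes):
    """Answer the admin's question: does this client sit inside a blocked range?"""
    return any(ip_address(address) in ip_network(p) for p in prefixes)

if __name__ == "__main__":
    hosts = brute_forcers(SAMPLE_AUTH_LOG)
    prefixes = covering_prefixes(hosts)
    print("offending hosts:", hosts)
    print("blocked prefixes:", prefixes)
    print("198.51.100.200 blocked?", is_blocked("198.51.100.200", prefixes))
```

Raising `prefixlen` toward the /6 figures mentioned in the reply widens the block accordingly; the `is_blocked` check shows how many uninvolved neighbours that sweeps in.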