On Thu, 6 Jul 2000, Dan Hollis wrote:
> Is there any RBL-type BGP service for blackholing known rogue networks? Eg, networks which harbor script kiddies and refuse to take any action when notified of ongoing attacks?
I am not currently aware of one, but at least we [have] placed considerable thought on providing it as an optional service for some customers, especially the co-located servers. Having been involved with some 'We are the good guys, and we only try to help you.' abuse projects in the past, I'd say it just isn't worth it. Addresses bounce, people have no clue how they could help you, some *do* threaten you with lawsuits, the list goes on... and yes, it's very time-consuming.

I think somebody already put it nicely - there's a certain balance. All the sites offering the material, all the dialup-spools they could access and all the networks with insecure (individual) boxes. You take all of them out and there wouldn't be many providers left. You don't? Well, goodbye filter-efficiency.

A very simple reason for seeing numerous scans all from the same provider could be just the fact they are big. Very few of us can probably claim to know all the major foreign providers working in the cable/adsl/dialup-business. For example tin.it - it's actually Telecom Italia. Blocking the whole of it would be quite hilarious. BT next?

% host -l -a tin.it|wc -l    # i know, this doesn't prove anything.
156458
%

Perhaps they offer free dialups. *shiver* Anyway, even if they were as friendly as ever, I doubt they could do much. Personally I can't even remember their hostnames popping up in (m)any of our log-analyzers. Very rarely do I recall seeing any clear patterns in the IPs reported - the individual IPs do get firewalled automatically here, for 48 (or 24) hours, as soon as they turn up on the few decoys we have up.

As for abuse in general - better not forget the tens of thousands of open proxies on the net. Connection to port 1080 (SOCKS) and tadah, free relays. I'd rather waste my energy on dealing with law-enforcement to actually get the baddies punished and castrated. Or, alternatively, just hiring more people to take care of your network/co-lo security. Worth it.
> -Dan
-- Ville(viha@cryptlink.net, 'Cryptlink Networking'); // Information-Security Coordination && IPv6 Solutions
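The message above mentions firewalling individual source addresses automatically for 48 (or 24) hours once they touch a decoy host. The following is an added example of that mechanism, not Ville's or Cryptlink's code: it parses decoy connection logs in an assumed syslog-like format (the sample lines are constructed, not real traffic), keeps a block list with per-address expiry that a fresh hit refreshes, exempts networks you never want to auto-block, and renders the live entries as iptables-style DROP rules. The log format, the field names, the exempt networks and the rule syntax are all assumptions for the illustration.

```python
"""Temporary auto-blocking of addresses that probe decoy hosts.

Added example, not the original poster's code. Log format, exempt
networks and firewall rule syntax are assumptions for illustration.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# The message mentions 48 (or 24) hours; 48 is used here.
BLOCK_TTL = timedelta(hours=48)

# Never auto-block these even if they show up on a decoy (own nets,
# RFC 1918 space). Assumed list for the example.
NEVER_BLOCK = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample decoy log in an assumed format:
#   <ISO timestamp> <decoy name> conn src=<ip> dport=<port>
# Includes a malformed line and a bogus address to show error handling.
SAMPLE_LOG = """\
2000-07-06T10:15:02+00:00 decoy1 conn src=192.0.2.17 dport=111
2000-07-06T10:15:03+00:00 decoy1 conn src=192.0.2.17 dport=139
2000-07-06T11:40:55+00:00 decoy2 conn src=198.51.100.200 dport=1080
2000-07-06T12:00:00+00:00 decoy1 conn src=10.0.0.5 dport=22
this line is malformed and must be skipped
2000-07-06T12:30:00+00:00 decoy2 conn src=not-an-ip dport=23
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<decoy>\S+) conn src=(?P<src>\S+) dport=(?P<port>\d+)$"
)


@dataclass(frozen=True)
class DecoyHit:
    when: datetime
    decoy: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    dport: int


def parse_decoy_log(text: str) -> list[DecoyHit]:
    """Parse decoy log lines; malformed lines and bad addresses are dropped."""
    hits: list[DecoyHit] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
            when = datetime.fromisoformat(m["ts"])
        except ValueError:
            continue  # unparsable address or timestamp: ignore the line
        hits.append(DecoyHit(when, m["decoy"], src, int(m["port"])))
    return hits


class BlockList:
    """Source addresses with an expiry time; a fresh hit refreshes it."""

    def __init__(self, ttl: timedelta = BLOCK_TTL) -> None:
        self.ttl = ttl
        self._expires = {}  # address -> datetime when the block lapses

    @staticmethod
    def exempt(addr) -> bool:
        return any(addr in net for net in NEVER_BLOCK)

    def ingest(self, hits: list[DecoyHit]) -> None:
        for h in hits:
            if self.exempt(h.src):
                continue
            until = h.when + self.ttl
            current = self._expires.get(h.src)
            if current is None or until > current:
                self._expires[h.src] = until  # new entry or extended timer

    def active(self, now: datetime) -> list[str]:
        """Addresses still blocked at `now`; expired entries are purged."""
        self._expires = {a: t for a, t in self._expires.items() if t > now}
        return sorted(str(a) for a in self._expires)

    def rules(self, now: datetime) -> list[str]:
        """iptables-style DROP rules for the live entries (assumed syntax)."""
        return [f"iptables -A INPUT -s {a} -j DROP" for a in self.active(now)]


def blocked_addresses(log_text: str, now_iso: str, ttl: timedelta = BLOCK_TTL) -> list[str]:
    """Convenience: addresses blocked at the given ISO timestamp for this log."""
    bl = BlockList(ttl)
    bl.ingest(parse_decoy_log(log_text))
    return bl.active(datetime.fromisoformat(now_iso))


def firewall_rules(log_text: str, now_iso: str, ttl: timedelta = BLOCK_TTL) -> list[str]:
    """Convenience: rendered rules at the given ISO timestamp for this log."""
    bl = BlockList(ttl)
    bl.ingest(parse_decoy_log(log_text))
    return bl.rules(datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for rule in firewall_rules(SAMPLE_LOG, "2000-07-07T00:00:00+00:00"):
        print(rule)
```

The exempt list is the part worth getting right in practice: an automatic blocker that can be fed a spoofed or misconfigured source address from your own address space will happily lock you out of your own hosts, so anything that ends up in the rule set should be checked against the networks you must never drop before it is written out.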