On Fri, May 17, 2002 at 01:00:52AM -0700, Dan Hollis <DH> said, in response to a message on Thu, 16 May 2002 by Dragos Ruiu <DR>: <DR> But how do you plan to arbitrate disputes about what merits blackholing <DR> and not on behalf of others? And what guidelines do you use to decide <DR> on how to initiate black holing? (not critical here, just curious?) there are no disputes. It's like using the RBL - what I decide to do with my network is my business. If somebody else doesn't like it, they can do business elsewhere. Everybody wants to do as they please on the Big Wide Net, but they also want to be able to tell everybody else how to play. Can't have it both ways. <DH> Thats the beauty here, one can provide multiple databases (eg rogue <DH> networks which refuse to shutdown their portscanners, proven spamhausen in <DH> bed with spammers, proven active attackers, etc.) and service providers <DH> can opt in as they like, and apply whatever policy to those routes that <DH> they like. The simple addition of a default action in the land mine/blackhole BGP idea would take away most of the protests, I think: after X scans, mail WHOIS contact for the network in question saying "You have scanned us. Please clean up your network, or risk being blackholed." If no response is received, and scans continue, blackhole. Simple as that, and puts responsibility back on the shoulders of the offending network. <DH> > Why are you sending funny packets? <DR> Any number of reasons... like I have a compromised host <DR> and I'm watching what it does before shutting it down... There's no point to what you have just said. When you find a machine has been rooted, unplug it from the network and commence forensic analysis. Knowingly allowing it to attack other networks is foolhardy at best. <DH> So you have a compromised host attacking sites, you know about it, and <DH> you're allowing it to continue. Whoops it just defaced a federal <DH> government site, and now it has your ip address all over it... <DH> I don't think i'd want to open myself to that kind of liability... <DH> When we catch compromised hosts, we cut their balls off instantly. <DR> Or maybe the packets don't look funny to me :-). <DR> Or perhaps the packets were so funny I thought I'd share. ;-) <DR> Humor is often in the eye of the beholder :-). <DH> Military networks arent well known for their sense of humor, and neither <DH> are federal interest sites... Neither are network operators whose networks are constantly under attack. This kind of thing loses its novelty the first time one of your machines is rooted and has to be wiped and rebuilt. Whether or not it's amusing to you is immaterial. If the person being scanned does not find it so, scans should cease, period. -- Scott Francis darkuncle@ [home:] d a r k u n c l e . n e t Systems/Network Manager sfrancis@ [work:] t o n o s . c o m GPG public key 0xCB33CCA7 illum oportet crescere me autem minui