RE: RBL-type BGP service for known rogue networks?
I'm not talking about spammer networks, I'm talking about script kiddie networks. We already have several systems for dealing with spammers but none for script kiddies. (I can't be the only person who sees a problem with this picture?)
What I was saying is that they had already set up some type of blackhole system that I was led to believe they were doing at the router level (not mail system level). When they had us blackholed, we couldn't get past their core routers. I know your next thought is that they just threw us into their route filter, but my understanding is that they offered a service that you subscribed to and they updated the filter on the fly. Which sounds like it would work for what you may be looking for in the "kiddie script network" scenario (which I assume means either IRC crapola or DOS crapola in general) or those wonderful .ru sites serving out that hardcore kiddie porn stuff via cgi calls.

-----Original Message-----
From: Mark Borchers [mailto:mborchers@splitrock.net]
Sent: Thursday, July 06, 2000 12:30 PM
To: 'nanog@merit.edu'
Subject: RE: RBL-type BGP service for known rogue networks?

The picture of a script-kiddie-tolerant network eludes me. Do you have data to show that they are NOT evenly dispersed around the Internet?
-----Original Message-----
From: Dan Hollis [mailto:goemon@sasami.anime.net]
Sent: Thursday, July 06, 2000 2:22 PM
To: Karyn Ulriksen
Cc: 'nanog@merit.edu'
Subject: RE: RBL-type BGP service for known rogue networks?
I'm not talking about spammer networks, I'm talking about script kiddie networks. We already have several systems for dealing with spammers but none for script kiddies. (I can't be the only person who sees a problem with this picture?)
-Dan
Karyn Ulriksen wrote:
What I was saying is that they had already set up some type of blackhole system that I was led to believe they were doing at the router level (not mail system level). When they had us blackholed, we couldn't get past their core routers. I know your next thought is that they just threw us into their route filter, but my understanding is that they offered a service that you subscribed to and they updated the filter on the fly. Which sounds like it would work for what you may be looking for in the "kiddie script network" scenario (which I assume means either IRC crapola or DOS crapola in general) or those wonderful .ru sites serving out that hardcore kiddie porn stuff via cgi calls.
You can play tricks with BGP to do this. Here's how MAPS RBL does it, and how you can use it: http://www.mail-abuse.org/rbl/usage.html#BGP

Mark
-- Do not reply directly to this e-mail address --
Mark Mentovai
UNIX Engineer
Gillette Global Network
Karyn Ulriksen wrote:
What I was saying is that they had already set up some type of blackhole system that I was led to believe they were doing at the router level (not mail system level). When they had us blackholed, we couldn't get past their core routers. I know your next thought is that they just threw us into their route filter, but my understanding is that they offered a service that you subscribed to and they updated the filter on the fly.
I don't know if this is what you were observing, but the MAPS RBL can be used in this capacity. See also: http://www.mail-abuse.org/rbl/usage.html#BGP Of course, you'd want a different database for blocking script kiddies.

-- David
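Both Mark Mentovai and David Charlap above point at the MAPS RBL BGP feed as the model: you peer with the list operator, and whatever prefixes it announces get routed to the bit bucket. What the thread does not spell out is that a router accepting such a feed unfiltered will also blackhole whatever the feed gets wrong. The following is an added example, not code from the thread, from MAPS or from any feed operator: a local policy pass over a received prefix list before it is turned into null routes. The feed format (one CIDR per line with `#` comments), the policy thresholds, the `LOCAL_SPACE` value and the sample prefixes are all assumptions made for illustration.

```python
"""Local policy filter for prefixes received from a subscribed blackhole feed.

Added example; not code from the original thread, from MAPS or from any
feed operator.  The feed format (one CIDR prefix per line, '#' comments),
the policy thresholds and the sample prefixes are assumptions.
"""
import ipaddress

# Constructed sample of a feed delivery (assumption, not real feed data).
SAMPLE_FEED = """\
# prefixes the feed wants null-routed
203.0.113.0/24
203.0.113.128/25
198.51.100.77/32
192.0.2.0/28
192.168.1.0/24
10.0.0.0/8
0.0.0.0/0
not-a-prefix
"""

# Address space that must never be blackholed, whatever the feed says
# (constructed value standing in for your own allocations).
LOCAL_SPACE = [ipaddress.ip_network("192.0.2.0/24")]

# Reserved/bogon space a remote feed has no business telling you about.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Anything shorter than this is too much collateral damage to accept
# automatically; a feed announcing a /8 is a feed problem, not a kiddie problem.
MIN_PREFIXLEN = 24


def parse_feed(text):
    """Split a feed into (networks, rejected); rejected is [(line, reason)]."""
    nets, rejected = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=True))
        except ValueError:
            rejected.append((line, "malformed"))
    return nets, rejected


def apply_policy(nets, local_space=LOCAL_SPACE, min_prefixlen=MIN_PREFIXLEN):
    """Return (accepted, rejected).  accepted is collapsed, so a /25 already
    covered by an accepted /24 does not become a second null route."""
    accepted, rejected = [], []
    for net in nets:
        if net.version != 4:
            rejected.append((str(net), "not IPv4"))
        elif net.prefixlen < min_prefixlen:
            rejected.append((str(net), "too broad"))
        elif any(net.overlaps(b) for b in BOGONS):
            rejected.append((str(net), "reserved or bogon"))
        elif any(net.overlaps(local) for local in local_space):
            rejected.append((str(net), "overlaps local address space"))
        else:
            accepted.append(net)
    return list(ipaddress.collapse_addresses(accepted)), rejected


def null_routes(accepted):
    """Render accepted prefixes as (network, netmask) pairs, the shape a
    static null route on most routers wants."""
    return [(str(n.network_address), str(n.netmask)) for n in accepted]


if __name__ == "__main__":
    nets, bad = parse_feed(SAMPLE_FEED)
    accepted, rejected = apply_policy(nets)
    for net, mask in null_routes(accepted):
        print(f"blackhole {net} {mask}")
    for entry, why in bad + rejected:
        print(f"rejected {entry}: {why}")
```

Run as-is, the sample feed yields two null routes (198.51.100.77/32 and 203.0.113.0/24, with the covered /25 folded in) and rejects the /8, the default route, the RFC 1918 block, the entry inside your own space and the malformed line. The order of the checks matters: the scope test runs before the overlap tests so that 0.0.0.0/0 is reported as "too broad" rather than as overlapping everything.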
David Charlap <david.charlap@marconi.com> wrote
I don't know if this is what you were observing, but the MAPS RBL can be used in this capacity. See also:
http://www.mail-abuse.org/rbl/usage.html#BGP
Of course, you'd want a different database for blocking script kiddies.
-- David
I think that is similar to what you want....and it might be adequate against scanners and other simple hacks. I don't think it would be worth anything against a flood, the flood isn't going to care that it sees nothing coming back from your network. It might discourage someone if they see no ECHO_REPLYs coming back from their 10 Mbit smurf....but it probably wouldn't be long before they just stop caring. Tony
On Thu, 6 Jul 2000, Tony Mumm wrote:
I think that is similar to what you want....and it might be adequate against scanners and other simple hacks. I don't think it would be worth anything against a flood,
The BL wouldn't try to block floods or DoS attacks. Its aim is to block sites which originate breakins. -Dan
Dan Hollis wrote:
The BL wouldnt try to block floods or DoS attacks. Its aim is to block sites which originate breakins.
If break-ins is what you're trying to avoid, a blacklist would be a terrible idea. The proper way to prevent break-ins is not to block communications with certain sites, but to fix broken software and poorly configured systems so that any break-in attempts will be unsuccessful. A blacklist would only encourage your would-be attacker to employ additional intermediaries, thereby potentially causing more damage for more people while making the ultimate source more difficult to trace. It would also give operators a false sense of security, an attitude which could lead to thoughtless setups acting as havens for the very break-ins your proposed blacklist is intended to combat.

Mark
-- Do not reply directly to this e-mail address --
Mark Mentovai
UNIX Engineer
Gillette Global Network
On Thu, Jul 06, 2000 at 07:35:19PM -0400, Mark Mentovai wrote:
If break-ins is what you're trying to avoid, a blacklist would be a terrible idea. The proper way to prevent break-ins is not to block communications with certain sites, but to fix broken software and poorly configured systems so that any break-in attempts will be unsuccessful. A blacklist would only encourage your would-be attacker to employ additional intermediaries, thereby potentially causing more damage for more people while making the ultimate source more difficult to trace.
If your attacker is somebody who decided he wanted in your site no matter what, and is engaged in a concerted attack on specifically you, that might be true. If your attacker is Joe Random Script Kiddie, who spotted you running Vulnerability Of the Week and is trying the few exploits he could get to compile, you're wrong. The most effective anti-hacking measure I ever undertook was blocking the entire .kr domain in hosts.deny. It cut attempts by more than 50%. (Before anybody jumps on me, the network in question had no users with a legitimate need to connect from Korea, and your mileage almost assuredly varies.)
On Thu, Jul 06, 2000 at 04:07:07PM -0500, Tony Mumm wrote:
I think that is similar to what you want....and it might be adequate against scanners and other simple hacks. I don't think it would be worth anything against a flood, the flood isn't going to care that it sees nothing coming back from your network. It might discourage someone if they see no ECHO_REPLYs coming back from their 10 Mbit smurf....but it probably wouldn't be long before they just stop caring.
The idea would be to throw away the valid packets so that their real customers complained.

-- 
John Payne http://www.sackheads.org/jpayne/ john@sackheads.org
http://www.sackheads.org/uce/ Fax: +44 870 0547954
340% tax? http://www.boycott-the-pumps.com/
On Thu, 06 Jul 2000 15:48:03 PDT, John Payne <john@sackheads.org> said:
The idea would be to throw away the valid packets so that their real customers complained.
Either the site is run by the kiddies, so they ARE the real customers and won't care, or they're infested with kiddies in which case they're probably clueless enough that customer complaints won't change anything....

-- 
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
On Thu, 6 Jul 2000 Valdis.Kletnieks@vt.edu wrote:
On Thu, 06 Jul 2000 15:48:03 PDT, John Payne <john@sackheads.org> said:
The idea would be to throw away the valid packets so that their real customers complained. Either the site is run by the kiddies, so they ARE the real customers and won't care, or they're infested with kiddies in which case they're probably clueless enough that customer complaints won't change anything....
Or they are just complacent and require customer complaints to get them to actually take action (RBL RSS etc works wonders) -Dan
On Thu, 6 Jul 2000, Dan Hollis wrote: [...]
Or they are just complacent and require customer complaints to get them to actually take action (RBL RSS etc works wonders)
Do you have any plan to implement a kiddie blackhole system, or is all this an extended squeak?

-- 
Christopher Palmer : Random Coding Guy : bitstream.net
On Fri, Jul 07, 2000 at 12:12:54PM -0500, Christopher Palmer wrote:
Or they are just complacent and require customer complaints to get them to actually take action (RBL RSS etc works wonders)
Do you have any plan to implement a kiddie blackhole system, or is all this an extended squeak?
If y'all do, Dan Bernstein has a lovely tool for doing just that as part of his djbdns package. I believe it's called rbldns or something similar. Ummm... Yeah. Here's a link: http://cr.yp.to/djbdns/rbldns.html

Ben
-- 
The spectre of a polity controlled by the fads and whims of voters who actually believe that there are significant differences between Bud Lite and Miller Lite, and who think that professional wrestling is for real, is naturally alarming to people who don't. -- Neal Stephenson
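Ben's pointer to rbldns covers the serving side of an IP-keyed DNS blocklist. The client side is the part a subscriber has to get right, so here is an added example (not code from the thread and not part of djbdns) of the lookup: the address octets are reversed and prefixed to the zone name, an A record in 127.0.0.0/8 means "listed", and no record means "not listed". It also performs the RFC 5782 sanity probe (127.0.0.2 must be listed, 127.0.0.1 must not) before trusting a zone, because a zone that has been shut down or parked will often answer for every name, and a naive client would then block the entire Internet. The zone names `kiddies.example` and `parked.example`, the fake resolver and its data are constructed for illustration; `resolve` is a pluggable callable so the example runs offline.

```python
"""DNSBL lookup against an rbldns-style IP zone.

Added example; not code from the original thread or from djbdns.  The zone
names, the fake resolver and its data are constructed for illustration.
"""
import ipaddress

LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Build the query name: octets reversed, then the zone, e.g.
    198.51.100.77 in zone.example -> 77.100.51.198.zone.example."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError if not IPv4
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone.rstrip('.')}."


def dnsbl_check(ip, zone, resolve):
    """Classify an address as ('listed', codes), ('not_listed', None) or
    ('zone_error', bad_answer).  `resolve(name)` returns the A records for
    name as strings, or [] when the name does not exist (NXDOMAIN)."""
    answers = resolve(dnsbl_query_name(ip, zone))
    if not answers:
        return ("not_listed", None)
    for a in answers:
        # A listing is an address in 127.0.0.0/8; anything else means the
        # zone is parked, wildcarded or otherwise not behaving as a DNSBL,
        # and must not be read as "listed".
        if ipaddress.IPv4Address(a) not in LISTED_RANGE:
            return ("zone_error", a)
    return ("listed", answers)


def zone_is_sane(zone, resolve):
    """RFC 5782 test points: 127.0.0.2 must be listed, 127.0.0.1 must not.
    A zone failing either is not safe to act on."""
    positive = dnsbl_check("127.0.0.2", zone, resolve)[0] == "listed"
    negative = dnsbl_check("127.0.0.1", zone, resolve)[0] == "not_listed"
    return positive and negative


# --- constructed stand-in for a DNS resolver, so this runs offline ---------
FAKE_ZONE_DATA = {
    "77.100.51.198.kiddies.example.": ["127.0.0.2"],
    "2.0.0.127.kiddies.example.": ["127.0.0.2"],    # RFC 5782 test entry
}


def fake_resolve(name):
    """Assumption: a dead/parked zone that answers every name with an
    ordinary address, next to a healthy zone backed by FAKE_ZONE_DATA."""
    if name.endswith(".parked.example."):
        return ["198.51.100.1"]
    return FAKE_ZONE_DATA.get(name, [])


if __name__ == "__main__":
    for zone in ("kiddies.example", "parked.example"):
        print(zone, "sane" if zone_is_sane(zone, fake_resolve) else "BROKEN")
    print(dnsbl_check("198.51.100.77", "kiddies.example", fake_resolve))
```

To use it against a real zone, replace `fake_resolve` with a function that performs the A lookup and returns `[]` on NXDOMAIN; the rest of the logic, in particular refusing to act on a zone that fails the test points, stays the same.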
On Fri, 7 Jul 2000, Christopher Palmer wrote:
On Thu, 6 Jul 2000, Dan Hollis wrote: [...]
Or they are just complacent and require customer complaints to get them to actually take action (RBL RSS etc works wonders)
Do you have any plan to implement a kiddie blackhole system, or is all this an extended squeak?
Im discussing it offlist with interested parties right now. -Dan
On Thu, Jul 06, 2000 at 05:10:19PM -0700, Dan Hollis wrote:
On Thu, 6 Jul 2000, John Payne wrote:
The idea would be to throw away the valid packets so that their real customers complained.
This is exactly why RSS and RBL work.
And UDPs. Collateral damage works wonders.

-- 
John Payne http://www.sackheads.org/jpayne/ john@sackheads.org
http://www.sackheads.org/uce/ Fax: +44 870 0547954
340% tax? http://www.boycott-the-pumps.com/
On Thu, 6 Jul 2000, Tony Mumm wrote:
David Charlap <david.charlap@marconi.com> wrote
I don't know if this what you were observing, but the MAPS RBL can be used in this capacity. See also:
http://www.mail-abuse.org/rbl/usage.html#BGP
Of course, you'd want a different database for blocking script kiddies.
-- David
I think that is similar to what you want....and it might be adequate against scanners and other simple hacks. I don't think it would be worth anything against a flood, the flood isn't going to care that it sees nothing coming back from your network. It might discourage someone if they see no ECHO_REPLYs coming back from their 10 Mbit smurf....but it probably wouldn't be long before they just stop caring.
Technically, no one would see ECHO_REPLYs coming back from any type of smurf, no matter the size. It's just the nature of the beast.

My personal belief is that blocking people who port scan is a silly thing. At least, according to federal law, port scanning isn't illegal. Your state might have loosely worded statutes that cover it, but that's another matter. Also, it's possible to forge every type of stealth scan known to man, because the scan is really only one packet with different TCP options set. No three-way handshake, and therefore no real proof. The only scan that shouldn't be possible to spoof (how secure are your TCP sequence numbers?) is a TCP connect scan. Of course, this is all moot if you're talking about vulnerability scanners that just churn through IP space, and in that case, please feel free to ignore me.

I'm beginning to take a liking to Marcus Ranum's idea of taking these matters into civil court. He joked at USENIX that he'd probably make a killing if he just did referrals to high-paid lawyers for people looking to take script kiddies and their parents to court. It's really not that hard to track these kids down, thanks to their IRC usage. I had tracked mosthateD down to his street address before he was raided. Of course, it was somewhat personal, and he lived not too far from where I grew up. Also, in his case, it's probably worth noting that there probably wasn't much to get from him or his mother in court, even if she did go out and buy him another computer the day after he got raided and praised him for being "so smart" on 20/20. Smart people don't generally deface web pages, or get caught.

skript kiddie crackers are only a threat because enough of them haven't been hit with a sufficiently large physical or monetary lart. let the larting begin.

__
joseph w. shaw
sr. security specialist
some company that isn't associated with this account
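Joe Shaw's point above is the one a blocklist operator has to keep in mind before adding a source address on the strength of a scan: SYN, FIN, NULL and Xmas probes are single packets with a source address anyone can write, while a TCP connect scan completes the handshake, which (barring guessable initial sequence numbers) shows the scanner actually received the SYN/ACK at that address. The following is an added example, not code from the thread or from any scanner or IDS, that applies that distinction to a packet summary before anything is blocked. The line format (`<time> <src>:<sport> > <dst>:<dport> <flags>`, tcpdump-style flag letters), the sample traffic and the port threshold are constructed assumptions. It handles the three cases the message names (single-packet flag probes, SYN-only scans, completed handshakes) and also counts unsolicited ACKs as probes.

```python
"""Separate spoofable single-packet scans from completed-handshake scans.

Added example; not code from the original thread or from any scanner or IDS.
The packet-summary line format and the sample traffic are constructed.
Line format (assumption): "<time> <src>:<sport> > <dst>:<dport> <flags>"
with tcpdump-style flag letters S, A, F, P, R, U (e.g. "SA" for SYN/ACK).
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+>\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+([SAFPRU]+)$"
)

# Constructed capture: one SYN scanner, one connect scanner and one FIN/Xmas
# prober (claiming an address inside the target's own /24), all against
# the host 192.0.2.10.
SAMPLE_PACKETS = """\
10:00:00.001 198.51.100.9:40001 > 192.0.2.10:22 S
10:00:00.002 198.51.100.9:40002 > 192.0.2.10:80 S
10:00:00.003 198.51.100.9:40003 > 192.0.2.10:443 S
10:00:00.004 192.0.2.10:22 > 198.51.100.9:40001 SA
10:00:00.005 192.0.2.10:80 > 198.51.100.9:40002 SA
10:00:00.006 192.0.2.10:443 > 198.51.100.9:40003 RA
10:00:01.001 203.0.113.44:50001 > 192.0.2.10:22 S
10:00:01.002 192.0.2.10:22 > 203.0.113.44:50001 SA
10:00:01.003 203.0.113.44:50001 > 192.0.2.10:22 A
10:00:01.004 203.0.113.44:50002 > 192.0.2.10:80 S
10:00:01.005 192.0.2.10:80 > 203.0.113.44:50002 SA
10:00:01.006 203.0.113.44:50002 > 192.0.2.10:80 A
10:00:02.001 192.0.2.77:1024 > 192.0.2.10:21 F
10:00:02.002 192.0.2.77:1024 > 192.0.2.10:23 FPU
10:00:02.003 192.0.2.77:1024 > 192.0.2.10:25 F
"""

# Distinct ports one source must touch before we call it a scan (assumption).
SCAN_PORT_THRESHOLD = 2


def parse_packets(text):
    """Yield (ts, src, sport, dst, dport, flags) tuples; skip unparseable lines."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, sport, dst, dport, flags = m.groups()
            pkts.append((ts, src, int(sport), dst, int(dport), set(flags)))
    return pkts


def classify_sources(text, threshold=SCAN_PORT_THRESHOLD):
    """Return {source_ip: {'ports': n, 'kind': kind}} for every source that
    touched at least `threshold` distinct ports.  kind is one of:
      'connect_scan' - a three-way handshake completed, so the source really
                       received our SYN/ACK (unless our ISNs are guessable)
      'syn_scan'     - SYNs only, never acknowledged: trivially spoofable
      'flag_probe'   - FIN/NULL/Xmas/ACK probes with no handshake at all
    """
    flow_state = {}                 # (client, cport, server, sport) -> state
    touched = defaultdict(set)      # source -> {dport}
    for _ts, src, sport, dst, dport, flags in parse_packets(text):
        fwd = (src, sport, dst, dport)
        rev = (dst, dport, src, sport)
        if "S" in flags and "A" not in flags:            # SYN opens a flow
            flow_state[fwd] = "syn"
            touched[src].add(dport)
        elif rev in flow_state and "S" in flags and "A" in flags:
            if flow_state[rev] == "syn":                 # server's SYN/ACK
                flow_state[rev] = "synack"
        elif fwd in flow_state and "A" in flags:
            if flow_state[fwd] == "synack":              # client's final ACK
                flow_state[fwd] = "established"
        elif fwd in flow_state or rev in flow_state:
            pass                                         # RST/FIN/data of a tracked flow
        else:
            # No SYN and no flow we know of: FIN/NULL/Xmas/ACK probe (or
            # backscatter).  One packet, any source address, no proof.
            touched[src].add(dport)

    established = {c for (c, _cp, _s, _sp), st in flow_state.items() if st == "established"}
    opened = {c for (c, _cp, _s, _sp) in flow_state}
    report = {}
    for src, ports in touched.items():
        if len(ports) < threshold:
            continue
        if src in established:
            kind = "connect_scan"
        elif src in opened:
            kind = "syn_scan"
        else:
            kind = "flag_probe"
        report[src] = {"ports": len(ports), "kind": kind}
    return report


if __name__ == "__main__":
    for src, info in sorted(classify_sources(SAMPLE_PACKETS).items()):
        print(f"{src:16} {info['ports']} ports  {info['kind']}")
```

On the sample capture the SYN scanner and the FIN/Xmas prober both come out as unverified single-packet sources, and only 203.0.113.44 is reported as a connect scan. A list built from the first two categories is a list of addresses somebody chose to write into a packet, which is exactly the "more intermediaries, harder to trace" problem Mark Mentovai raises earlier in the thread.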
participants (11)
- Ben Beuchler
- Christopher Palmer
- Dan Hollis
- David Charlap
- Joe Shaw
- John Payne
- Karyn Ulriksen
- Mark Mentovai
- Shawn McMahon
- Tony Mumm
- Valdis.Kletnieks@vt.edu