Re: RBL-type BGP service for known rogue networks?
On Thu, 6 Jul 2000 Valdis.Kletnieks@vt.edu wrote:
> On Thu, 06 Jul 2000 12:22:09 PDT, Dan Hollis said:
> > I'm not talking about spammer networks, I'm talking about script kiddie networks. We already have several systems for dealing with spammers but none for script kiddies. (I can't be the only person who sees a problem with this picture?)
> The biggest problem is that it's a lot easier to verify that a given site is a spamhaus. Remember that source IP addresses (which is all that your border router sees) are forgeable - making for a nice DOS attack. Forge packets from a competitor's site, get them labelled as a skriptz kiddie site, and BGP-blackholed.
DoS attacks with possible spoofed source addresses would obviously not be a good criterion to blackhole by... Unauthorized mass vulnerability scans, on the other hand, COULD be. You'd have to make sure that it wasn't just a spoofed SYN flood designed to look like a scan, and that there were actual successfully opened sockets (this is assuming TCP scans). For certain things this pretty much entails setting up a "bait" server, perhaps binding a range of IPs on it, to look for at least the "obvious" scans. I suspect not as many people as you would think are qualified to set up and accurately use this kind of system (the number of stupid and paranoid people who will complain about innocent behavior is almost as high as the number of stupid and unconcerned people out there who will be compromised).

-- 
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/humble
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
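A minimal form of the bait-host check sketched above (completed handshakes across several bait addresses count as a scan, SYN-only traffic is reported but never treated as scan evidence because its source may be spoofed), added here as an example and not code from the thread; the log format, the 198.51.100.0/28 bait range and the thresholds are assumptions:

```python
import ipaddress
from collections import defaultdict

# Constructed sample input (not from the thread): one record per TCP flow
# the bait host saw, as "src_ip dst_ip dst_port state". ESTABLISHED means
# the three-way handshake completed; SYN_ONLY means only a SYN arrived.
SAMPLE_LOG = """\
192.0.2.10 198.51.100.5 21 ESTABLISHED
192.0.2.10 198.51.100.5 23 ESTABLISHED
192.0.2.10 198.51.100.6 21 ESTABLISHED
192.0.2.10 198.51.100.6 23 ESTABLISHED
192.0.2.10 198.51.100.7 21 ESTABLISHED
192.0.2.10 203.0.113.1 80 ESTABLISHED
203.0.113.77 198.51.100.5 21 SYN_ONLY
203.0.113.77 198.51.100.5 22 SYN_ONLY
203.0.113.77 198.51.100.6 23 SYN_ONLY
203.0.113.77 198.51.100.7 25 SYN_ONLY
192.0.2.200 198.51.100.5 80 ESTABLISHED
"""

BAIT_NET = ipaddress.ip_network("198.51.100.0/28")  # assumed bait range


def classify_sources(log_text, bait_net=BAIT_NET, min_targets=4, min_hosts=2):
    """Map each source to 'scan', 'syn-only' or 'normal'. Only completed
    handshakes count toward a scan verdict, so a spoofed SYN flood cannot
    get an innocent address listed; SYN-only sources are reported separately."""
    established = defaultdict(set)  # src -> {(dst_ip, dst_port)}
    syn_only = defaultdict(set)
    for line in log_text.strip().splitlines():
        src, dst, port, state = line.split()
        if ipaddress.ip_address(dst) not in bait_net:
            continue  # only traffic aimed at the bait range is evidence
        bucket = established if state == "ESTABLISHED" else syn_only
        bucket[src].add((dst, int(port)))
    verdicts = {}
    for src in set(established) | set(syn_only):
        hits = established[src]
        hosts = {dst for dst, _ in hits}
        if len(hits) >= min_targets and len(hosts) >= min_hosts:
            verdicts[src] = "scan"  # real connections to several bait hosts
        elif not hits:
            verdicts[src] = "syn-only"  # could be spoofed; never blackhole
        else:
            verdicts[src] = "normal"
    return verdicts
```

On the sample, 192.0.2.10 is a scan (five completed connections on three bait hosts), 203.0.113.77 is syn-only, and 192.0.2.200 is a single ordinary connection.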
On Thu, 06 Jul 2000 16:02:19 EDT, "Richard A. Steenbergen" said:
> binding a range of IPs on it, to look for at least the "obvious" scans. I suspect not as many people as you would think are qualified to set up and accurately use this kind of system (the number of stupid and paranoid people who will complain about innocent behavior is almost as high as the number of stupid and unconcerned people out there who will be compromised).
Oh, I'm quite aware of how shallow the talent pool out there is - hell, if I got asked to review the SANS ddos roadmap white paper and top-ten list, there can't be THAT much kloo out there. ;) I get enough complaints from ZoneAlarm users who think that our NTP servers are scanning their ports 13, 37, and 137... ;)

-- 
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
On Thu, 6 Jul 2000, Richard A. Steenbergen wrote:
> DoS attacks with possible spoofed source addresses would obviously not be a good criterion to blackhole by... Unauthorized mass vulnerability scans, on the other hand, COULD be.
The criteria for the blackhole list:
1) Someone sets up server X on company Y network and starts rooting sites.
2) Company Y, once notified, refuses to shut down server X, even when it's been CONFIRMED server X is indeed rooting sites.
3) Company Y has a HISTORY of such attacks and refuses to take any action.
tin.it obviously fits all 3 criteria and thus would be blackholed. It might not get them to change their behaviour, but at least people who subscribe to the blackhole list wouldn't be rooted by tin.it customers.
-Dan
On Thu, 6 Jul 2000, Dan Hollis wrote:
> 1) Someone sets up server X on company Y network and starts rooting sites.
> 2) Company Y, once notified, refuses to shut down server X, even when it's been CONFIRMED server X is indeed rooting sites.
> 3) Company Y has a HISTORY of such attacks and refuses to take any action.
> tin.it obviously fits all 3 criteria and thus would be blackholed. It might not get them to change their behaviour, but at least people who subscribe to the blackhole list wouldn't be rooted by tin.it customers.
Except that any good script kid has root on numerous boxes. Just blocking a well known site full of rooted boxes probably won't do much good since they crack and scan from random boxes all over the world as they root them.
----------------------------------------------------------------------
 Jon Lewis *jlewis@lewis.org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
On Thu, 6 Jul 2000 jlewis@lewis.org wrote:
> Except that any good script kid has root on numerous boxes. Just blocking a well known site full of rooted boxes probably won't do much good since they crack and scan from random boxes all over the world as they root them.
You're arguing for shutting down RSS and RBL then.
-Dan