> On Thu, 6 Jul 2000, Dan Hollis wrote:
> > On Thu, 6 Jul 2000, Tony Mumm wrote:
> > I think that is similar to what you want... and it might be adequate against scanners and other simple hacks. I don't think it would be worth anything against a flood.
> The BL wouldn't try to block floods or DoS attacks. Its aim is to block sites which originate breakins.
"Script kiddie" sites come in 3 flavors: the script kiddies themselves (dialups or cable modems for the 14 year olds), the "helper sites" aka the sites run by those who are friends of the SKs or associated with them (usually machines on college dorm ethernets or some 18 year old's "linux shell server" business project), and the compromised sites from which attacks are launched.

You'd probably have more luck just reporting the security breaches on the hacked machines. I don't know too many places that will take NO action against them, assuming you can actually contact them (which can sometimes be extremely difficult to do).

Getting the dialups will not be possible with this kind of a system; DHCP makes it useless, and even sites with static addresses like most cable modems will probably not be politically possible. Sometimes it's difficult to form a proven association between the people behind the mischief and the mischief itself, because after they lose one or two accounts they generally catch on and try not to do it from their direct connections, but it's possible.

The "helper sites" are questionable as well. I don't see this being viable against university connections, and as for the "helper /24s", these are almost always some 18 year old's attempt at a small business by colo'ing a Linux server at some provider, paying a few hundred for a small connection, etc. Most of these places receive as many attacks as they generate (if any), and quickly get tossed by their providers.

I can think of very few actual networks who are entirely uncooperative regarding provable issues, certainly not enough to make any kind of impact in the grand scheme of things IMHO. While spam has an economic motivation which can draw semi-legit networks into "bad" activities, SK stuff generally does not. I think these are the reasons such a blackhole list has never been done. An unresponsive smurf amplifier blackhole list, on the other hand, might be useful... but probably wouldn't have a huge impact either these days...

--
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/humble
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
"Richard A. Steenbergen" wrote:
> Getting the dialups will not be possible with this kind of a system, DHCP makes it useless

Maybe yes, maybe no. If the ISP's dialups keep log files of connections and disconnections (and I hope that most of them do, for at least a few days), they should be able to correlate an IP address and timestamp with a login.

It is useful if you have your own logfiles to send in as part of the report, so they will have the IP addresses and timestamps. Without knowing the time of the attack, they won't be able to figure out which user had the IP address during the time of the attack. Be sure to keep your clock synchronized with reality so that your timestamps are meaningful.

The real hard part here is getting the ISP to do the search in the first place. But that's politics, not technology.

--
David
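The correlation David describes, as an added example that is not part of the thread: a dynamic-pool session log (a constructed, hypothetical layout; no real ISP's format) is matched against the complainant's IP address and timestamp. Both timestamps must carry a UTC offset, and a small skew allowance is applied so that an address reassigned right at a session boundary is reported as ambiguous rather than pinned on one user.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample of a dialup pool's session accounting log (hypothetical
# layout, not any real ISP's): "start,stop,ip,username", ISO 8601 timestamps
# with explicit UTC offsets; an empty stop means the user is still connected.
SESSION_LOG = """\
2000-07-06T01:12:03-04:00,2000-07-06T02:40:51-04:00,10.1.2.17,alice
2000-07-06T02:41:05-04:00,2000-07-06T03:10:00-04:00,10.1.2.17,bob
2000-07-06T02:30:00-04:00,2000-07-06T04:00:00-04:00,10.1.2.18,carol
2000-07-06T03:10:30-04:00,,10.1.2.17,dave
"""

@dataclass
class Session:
    start: datetime
    stop: Optional[datetime]
    ip: str
    user: str

def parse_sessions(text: str) -> List[Session]:
    sessions = []
    for line in text.splitlines():
        if line.strip():
            start, stop, ip, user = line.split(",")
            sessions.append(Session(datetime.fromisoformat(start),
                                    datetime.fromisoformat(stop) if stop else None,
                                    ip, user))
    return sessions

def attack_time(iso: str) -> datetime:
    """Parse the timestamp taken from the complainant's own log file."""
    return datetime.fromisoformat(iso)

def who_had_ip(sessions, ip, when, slop=timedelta(minutes=2)):
    """Usernames whose session on `ip` covered the instant `when`.
    `when` must carry a UTC offset so both sides' clocks are compared on a
    common basis. `slop` allows for small clock skew, which is why the result
    is a list: an address reassigned near a session boundary is ambiguous."""
    if when.tzinfo is None:
        raise ValueError("timestamp has no UTC offset; cannot correlate")
    hits = []
    for s in sessions:
        if s.ip != ip or when < s.start - slop:
            continue
        if s.stop is None or when <= s.stop + slop:
            hits.append(s.user)
    return hits
```

A report timestamp without an offset is refused outright, since an unsynchronized or zone-less clock is exactly what makes the search come back with the wrong user.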