RBL-type BGP service for known rogue networks?
Is there any RBL-type BGP service for blackholing known rogue networks? E.g., networks which harbor script kiddies and refuse to take any action when notified of ongoing attacks? For instance the network tin.it (194.243.154.0 - 194.243.155.255) appears to be rogue. -Dan
On Thu, 6 Jul 2000, Dan Hollis wrote:
Is there any RBL-type BGP service for blackholing known rogue networks? E.g., networks which harbor script kiddies and refuse to take any action when notified of ongoing attacks?
I am not currently aware of one, but at least we [have] placed considerable thought on providing it as an optional service for some customers, especially the co-located servers. Having been involved with some 'We are the good guys, and we only try to help you.' abuse projects in the past, I'd say it just isn't worth it. Addresses bounce, people have no clue how they could help you, some *do* threaten you with lawsuits, the list goes on... and yes, it's very time-consuming.

I think somebody already put it nicely - there's a certain balance. All the sites offering the material, all the dialup-spools they could access and all the networks with insecure (individual) boxes. You take all of them out and there wouldn't be many providers left. You don't? Well, goodbye filter-efficiency.

A very simple reason for seeing numerous scans all from the same provider could be just the fact they are big. Very few of us can probably claim to know all the major foreign providers working in the cable/adsl/dialup-business. For example tin.it - it's actually Telecom Italia. Blocking the whole of it would be quite hilarious. BT next?

% host -l -a tin.it|wc -l    # i know, this doesn't prove anything.
156458
%

Perhaps they offer free dialups. *shiver* Anyway, even if they were as friendly as ever, I doubt they could do much. Personally I can't even remember their hostnames popping up in (m)any of our log-analyzers. Very rarely do I recall seeing any clear patterns in the IPs reported - the individual IPs do get firewalled automatically here, for 48 (or 24) hours, as soon as they turn up on the few decoys we have up.

As for abuse in general - better not forget the tens of thousands of open proxies on the net. Connection to port 1080 (SOCKS) and tadah, free relays. I'd rather waste my energy on dealing with law-enforcement to actually get the baddies punished and castrated. Or, alternatively, just hiring more people to take care of your network/co-lo security. Worth it.
-- Ville(viha@cryptlink.net, 'Cryptlink Networking'); // Information-Security Coordination && IPv6 Solutions
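Ville's message describes two things worth seeing side by side: per-IP blocks that expire 48 hours after a host shows up on a decoy, and the collateral cost of blackholing a whole provider prefix instead (the tin.it /23 from Dan's post). The following is an added example, not code from the thread or from Cryptlink; the decoy log format, the 10.9.8.7 address and the helper names are constructed for illustration.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed decoy log lines (hypothetical format): "<ISO timestamp> <source IP> <dest port>".
# The 194.243.154/155 sources are the range named in the thread; 10.9.8.7 is a placeholder.
DECOY_LOG = """\
2000-07-06T03:12:44 194.243.154.17 23
2000-07-06T03:12:45 194.243.154.17 21
2000-07-06T11:40:02 194.243.155.201 111
2000-07-06T23:59:59 10.9.8.7 1080
"""

BLOCK_TTL = timedelta(hours=48)  # the 48-hour automatic firewall window from the post


def parse_decoy_hits(text):
    """Yield (timestamp, ip) pairs from the constructed decoy log."""
    for line in text.splitlines():
        ts, ip, _port = line.split()
        yield datetime.fromisoformat(ts), ip_address(ip)


def build_blocklist(hits, now, ttl=BLOCK_TTL):
    """Per-/32 blocks that expire `ttl` after the latest decoy hit from that IP.
    Returns {ip: expiry} for entries still live at `now`."""
    expiry = {}
    for ts, ip in hits:
        expiry[ip] = max(expiry.get(ip, ts + ttl), ts + ttl)
    return {ip: exp for ip, exp in expiry.items() if exp > now}


def live_blocks(log_text, now_iso, ttl=BLOCK_TTL):
    """Sorted list of still-blocked source IPs (as strings) at time `now_iso`."""
    now = datetime.fromisoformat(now_iso)
    return sorted(str(ip) for ip in build_blocklist(parse_decoy_hits(log_text), now, ttl))


def collateral(prefix, blocked_ips):
    """Cost of blackholing a whole prefix instead of the offending /32s:
    (addresses in prefix, addresses that hit a decoy, fraction blocked with no evidence)."""
    net = ip_network(prefix)
    offenders = sum(1 for ip in blocked_ips if ip_address(ip) in net)
    return net.num_addresses, offenders, 1 - offenders / net.num_addresses


if __name__ == "__main__":
    live = live_blocks(DECOY_LOG, "2000-07-07T12:00:00")
    print("blocked /32s:", live)
    print("blackholing 194.243.154.0/23 instead:", collateral("194.243.154.0/23", live))
```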
On Fri, 7 Jul 2000, Ville wrote:
Perhaps they offer free dialups. *shiver* Anyway, even if they were as friendly as ever, I doubt they could do much.
Right now they aren't doing ANYTHING. Their customers root and root and root, they don't do a damned thing. At least uunet, psi etc. shut down accounts when notified of abuse. But, this is looking like the big RBL debate all over again. Those who see value in it will subscribe to it, those who don't see value in it won't subscribe. All the debating in the world won't change people's minds. Those who are interested, contact me in private email. It's obvious nanog is the wrong forum for this. -Dan