North American Network Operators Group


Re: RBL-type BGP service for known rogue networks?

  • From: Richard A. Steenbergen
  • Date: Thu Jul 06 16:31:59 2000

On Thu, 6 Jul 2000 [email protected] wrote:

> On Thu, 06 Jul 2000 12:22:09 PDT, Dan Hollis said:
> > I'm not talking about spammer networks, I'm talking about script kiddie
> > networks. We already have several systems for dealing with spammers but
> > none for script kiddies. (I can't be the only person who sees a problem
> > with this picture?)
> 
> The biggest problem is that it's a lot easier to verify that a given site
> is a spamhaus.  Remember that source IP addresses (which is all that your
> border router sees) are forgeable - making for a nice DOS attack.  Forge 
> packets from a competitor's site, get them labelled as a skriptz kiddie site,
> and BGP-blackholed.
                                
DoS attacks with possibly spoofed source addresses would obviously not be
a good criterion to blackhole by... Unauthorized mass vulnerability scans, on
the other hand, COULD be. You'd have to make sure that it wasn't just a
spoofed SYN flood designed to look like a scan, and that there were actual
successfully opened sockets (this is assuming TCP scans). For certain
things this pretty much entails setting up a "bait" server, perhaps
binding a range of IPs on it, to look for at least the "obvious" scans. I
suspect not as many people as you would think are qualified to set up and
accurately use this kind of system (the number of stupid and paranoid
people who will complain about innocent behavior is almost as high as the
number of stupid and unconcerned people out there who will be
compromised).

-- 
Richard A Steenbergen <[email protected]>   http://www.e-gerbil.net/humble
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)
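The distinction the reply draws, that a bare SYN can carry any forged source address while a completed three-way handshake proves the sender actually received the bait host's replies, can be turned into a simple classifier over the bait server's connection log. The following Python is an added illustration written for this page, not code from the thread or from any NANOG participant; the log line format, the two thresholds, and the sample addresses are all constructed assumptions.

```python
"""Separate a genuine TCP scan (handshakes completed on many ports) from a
spoofed SYN flood dressed up as a scan, using per-attempt records from a
bait host.  Added example; record format and thresholds are assumptions."""
import re
from collections import defaultdict

# Thresholds are assumptions for the illustration, not from the thread.
MIN_COMPLETED_PORTS = 5    # distinct ports with a completed handshake -> verified scan
MIN_HALF_OPEN_PORTS = 20   # distinct ports hit by SYN only, nothing completed -> suspect spoofing

# Assumed record format: one line per TCP attempt the bait host saw.
# state=SYN means only a SYN arrived; state=EST means the 3-way handshake completed.
LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+)\s+dport=(?P<dport>\d+)\s+state=(?P<state>SYN|EST)"
)


def parse_record(line):
    """Return (src, dport, state) for a well-formed line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), int(m.group("dport")), m.group("state")


def classify_sources(lines):
    """Map each source address to one of:
       'verified_scan'           - completed handshakes on many distinct ports;
                                   the sender demonstrably received our SYN/ACKs
       'possible_spoofed_flood'  - many bare SYNs, no handshake ever completed;
                                   the source address cannot be trusted
       'unremarkable'            - anything else
    Only EST records count toward a scan verdict, because SYN-only records
    can be forged with any source address."""
    completed = defaultdict(set)   # src -> ports with a completed handshake
    half_open = defaultdict(set)   # src -> ports where a SYN was seen
    for line in lines:
        rec = parse_record(line)
        if rec is None:            # skip malformed lines rather than crash
            continue
        src, dport, state = rec
        if state == "EST":
            completed[src].add(dport)
        else:
            half_open[src].add(dport)

    verdicts = {}
    for src in set(completed) | set(half_open):
        done = len(completed[src])
        syn_only = len(half_open[src] - completed[src])
        if done >= MIN_COMPLETED_PORTS:
            verdicts[src] = "verified_scan"
        elif done == 0 and syn_only >= MIN_HALF_OPEN_PORTS:
            verdicts[src] = "possible_spoofed_flood"
        else:
            verdicts[src] = "unremarkable"
    return verdicts


# Constructed sample log (documentation address ranges, invented timestamps).
SCAN_PORTS = (21, 22, 23, 25, 53, 80, 110, 143)
SAMPLE_LOG = (
    # 192.0.2.10 sweeps eight services and completes the handshake on each.
    [f"2000-07-06T16:31:59 src=192.0.2.10 dport={p} state=SYN" for p in SCAN_PORTS]
    + [f"2000-07-06T16:31:59 src=192.0.2.10 dport={p} state=EST" for p in SCAN_PORTS]
    # 203.0.113.7 hits thirty ports with SYNs and nothing ever completes:
    # what a spoofed flood made to look like a scan leaves behind.
    + [f"2000-07-06T16:32:00 src=203.0.113.7 dport={p} state=SYN" for p in range(1000, 1030)]
    # 198.51.100.4 makes one ordinary web connection.
    + ["2000-07-06T16:32:01 src=198.51.100.4 dport=80 state=SYN",
       "2000-07-06T16:32:01 src=198.51.100.4 dport=80 state=EST"]
    # A line the parser should ignore.
    + ["2000-07-06T16:32:02 bait host restarted"]
)


if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{src:15} {verdict}")
```

The verdicts are only as good as the bait host's view: a completed handshake shows the sender could see replies addressed to that source, which rules out blind spoofing but not an on-path host, and the thresholds have to be tuned per site to keep the "innocent behavior" complaints the reply mentions from drowning out real hits.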