North American Network Operators Group


Re: RBL-type BGP service for known rogue networks?

  • From: Richard A. Steenbergen
  • Date: Thu Jul 06 21:42:06 2000

On Thu, 6 Jul 2000, Dan Hollis wrote:

>
> On Thu, 6 Jul 2000, Tony Mumm wrote:
> > I think that is similar to what you want....and it might be adequate
> > against scanners and other simple hacks.   I don't think it would be  
> > worth anything against a flood,
>
> The BL wouldn't try to block floods or DoS attacks. Its aim is to block
> sites which originate breakins.

"Script kiddie" sites come in 3 flavors, the script kiddies themselves
(dialups or cable modems for the 14 year olds), the "helper sites" aka the
sites run by those who are friends of the SKs or associated with them
(usually machines on college dorm ethernets or some 18 year old's "linux   
shell server" business project), and the compromised sites from which 
attacks are launched.

You'd probably have more luck just reporting the security breaches on the
hacked machines, I don't know too many places that will take NO action
against them assuming you can actually contact them (which can sometimes
be extremely difficult to do).
 
Getting the dialups will not be possible with this kind of a system, DHCP
makes it useless, and even sites with static addresses like most cable
modems will probably not be politically possible. Sometimes it's difficult
to form a proven association between the people behind the mischief and
the mischief itself, because after they lose one or two accounts they
generally catch on and try not to do it from their direct connections, but
it's possible.

The "helper sites" are questionable as well, I don't see this being viable
against university connections, and as for the "helper /24s" these are
almost always some 18 year old's attempt at a small business by colo'ing a
Linux server at some provider, paying a few hundred for a small
connection, etc. Most of these places receive as many attacks as they
generate (if any), and quickly get tossed by their providers.

I can think of very few actual networks who are entirely uncooperative
regarding provable issues, certainly not enough to make any kind of
impact in the grand scheme of things IMHO. While spam has an economic
motivation which can draw semi-legit networks into "bad" activities, SK
stuff generally does not. I think these are the reasons such a blackhole
list has never been done. An unresponsive smurf amplifier blackhole list
on the other hand, might be useful... but probably wouldn't have a huge
impact either these days...

-- 
Richard A Steenbergen <[email protected]>   http://www.e-gerbil.net/humble
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)