North American Network Operators Group


Re: RBL-type BGP service for known rogue networks?

  • From: Ville
  • Date: Fri Jul 07 00:18:54 2000

On Thu, 6 Jul 2000, Dan Hollis wrote:

> Is there any RBL-type BGP service for blackholing known rogue networks?
> Eg, networks which harbor script kiddies and refuse to take any action
> when notified of ongoing attacks?

I am not currently aware of one, but at least we [have] placed
considerable thought on providing it as an optional service for
some customers, especially the co-located servers.

Having been involved with some 'We are the good guys, and we
only try to help you.' abuse projects in the past, I'd say it
just isn't worth it. Addresses bounce, people have no clue how
they could help you, some *do* threaten you with lawsuits, the
list goes on... and yes, it's very time-consuming.

I think somebody already put it nicely - there's a certain
balance. All the sites offering the material, all the dialup-
spools they could access and all the networks with insecure
(individual) boxes. You take all of them out and there wouldn't
be many providers left.

You don't? Well, good bye filter-efficiency.

A very simple reason for seeing numerous scans all from the
same provider could be just the fact they are big. Very few of
us can probably claim to know all the major foreign providers
working in the cable/adsl/dialup-business.

For example tin.it - it's actually Telecom Italia. Blocking the
whole of it would be quite hilarious. BT next?

% host -l -a tin.it|wc -l # i know, this doesn't prove anything.
 156458
%

Perhaps they offer free dialups. *shiver* Anyway, even if they
were as friendly as ever, I doubt they could do much.

Personally I can't even remember their hostnames popping up in
(m)any of our log-analyzers. Very rarely do I recall seeing any
clear patterns in the IPs reported - the individual IPs do get
firewalled automatically here, for 48 (or 24) hours, as soon as
they turn up on the few decoys we have up.

As for abuse in general -

Better not forget the tens of thousands of open proxies on the
net. Connection to port 1080 (SOCKS) and tadah, free relays.

I'd rather waste my energy on dealing with law-enforcement to
actually get the baddies punished and castrated.

Or, alternatively, just hiring more people to take care of your
network/co-lo security. Worth it.


> -Dan

-- 
	Ville(viha\@cryptlink.net, 'Cryptlink Networking');

	// Information-Security Coordination && IPv6 Solutions
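Added example, not code from Ville's post or from Cryptlink: a sketch of the decoy-triggered temporary block the post describes, where an IP that hits a decoy is blocked for 48 (or 24) hours and then expires. The log format, decoy names and addresses are constructed assumptions; the point is that individual IPs get a time-limited block rather than whole provider netblocks.

```python
from datetime import datetime, timedelta
import ipaddress

BLOCK_HOURS = 48  # the post mentions 48 (or 24) hour blocks

# Constructed decoy log lines (assumed format, not a real product's):
#   "<ISO timestamp> decoy=<name> src=<ip>"
DECOY_LOG = """\
2000-07-06T21:02:11 decoy=dmz-honey src=192.0.2.17
2000-07-06T21:05:40 decoy=dmz-honey src=198.51.100.8
garbage line that should be skipped
2000-07-06T23:59:59 decoy=colo-honey src=192.0.2.17
2000-07-07T10:30:00 decoy=colo-honey src=203.0.113.77
"""

def parse_decoy_log(text):
    """Yield (timestamp, normalized source IP) per well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].startswith("src="):
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            ip = ipaddress.ip_address(parts[2][4:])  # validates the address
        except ValueError:
            continue
        yield ts, str(ip)

def build_blocklist(text, hours=BLOCK_HOURS):
    """Map each offending IP to the time its temporary firewall entry expires.
    A repeat hit on any decoy extends the block from the latest sighting."""
    expires = {}
    for ts, ip in parse_decoy_log(text):
        until = ts + timedelta(hours=hours)
        if ip not in expires or until > expires[ip]:
            expires[ip] = until
    return expires

def active_blocks(expires, now_iso):
    """Sorted list of IPs still blocked at the given ISO timestamp."""
    now = datetime.fromisoformat(now_iso)
    return sorted(ip for ip, until in expires.items() if until > now)

def expire_blocks(expires, now_iso):
    """Drop entries whose window has passed (what a periodic cleanup job would do)."""
    now = datetime.fromisoformat(now_iso)
    return {ip: until for ip, until in expires.items() if until > now}
```

Feeding the same log through with `hours=24` shows how much sooner the entries fall off, which is the trade-off the post's "48 (or 24)" hints at.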