North American Network Operators Group


Re: On-going Internet Emergency and Domain Names (kill this thread)

  • From: J. Oquendo
  • Date: Sun Apr 01 10:04:52 2007

On Sun, 1 Apr 2007, Mikael Abrahamsson wrote:

> If ISPs cannot be forced into running a 24/7/365 response function,
> I don't see the registry/registrars doing it.

Maybe if a body with the proper authority to penalize the ISPs were
in order this wouldn't be an issue. Look at BGP dampening and route
flaps for instance: something goes awry, the router is penalized.
A quick check, all goes well; if not, an added penalty is given.
Perhaps if some of these businesses were forced to get their acts in
order, many of these issues would not be occurring.

> Solving this at the DNS level is just silly; if you want to solve
> it, either you get to the core (block IP access, perhaps by BGP
> blacklisting) or go to level 8, i.e. the human level, and get these
> infected machines off the net permanently.

Solving this at the DNS level is a better idea than having to hope
that - by contacting someone clueful on level 8 - they'll 1) even
understand what you mean, 2) understand how to address the issue.

If you meant contacting the owner of the infected machine good luck.
If you meant contacting the provider of the owner of the ISP, even
better luck.

It's far easier to accomplish some form of DNS filtering to block out
infected machines, and even servers propagating infections.

I've contacted who knows how many administrators of infections on
their networks. Typically the response is "Contact our abuse team."
Which is understandable, as someone wants to keep in tune with
policy, but heck, some of these companies' policies are more of a
facade if you ask me. Within the next month, I will be posting the
networks, contacts, etc., of the dirtiest brute force pushing
networks I've seen. If needed, I will re-post some of the absurd
responses I've seen, like one from NASA... And no, it's no April
Fools' joke... So a NASA address is brute forcing a machine of
mine... I contact the admin listed on a whois and it gets sent
to a CISSP gentleman... His response: "We were doing some pen
testing on our networks..."

What? They were pentesting on their network, yet I managed to get
hit up in the mix. Right... It's not like the network connecting
to mine was typed in accidentally: my network was in the 208.x.x.x
range, theirs... Not even close.

> So Gadi, to accomplish what you want you need to propose to the
> ISPs all over the net that what you're trying to do is so
> important that some entity publishing a realtime blacklist is
> important enough that all major ISPs should subscribe to a BGP
> blackhole list from there. Also that this is important enough to
> seriously violate the distributed structure of the net today that
> has made it into the raging success it is today. It's not
> perfect, but it works, and it doesn't have a single point of
> failure.

Single point of failure? I'm sure many can point out multiple
points of failure. One thing I've been doing with my brute forcer
blacklist (if you want to call it this) is blocking entire net
blocks from accessing attacked machines. When admins contact me
wondering why their clients cannot connect, the answer is simple
for me. After a quick lookup of the bruteforcer list, I simply
tell them that one (or many) hosts on their network have been
ssh brute forcing some of my servers. Therefore their ENTIRE
range was blocked. Quite frankly, I don't care if I have to
block up to /6s (I've got one or two of APNIC's); I will do
whatever it takes to make sure my networks stay clean and
secure.

> ... and people have very bad experiences from blacklists
> not being maintained properly.

Funny you should mention... Nothing in this world has ever,
from the onset, been a perfect invention/creation. Does this
mean that if one implementation failed, the entire design
is flawed?


-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743

"How a man plays the game shows something of his
character - how he loses shows all" - Mr. Luckey
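The post above describes two mechanisms without showing either: a BGP-dampening-style penalty that grows with each offence and decays quietly, and a brute-forcer blacklist that widens a single offending host into its whole netblock. The following is an added example written for this page, not the poster's own tool or code. It reads sshd "Failed password" lines from syslog, keeps a per-source penalty that halves every HALF_LIFE seconds, suppresses a source once the penalty crosses SUPPRESS and releases it only after it decays below the lower REUSE threshold (the same hysteresis route-flap dampening uses), then widens suppressed hosts to their covering /24 when more than one of them sit in the same block and prints iptables rules. The thresholds, the /24 aggregation rule, the host and PID values, and the log lines themselves are all constructed assumptions; the only real interface used is iptables' INPUT chain syntax.

```python
"""Dampening-style SSH brute-force blocklist (added example, not the poster's tool).

Each failed login adds a fixed penalty to the source IP; the penalty decays
exponentially with a half-life, as a BGP route-flap penalty does.  A source is
suppressed once its penalty reaches SUPPRESS and released only after it has
decayed below the lower REUSE threshold, so a persistent brute forcer stays
blocked while a one-off typo never trips the filter.  Suppressed hosts are
then widened to their covering /24 when several of them share that block.
All thresholds, the /24 rule and the sample log lines are assumptions.
"""
import ipaddress
import re

PENALTY = 100.0        # added per failed login (assumed)
HALF_LIFE = 900.0      # seconds for a penalty to halve (assumed)
SUPPRESS = 450.0       # suppress once penalty reaches this (assumed: ~5 quick failures)
REUSE = 150.0          # release only after decaying below this (assumed)
MIN_HOSTS_PER_24 = 2   # widen to the /24 when this many of its hosts are suppressed (assumed)

# Syslog sshd line: "Apr  1 09:58:01 host sshd[pid]: Failed password for [invalid user ]X from IP port N ssh2"
FAILED_RE = re.compile(
    r"^\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d)\s+\S+\s+sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port \d+"
)

# Constructed sample log (documentation-range addresses, fictitious host/PIDs).
SAMPLE_LOG = """\
Apr  1 09:58:01 gw sshd[4011]: Failed password for root from 203.0.113.5 port 40221 ssh2
Apr  1 09:58:03 gw sshd[4011]: Failed password for root from 203.0.113.5 port 40222 ssh2
Apr  1 09:58:04 gw sshd[4013]: Failed password for invalid user admin from 203.0.113.5 port 40223 ssh2
Apr  1 09:58:06 gw sshd[4015]: Failed password for invalid user oracle from 203.0.113.5 port 40224 ssh2
Apr  1 09:58:09 gw sshd[4017]: Failed password for root from 203.0.113.5 port 40225 ssh2
Apr  1 09:58:20 gw sshd[4020]: Failed password for root from 203.0.113.77 port 51000 ssh2
Apr  1 09:58:21 gw sshd[4020]: Failed password for root from 203.0.113.77 port 51001 ssh2
Apr  1 09:58:23 gw sshd[4022]: Failed password for invalid user test from 203.0.113.77 port 51002 ssh2
Apr  1 09:58:25 gw sshd[4024]: Failed password for invalid user guest from 203.0.113.77 port 51003 ssh2
Apr  1 09:58:27 gw sshd[4026]: Failed password for root from 203.0.113.77 port 51004 ssh2
Apr  1 10:01:00 gw sshd[4030]: Failed password for jdoe from 198.51.100.9 port 33000 ssh2
Apr  1 10:01:30 gw sshd[4031]: Accepted password for jdoe from 198.51.100.9 port 33001 ssh2
Apr  1 10:03:00 gw sshd[4040]: Failed password for root from 192.0.2.200 port 60000 ssh2
Apr  1 10:03:01 gw sshd[4040]: Failed password for root from 192.0.2.200 port 60001 ssh2
Apr  1 10:03:02 gw sshd[4042]: Failed password for root from 192.0.2.200 port 60002 ssh2
Apr  1 10:03:03 gw sshd[4044]: Failed password for root from 192.0.2.200 port 60003 ssh2
Apr  1 10:03:04 gw sshd[4046]: Failed password for root from 192.0.2.200 port 60004 ssh2
"""


def parse_failures(log_text):
    """Yield (seconds_since_midnight, source_ip) per failed login.
    Syslog lines carry no year/zone, so all lines are assumed to be from one day."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            h, mi, s, ip = m.groups()
            yield int(h) * 3600 + int(mi) * 60 + int(s), ip


def decayed(penalty, elapsed):
    """Exponential decay: the penalty halves every HALF_LIFE seconds."""
    return penalty * 0.5 ** (elapsed / HALF_LIFE)


class Dampener:
    def __init__(self):
        self.state = {}  # ip -> (penalty, last_seen, suppressed)

    def _current(self, ip, now):
        """Decay the stored penalty to `now` and apply the release (reuse) rule."""
        penalty, last, suppressed = self.state.get(ip, (0.0, now, False))
        penalty = decayed(penalty, now - last)
        if suppressed and penalty < REUSE:
            suppressed = False  # hysteresis: release below REUSE, not below SUPPRESS
        return penalty, suppressed

    def hit(self, ip, ts):
        penalty, suppressed = self._current(ip, ts)
        penalty += PENALTY
        if penalty >= SUPPRESS:
            suppressed = True
        self.state[ip] = (penalty, ts, suppressed)

    def suppressed_at(self, now):
        out = set()
        for ip in list(self.state):
            penalty, suppressed = self._current(ip, now)
            self.state[ip] = (penalty, now, suppressed)
            if suppressed:
                out.add(ip)
        return out


def aggregate(ips):
    """Widen suppressed hosts to their /24 when MIN_HOSTS_PER_24 or more share it."""
    by_net = {}
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        by_net.setdefault(net, []).append(ipaddress.ip_network(f"{ip}/32"))
    blocks = []
    for net, hosts in by_net.items():
        blocks.extend([net] if len(hosts) >= MIN_HOSTS_PER_24 else hosts)
    return [str(b) for b in sorted(blocks)]


def build_blocklist(log_text, now=None):
    """Replay the log through the dampener; evaluate at `now` (default: last event)."""
    d = Dampener()
    last_ts = 0
    for ts, ip in parse_failures(log_text):
        d.hit(ip, ts)
        last_ts = ts
    return aggregate(d.suppressed_at(last_ts if now is None else now))


def iptables_rules(blocks):
    return [f"iptables -I INPUT -s {b} -p tcp --dport 22 -j DROP" for b in blocks]


if __name__ == "__main__":
    for rule in iptables_rules(build_blocklist(SAMPLE_LOG)):
        print(rule)
```

Run as-is it emits a /32 for the lone 192.0.2.200 and a /24 covering both 203.0.113.x hosts; the single jdoe failure at 198.51.100.9 never reaches SUPPRESS. Evaluating the same log 15 minutes after the last event still blocks all three (penalties have decayed but remain above REUSE), and 30 minutes after it blocks nothing, which is the quiet release that distinguishes dampening from a permanent blacklist.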