[Dshield] Re.: Hacker Blocks

Johannes B. Ullrich jullrich at sans.org
Mon Mar 11 23:42:23 GMT 2002

   I did put together a list a few months back, but haven't updated
it lately (http://feeds.dshield.org/block.txt... may not be up
right now as it is kind of out of date).

   It really comes down to overall good security practices:

- For your network, the multitude of Nimda scans are not the
  threat, but the single determined hacker or the latest new
  worm for which you haven't patched yet.
- The more narrowly you can define your user groups, the better
  you can limit access. Overall, you should not block a network
  because you suspect it is full of crackers, but you should
  block a network because you do not expect legitimate access
  from it.

> Previous messages received from dshield.org by the RIPE NCC
>  have either been errors on dshield.org's side, or errors in
>   the RIPE database. In all 8 such cases, the problem was
>   responded and dealt with by RIPE NCC staff, with no further
>   response from dshield.org received.

  We use the whois databases (arin, apnic, ripe, kornet, twnic...)
as our primary source for contact addresses. Replies to these
messages are automatically prefiltered (bounces, autoreplies). 
Corrections are made as we receive them. I usually try to send
back a quick response (8 cases is actually fewer than I
expected; we send > 1000 emails each day).

  My dream is to have a great authoritative contact database that
would get me to a network admin based on IP address. I know
that the registrars are fighting hard to keep their databases
up to date and correct. But on the other hand, spammers regularly
harvest these databases and it is hard for the registrars to
balance privacy and the need for a contact.

  In no way are IP registrars responsible for the use of the
IP space they administer. They only act as a 'bookkeeper'. It
is up to the respective ISPs to act responsibly.

  Anyway... it's a difficult subject and always makes for a
good flame war.