[Dshield] Re.: Hacker Blocks
Johannes B. Ullrich
jullrich at sans.org
Mon Mar 11 23:42:23 GMT 2002
I did put together a list a few months back, but haven't updated
it lately (http://feeds.dshield.org/block.txt... may not be up
right now as it is kind of out of date).

It really comes down to overall good security practices:

- For your network, the multitude of Nimda scans is not the
threat, but the single determined hacker or the latest new
worm for which you haven't patched yet.
- The more narrowly you can define your user groups, the better
you can limit access. Overall, you should not block a network
because you suspect it is full of crackers, but you should
block a network because you do not expect legitimate access.

> Previous messages received from dshield.org by the RIPE NCC
> have either been errors on dshield.org's side, or errors in
> the RIPE database. In all 8 such cases, the problem was
> responded to and dealt with by RIPE NCC staff, with no further
> response from dshield.org received.

We use the whois databases (ARIN, APNIC, RIPE, KORNET, TWNIC...)
as our primary source for contact addresses. Replies to these
messages are automatically prefiltered (bounces, autoreplies).
Corrections are made as we receive them. I usually try to send
back a quick response. (8 cases is actually fewer than I
expected; we send > 1000 emails each day.)

My dream is to have a great authoritative contact database that
would get me to a network admin based on IP address. I know
that the registrars are fighting hard to keep their databases
up to date and correct. But on the other hand, spammers regularly
harvest these databases and it is hard for the registrars to
balance privacy and the need for a contact.

In no way are IP registrars responsible for the use of the
IP space they administer. They only act as a 'bookkeeper'. It
is up to the respective ISPs to act responsibly.

Anyway... it's a difficult subject and always makes for a
good flame war.

jullrich at sans.org Join http://www.DShield.org
Distributed Intrusion Detection System
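The prefiltering of bounces and auto-replies that the message mentions, as an added example that is not DShield's or the author's code: a header-based classifier run over constructed sample replies, using the RFC 3464 delivery-status report type and the RFC 3834 Auto-Submitted header; the X-Autoreply and X-Autorespond headers are assumed informal autoresponder conventions.

```python
"""Prefilter for replies to automated abuse notifications (added example,
not DShield's own code). Sample messages are constructed."""
from email import message_from_string

# Local parts conventionally used by MTAs for non-delivery reports.
AUTOMATED_SENDERS = ("mailer-daemon", "postmaster")


def classify(raw: str) -> str:
    """Return 'bounce', 'autoreply' or 'human' for one raw RFC 822 message."""
    msg = message_from_string(raw)
    sender = msg.get("From", "").lower()
    # Delivery status notifications (RFC 3464) are multipart/report messages
    # with report-type=delivery-status.
    if (msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type", "").lower() == "delivery-status"):
        return "bounce"
    if any(s in sender for s in AUTOMATED_SENDERS):
        return "bounce"
    # RFC 3834: any Auto-Submitted value other than "no" marks an automatic reply.
    if msg.get("Auto-Submitted", "no").lower() != "no":
        return "autoreply"
    # Older autoresponder conventions that predate RFC 3834 (assumed, informal).
    if msg.get("Precedence", "").lower() in ("bulk", "junk", "auto_reply"):
        return "autoreply"
    if msg.get("X-Autoreply") or msg.get("X-Autorespond"):
        return "autoreply"
    return "human"


def needs_human(replies):
    """Keep only the replies a person should read, e.g. contact corrections."""
    return [r for r in replies if classify(r) == "human"]


# Constructed sample replies.
BOUNCE = (
    "From: Mail Delivery System <MAILER-DAEMON@mx.example.net>\n"
    "To: reports@example.org\nSubject: Undelivered Mail Returned to Sender\n"
    'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n'
    "\n--b1\nContent-Type: text/plain\n\nUser unknown.\n--b1--\n"
)
AUTOREPLY = (
    "From: abuse@isp.example.com\nTo: reports@example.org\n"
    "Auto-Submitted: auto-replied\nSubject: Out of office\n\nBack Monday.\n"
)
HUMAN = (
    "From: noc@isp.example.com\nTo: reports@example.org\nSubject: Re: report\n"
    "\nThat netblock was reassigned; the right contact is abuse@isp.example.com\n"
)
```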