[Dshield] An Abuse-Free internet organization

Erwin Van de Velde erwin.vandevelde at ua.ac.be
Tue Jan 20 16:28:19 GMT 2004


> But Erwin, when a vast amount of the attacks/probes to my server comes from
> Verizon and reporting things to them gets absolutely no response? And they
> are not the only big name that chooses to not respond... Where does that
> leave us?

You could block some IP addresses (I'm even writing my master's thesis about a 
system that could do that :-) ), but excluding entire IP address ranges seems 
a bit harsh to me. It should be clear too, that for blocking IPs a soft 
state is needed: lots of ISPs use DHCP, so the address of an attacker can 
change (and a 'good client' could get the attacker's IP the following day).
It's true that you're safe when you block all external IPs, but what about 
the service you're offering then?

You have to find the middle between doing nothing and just blocking everything 
that could be a little suspicious.

And I haven't spoken of spoofing yet... Could you imagine the following? A 
competing ISP X spoofs some attacks with source IPs in the range of another 
ISP Y. This would lead to addresses of Y being blocked on your system, and 
all angry clients of Y would go to X. Perhaps a little imaginative, but it 
would not be the first time that ISPs try to tackle each other...

Spoofing could happen too when you block single IP addresses locally, but the 
impact would be a lot smaller (and you have to do something if you're being 
attacked...).

Greetings,
Erwin Van de Velde
Student of University of Antwerp
Belgium
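
The soft-state, single-address blocking described in the message above, as an added sketch that is not part of the original post and not the thesis system it mentions. The class name, the TTL, window and threshold values, and the rule of requiring several events before blocking are all assumptions made for illustration.

```python
import ipaddress
import time


class SoftStateBlocklist:
    """Blocks single addresses only; every entry expires unless refreshed.

    Hypothetical illustration: ttl, threshold and window are assumed values.
    """

    def __init__(self, ttl=6 * 3600, threshold=3, window=600, clock=time.time):
        self.ttl = ttl              # seconds a block survives without new events
        self.threshold = threshold  # events inside `window` needed to block
        self.window = window        # seconds over which events are counted
        self.clock = clock          # injectable so expiry can be tested
        self._events = {}           # ip -> timestamps of recent events
        self._blocked = {}          # ip -> expiry time of the block

    def _expire(self, ip, now):
        # Soft state: once the TTL has passed, forget the block and its
        # history, so whoever holds the DHCP lease next starts clean.
        if ip in self._blocked and self._blocked[ip] <= now:
            del self._blocked[ip]
            self._events.pop(ip, None)

    def report(self, addr):
        """Record one suspicious event; return True if addr is now blocked."""
        # ip_address() raises ValueError for ranges such as 192.0.2.0/24,
        # so a whole ISP block can never be entered by accident.
        ip = ipaddress.ip_address(addr)
        now = self.clock()
        self._expire(ip, now)
        recent = [t for t in self._events.get(ip, []) if now - t < self.window]
        recent.append(now)
        self._events[ip] = recent
        if ip in self._blocked or len(recent) >= self.threshold:
            # New block, or the source is still active: (re)start the timer.
            self._blocked[ip] = now + self.ttl
        return ip in self._blocked

    def is_blocked(self, addr):
        ip = ipaddress.ip_address(addr)
        self._expire(ip, self.clock())
        return ip in self._blocked
```

Because entries are per address and time out on their own, a spoofed burst costs one address for one TTL rather than a provider's whole range.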



