[Dshield] Idea for dealing with ISPs that ignore abusenotificatons was RE: The Art/Tao/Zen of Abuse e-mails (Was:[Fwd: WHY IS YOURCUSTOMER...])

Tomas L. Byrnes tomb at byrneit.net
Fri Aug 25 21:43:39 GMT 2006


I think, since the person who would be publishing the NR list is
Johannes, the appropriate filters would be in place.

Since Fightback is correlated to logs, the "silent fix" part is fairly
easy to see: the attacking IP stops showing up in the submitted logs.

I would agree, some sort of delay would be in order, but if a fightback
message BOUNCES, for example, then blocking and notifying
IANA/RIPE/APNIC is in order. It is a requirement that the contact info
for a network be accurate, monitored, and updated, otherwise the CIDR is
subject to forfeiture and reissue.
 
This brings up the usual issues with black lists of aging, verification,
etc., but these are all manageable.

It's a tradeoff, as are all things in security, and, as I said in the
other post I just sent, it's a matter of providing the information. It's
up to the individual network operator to decide what to do.

As far as ISPs being the participants, I don't see how the service
provider is a necessary component here. Presumably each subscriber has
their own firewall, which they can write their own DENY rules on.


-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of John Dietz
Sent: Friday, August 25, 2006 1:04 PM
To: General DShield Discussion List
Subject: Re: [Dshield] Idea for dealing with ISPs that ignore
abusenotificatons was RE: The Art/Tao/Zen of Abuse e-mails (Was:[Fwd:
WHY IS YOURCUSTOMER...])

In theory, this would be great, but how many ISPs would actually
participate in a program like this that could potentially drastically
limit the number of sites their paying customers could visit?  Not to
mention just who is going to manage all of this to make sure that no net
blocks accidentally get added to this list?  As Johannes mentioned
earlier:
"- Do not expect a response. In many countries, privacy laws will not
allow the ISP to confirm any action taken."
What if they are handling the problem silently as their name is being
added to the list?  Their traffic would be blocked by your filter and
you would never know that they actually responded and fixed the problem.
I do like the concept of your idea, but I highly doubt it would be
effective.
Just my $0.02

~John

On 8/25/06, Tomas L. Byrnes <tomb at byrneit.net> wrote:
> One way to change those economics is if we all were to block ALL 
> traffic from the CIDRs of non-responsive Abuse aliases.
>
> Perhaps DShield could post a list of CIDRs managed by RPs that don't 
> respond to fightback.
>
> That changes the equation, at least for fightback, drastically:
>
> "Do something about these reports, or we will publish your IP 
> addresses to a list that is used worldwide to block traffic".
>
> If they don't respond to messages from DSHIELD/SANS, and/or keep their
> RP contact alias up to date, they're not good netizens, and deserve to
> be cast into the outer darkness.
>


--
There is intelligence is in having all the answers, but wisdom lies in
knowing which of the questions to answer.