[Dshield] Idea for dealing with ISPs that ignore abuse notifications was RE: The Art/Tao/Zen of Abuse e-mails (Was: [Fwd: WHY IS YOUR CUSTOMER...])

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Sat Aug 26 16:23:43 GMT 2006


On Sat, 26 Aug 2006 10:28:30 EDT, Kenneth Coney said:

> input had to be checked for a block.   A different approach I would like 
> to see someone market as a firewall for stand-alone computers is as 
> follows.  There are a total of 9 ISPs containing maybe a total of 12 
> IPNs which I actually need to maintain communication with, business-
> wise.

[0:0] -A tcp-in -m state --state ESTABLISHED,RELATED -j ACCEPT
[0:0] -A tcp-in -p tcp -s 198.82.0.0/16 -j ACCEPT
[0:0] -A tcp-in -p tcp -s 128.173.0.0/16 -j ACCEPT
# Add your other 7 -j ACCEPT rules here.
[0:0] -A tcp-in -j DROP

Done.  Pay careful attention to that first rule - that means "if *we*
go to visit *them*, their return packets are OK" - this lets you say
"Oh, I want to check www.cnn.com real quick" without having to whitelist them.

This is an iptables example, but I think all the current decent host firewalls
can be set up similarly (inability to do so, in fact, should be considered a
fatal flaw these days).

This is the opposite of Marcus's "Enumerate Badness", and how things *should*
be done if it's easy to enumerate the sites you should be hearing from.

> Would it violate RFCs, probably, but when was the last time someone 
> asked for our signature of approval on one of those?

If you're worried about RFC compliance, do this instead:

[0:0] -A tcp-in -p tcp --syn -j REJECT --reject-with tcp-reset
[0:0] -A udp-in -p udp -j REJECT --reject-with icmp-port-unreachable

But a lot of security experts (myself included) think that being totally
silent in response to undesired traffic outweighs strict RFC compliance.

Remember - the RFCs are written so that two consenting hosts can communicate.
If one isn't consenting, the RFCs don't apply.  But be nice and don't send
back non-RFC-compliant traffic that gives other machines indigestion. :)
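As an added example (mine, not Valdis's or the list's), here is a POSIX shell function that emits the "enumerate goodness" ruleset from the post in iptables-restore format, with either the silent DROP tail or the RFC-friendly REJECT tail selected by the first argument. The chain names tcp-in and udp-in, the two /16 prefixes and the rule text are taken from the post; the function name, the matching udp-in ACCEPT rules, the chain declaration lines and the assumption that INPUT already jumps to these chains are mine.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Emit an allowlist ruleset for iptables-restore: accept return traffic for
# connections we opened, accept unsolicited traffic only from listed CIDRs,
# and either silently DROP or politely REJECT everything else.
# Assumes INPUT already jumps to the user chains tcp-in (TCP) and udp-in (UDP).
#
# allowlist_rules MODE CIDR...
#   MODE is "drop" (silent) or "reject" (TCP RST / ICMP port-unreachable)
allowlist_rules() {
    mode=$1; shift
    printf '%s\n' '*filter'
    # Declare the user chains with zeroed counters, as iptables-restore expects.
    printf '%s\n' ':tcp-in - [0:0]' ':udp-in - [0:0]'
    # First rule, as the post stresses: replies to connections *we* initiated
    # are accepted, so visiting an arbitrary site works without allowlisting it.
    # (-m state is what the post uses; newer iptables prefers -m conntrack --ctstate.)
    printf '%s\n' '[0:0] -A tcp-in -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '[0:0] -A udp-in -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # One ACCEPT per allowlisted source prefix, in the order given.
    for cidr in "$@"; do
        printf '[0:0] -A tcp-in -p tcp -s %s -j ACCEPT\n' "$cidr"
        printf '[0:0] -A udp-in -p udp -s %s -j ACCEPT\n' "$cidr"
    done
    # Everything unsolicited that is not from the allowlist ends here.
    case $mode in
        drop)
            printf '%s\n' '[0:0] -A tcp-in -j DROP' '[0:0] -A udp-in -j DROP' ;;
        reject)
            printf '%s\n' '[0:0] -A tcp-in -p tcp --syn -j REJECT --reject-with tcp-reset'
            printf '%s\n' '[0:0] -A udp-in -p udp -j REJECT --reject-with icmp-port-unreachable' ;;
        *)
            echo "allowlist_rules: unknown mode '$mode' (use drop or reject)" >&2
            return 1 ;;
    esac
    printf '%s\n' 'COMMIT'
}

# Sample prefixes are the two from the post; add your own business contacts here.
allowlist_rules drop 198.82.0.0/16 128.173.0.0/16
```

Review the output before loading it with iptables-restore as root; the ESTABLISHED,RELATED rule must stay first, because a DROP placed above it would cut off replies to your own outbound connections.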