[Dshield] Idea for dealing with ISPs that ignore abuse notifications was RE: The Art/Tao/Zen of Abuse e-mails (Was: [Fwd: WHY IS YOUR CUSTOMER...])
Tomas L. Byrnes
tomb at byrneit.net
Sat Aug 26 16:08:00 GMT 2006
Administering and propagating IP black and whitelists, especially
dynamic ones, is a chore, but there are ways to automate that. I'm
actually working on one that doesn't require special software on the
client side, and has generic utility, right now. Stay tuned.
As far as the aging problem goes: assuming that fightback continues to
send requests when submitted logs contain attacks from an IPN, getting
the RP from WHOIS, and simply publishes those that were NR in the time
period 24-48 hours ago, then once the contact info is updated, if they have a
functioning abuse alias, they won't show up on the list any more.
Think of it as generating the lists the same way as the DSHIELD top
attackers lists: it's a real time publication of who has been attacking
in the last day. If an IPN stops being an attacker, it will drop off the
lists; if an abuse handle starts to respond, it would drop off the NR
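The aging behaviour described above, written out as an added example that is not from the post or from any DShield or fightback tool; the reporter data, abuse contacts, networks and timestamps below are constructed, and the 24-48 hour window is the one the post names:

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the list post): abuse notifications a
# fightback-style reporter would have sent, keyed by the RP abuse contact
# taken from WHOIS, plus the replies that came back from those contacts.
NOW = datetime(2006, 8, 26, 16, 0)
H = timedelta(hours=1)

NOTIFICATIONS = [
    # (sent_at, attacking network, abuse contact notified)
    (NOW - 30 * H, "192.0.2.0/24",     "abuse@isp-a.example"),  # 30h old, never answered
    (NOW - 36 * H, "198.51.100.0/24",  "abuse@isp-b.example"),  # 36h old, answered 10h later
    (NOW - 72 * H, "203.0.113.0/24",   "abuse@isp-c.example"),  # 72h old, never answered
    (NOW - 6 * H,  "192.0.2.0/24",     "abuse@isp-a.example"),  # fresh report, still in grace
    (NOW - 40 * H, "203.0.113.128/25", "abuse@isp-d.example"),  # bounced: nothing ever came back
]

RESPONSES = [
    # (received_at, abuse contact that replied)
    (NOW - 26 * H, "abuse@isp-b.example"),
    (NOW - 80 * H, "abuse@isp-c.example"),  # old reply, predates the 72h-old notice
]


def non_responsive(notifications, responses, now, min_age=24 * H, max_age=48 * H):
    """Return {abuse_contact: {networks}} to publish as NR (non-responsive) at `now`.

    A contact is listed when some notification to it was sent between max_age
    and min_age ago and no reply from that contact arrived at or after that
    notification. Notices older than max_age age out by themselves, and a
    contact that starts answering drops off as soon as the list is regenerated.
    """
    listed = {}
    for sent_at, network, contact in notifications:
        age = now - sent_at
        if not (min_age <= age <= max_age):
            continue  # too fresh (still within the grace period) or already aged out
        answered = any(c == contact and t >= sent_at for t, c in responses)
        if not answered:
            listed.setdefault(contact, set()).add(network)
    return listed


if __name__ == "__main__":
    for contact, networks in sorted(non_responsive(NOTIFICATIONS, RESPONSES, NOW).items()):
        print(contact, sorted(networks))
```

Regenerating the list every cycle is what gives the aging for free: a contact is never "removed", it simply stops qualifying once its last unanswered notice is older than the window or once a reply is on record.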
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of Kenneth Coney
Sent: Saturday, August 26, 2006 7:29 AM
To: list at lists.dshield.org
Subject: Re: [Dshield] Idea for dealing with ISPs that ignore
abuse notifications was RE: The Art/Tao/Zen of Abuse e-mails (Was: [Fwd:
WHY IS YOUR CUSTOMER...])
I went through the block anything coming from IPNs from China, Brazil,
Korea, etc. thing years ago. Started writing my own firewall mods. The
process did work for a while, but one problem I ran into is when IPs were
reassigned and the new info was posted on ARIN quickly enough. Back
then the concept was blocking spam, but it also gave the benefit of
blocking by non-response to many probes. The list of what needed to be
blocked grew longer and longer as new hackers and spammers went online.
I found myself blocking US based ISPs as well. Figuring out who owned
what IPN and how many #s to block at each ISP ate hours every day. I
finally got it down to about 5 to 10 spam emails a day (from about 300)
accepted while still allowing legitimate mail, but doing so was taking 4
or 5 hours of my time each day researching and comparing logs and ARIN
records, and adding new blocks, and it just wasn't worth
it. The whole process became self defeating, and ate a lot of CPU
time/power as well in that the machine would be crawling because each
input had to be checked for a block.

A different approach I would like
to see someone market as a firewall for stand-alone computers is as
follows. There are a total of 9 ISPs containing maybe a total of 12
IPNs which I actually need to maintain communication with business-wise.
I really don't need, or want, my PC to even acknowledge the rest of the
Universe. Okay, an exception or 5 exists for my amusement; let's add MS
update (and the 10 or so IPNs it uses), an IPN providing a news feed,
maybe Dshield, NIST time and or ebay/paypal. Following this would leave
us with a firewall into which a user can enter the specific IPNs he/she
wants the computer to acknowledge or accept mail from, and it would be
totally non-responsive to the rest of the universe and not even accept a
mail which did not contain "Received: from (pre-approved IP) # ". Would
it violate RFCs? Probably, but when was the last time someone asked for
our signature of approval on one of those?