[Dshield] Idea for dealing with ISPs that ignore abuse notifications was RE: The Art/Tao/Zen of Abuse e-mails (Was: [Fwd: WHY IS YOUR CUSTOMER...])

Tomas L. Byrnes tomb at byrneit.net
Sat Aug 26 17:45:51 GMT 2006


I think this is great, for a network that doesn't NEED to provide access
from the broader Internet on a non-prior contact basis (like your home
PC, or a small company that uses outsourced e-Mail). 

But it doesn't work at all for general purpose web servers, or mail
servers where you actually may want to hear from people you've never
heard from before.

Both those criteria apply to just about anyone who uses the 'net for
business purposes.
 

-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of
Valdis.Kletnieks at vt.edu
Sent: Saturday, August 26, 2006 9:24 AM
To: General DShield Discussion List
Subject: Re: [Dshield] Idea for dealing with ISPs that ignore abuse
notifications was RE: The Art/Tao/Zen of Abuse e-mails (Was: [Fwd: WHY IS
YOUR CUSTOMER...])

On Sat, 26 Aug 2006 10:28:30 EDT, Kenneth Coney said:

> input had to be checked for a block.  A different approach I would like
> to see someone market as a firewall for stand-alone computers is as
> follows.  There are a total of 9 ISPs containing maybe a total of 12
> IPNs which I actually need to maintain communication with
> business-wise.

[0:0] -A tcp-in -m state --state ESTABLISHED,RELATED -j ACCEPT
[0:0] -A tcp-in -p tcp -s 198.82.0.0/16 -j ACCEPT
[0:0] -A tcp-in -p tcp -s 128.173.0.0/16 -j ACCEPT
# Add your other 7 -j ACCEPT rules here.
[0:0] -A tcp-in -j DROP

Done.  Pay careful attention to that first rule - that means "if *we* go
to visit *them*, their return packets are OK" - this lets you say "Oh, I
want to check www.cnn.com real quick" without having to whitelist them.

This is an iptables example, but I think all the current decent host
firewalls can be set up similarly (inability to do so, in fact, should
be considered a fatal flaw these days).

This is the opposite of Marcus's "Enumerate Badness", and how things
*should* be done if it's easy to enumerate the sites you should be
hearing from.

> Would it violate RFCs, probably, but when was the last time someone 
> asked for our signature of approval on one of those?

If you're worried about RFC compliance, do this instead:

[0:0] -A tcp-in -p tcp --syn -j REJECT --reject-with tcp-reset
[0:0] -A udp-in -p udp -j REJECT --reject-with icmp-port-unreachable

But a lot of security experts (myself included) think that being totally
silent in response to undesired traffic outweighs strict RFC compliance.

Remember - the RFCs are written so that two consenting hosts can
communicate.
If one isn't consenting, the RFCs don't apply.  But be nice and don't
send back non-RFC-compliant traffic that gives other machines
indigestion. :)
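As an added example (not part of any post in this thread): a small Python simulation of how netfilter walks the quoted tcp-in chain top to bottom, showing why the ESTABLISHED,RELATED rule lets replies from a site you went to visit through while an unsolicited connection from the same address falls to the final DROP. The rule text is constructed to match the quoted chain, and 203.0.113.5 is a constructed address standing in for an arbitrary site.

```python
import ipaddress
# Constructed rule set in iptables-save syntax; it mirrors the whitelist chain quoted in the thread.
RULES = [
    "[0:0] -A tcp-in -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "[0:0] -A tcp-in -p tcp -s 198.82.0.0/16 -j ACCEPT",
    "[0:0] -A tcp-in -p tcp -s 128.173.0.0/16 -j ACCEPT",
    "[0:0] -A tcp-in -j DROP",
]
# Options that take one argument; anything else (e.g. --syn) is treated as a bare flag.
ARG_OPTS = {"-A", "-j", "-p", "-s", "-m", "--state", "--reject-with"}

def parse_rule(line):
    """Parse one iptables-save line into a dict of the options relevant to matching."""
    toks = line.split()
    if toks and toks[0].startswith("["):   # strip the [packets:bytes] counter prefix
        toks = toks[1:]
    opts, i = {}, 0
    while i < len(toks):
        if toks[i] in ARG_OPTS:
            opts[toks[i]] = toks[i + 1]
            i += 2
        else:
            opts[toks[i]] = True
            i += 1
    return {
        "chain": opts["-A"],
        "target": opts["-j"],
        "proto": opts.get("-p"),  # None = any protocol
        "src": ipaddress.ip_network(opts["-s"]) if "-s" in opts else None,
        "states": set(opts["--state"].split(",")) if "--state" in opts else None,
    }

def evaluate(rules, chain, src, proto, state):
    """Walk `chain` top to bottom and return the target of the first matching rule."""
    ip = ipaddress.ip_address(src)
    for r in rules:
        if r["chain"] != chain or (r["proto"] is not None and r["proto"] != proto):
            continue
        if r["src"] is not None and ip not in r["src"]:
            continue
        if r["states"] is not None and state not in r["states"]:
            continue
        return r["target"]
    return "RETURN"  # fell off the end of a user-defined chain: back to the caller

PARSED = [parse_rule(line) for line in RULES]
# 203.0.113.5 is a constructed address standing in for "a site we went to visit".
REPLY_FROM_VISITED_SITE = evaluate(PARSED, "tcp-in", "203.0.113.5", "tcp", "ESTABLISHED")  # ACCEPT
UNSOLICITED_SYN = evaluate(PARSED, "tcp-in", "203.0.113.5", "tcp", "NEW")                  # DROP
WHITELISTED_PARTNER = evaluate(PARSED, "tcp-in", "198.82.1.2", "tcp", "NEW")               # ACCEPT
```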


