[Dshield] Idea for dealing with ISPs that ignore abusenotificatons was RE: The Art/Tao/Zen of Abuse e-mails (Was:[Fwd: WHY IS YOURCUSTOMER...])

Kenneth Coney superc at visuallink.com
Sun Aug 27 18:19:46 GMT 2006


This may work.  I have saved it and will try it later.  Thanks.


Subject: Re: [Dshield] Idea for dealing with ISPs that ignore abusenotificatons was RE: The Art/Tao/Zen of Abuse e-mails (Was:[Fwd: WHY IS YOURCUSTOMER...])
From: Valdis.Kletnieks at vt.edu
Date: Sat, 26 Aug 2006 12:23:43 -0400
To: General DShield Discussion List <list at lists.dshield.org>


On Sat, 26 Aug 2006 10:28:30 EDT, Kenneth Coney said:

> input had to be checked for a block.   A different approach I would like 
> to see some one market as a firewall for stand alone computers is as 
> follows.  There are a total of 9 ISPs containing maybe a total of 12 
> IPNs which I actually need to maintain communication with business 
> wise.


[0:0] -A tcp-in -m state --state ESTABLISHED,RELATED -j ACCEPT
[0:0] -A tcp-in -p tcp -s 198.82.0.0/16 -j ACCEPT
[0:0] -A tcp-in -p tcp -s 128.173.0.0/16 -j ACCEPT
# Add your other 7 -j ACCEPT rules here.
[0:0] -A tcp-in -j DROP

Done.  Pay careful attention to that first rule - that means "if *we*
go to visit *them*, their return packets are OK" - this lets you say
"Oh, I want to check www.cnn.com real quick" without having to whitelist them.

This is an iptables example, but I think all the current decent host firewalls
can be set up similarly (inability to do so, in fact, should be considered a
fatal flaw these days).

This is the opposite of Marcus's "Enumerate Badness", and how things *should*
be done if it's easy to enumerate the sites you should be hearing from.


> > Would it violate RFCs, probably, but when was the last time someone 
> > asked for our signature of approval on one of those?

If you're worried about RFC compliance, do this instead:

[0:0] -A tcp-in -p tcp --syn -j REJECT --reject-with tcp-reset
[0:0] -A udp-in -p udp -j REJECT --reject-with icmp-port-unreachable

But a lot of security experts (myself included) think that being totally
silent in response to undesired traffic outweighs strict RFC compliance.

Remember - the RFCs are written so that two consenting hosts can communicate.
If one isn't consenting, the RFCs don't apply.  But be nice and don't send
back non-RFC-compliant traffic that gives other machines indigestion.  :)
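A shell script that generates the complete "enumerate goodness" ruleset sketched above, as an added example that is not part of the original thread. It assumes iptables-restore syntax, and two things not in Valdis's fragment are my additions: a loopback ACCEPT (local services would otherwise be cut off) and a trailing DROP after the REJECT rules so stray non-SYN segments are still silently discarded. It only prints the rules, so they can be reviewed before loading with iptables-restore.

```shell
#!/bin/sh
# Emit an iptables-restore fragment for an allow-list host firewall.
# Rule order per chain: state rule first (replies to connections *we*
# opened), then one ACCEPT per trusted network, then the default action.
#   gen_allowlist_rules MODE CIDR...
#   MODE is "drop" (stay silent) or "reject" (RFC-friendly: TCP RST for
#   SYNs, ICMP port-unreachable for UDP).
gen_allowlist_rules() {
    mode=$1; shift
    case $mode in
        drop|reject) ;;
        *) echo "mode must be drop or reject" >&2; return 1 ;;
    esac
    [ $# -gt 0 ] || { echo "at least one CIDR required" >&2; return 1; }
    # Cheap syntax check so a typo does not silently open or close the box.
    for cidr in "$@"; do
        case $cidr in
            [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) ;;
            *) echo "bad CIDR: $cidr" >&2; return 1 ;;
        esac
    done
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':tcp-in - [0:0]'
    echo ':udp-in - [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'          # assumption: local services stay reachable
    echo '-A INPUT -p tcp -j tcp-in'
    echo '-A INPUT -p udp -j udp-in'
    for chain in tcp-in udp-in; do
        # Return traffic for sessions we initiated is fine from any source.
        echo "-A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT"
        for cidr in "$@"; do
            echo "-A $chain -s $cidr -j ACCEPT"
        done
    done
    if [ "$mode" = drop ]; then
        echo '-A tcp-in -j DROP'
        echo '-A udp-in -j DROP'
    else
        echo '-A tcp-in -p tcp --syn -j REJECT --reject-with tcp-reset'
        echo '-A udp-in -p udp -j REJECT --reject-with icmp-port-unreachable'
        echo '-A tcp-in -j DROP'   # assumption: stray non-SYN segments are dropped quietly
    fi
    echo 'COMMIT'
}
```

Review the output, then load it with `iptables-restore < rules.txt`; in drop mode any network missing from the argument list will be unable to reach the host.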


