[Dshield] Blocking Country Access

Tomas L. Byrnes tomb at byrneit.net
Wed Feb 21 18:16:41 GMT 2007


It depends on what you are blocking, and why. The DShield lists are of
port scanners, which is more akin to the coyotes coming into your yard
and trying to get in the cat door to get at your cat. threatSTOP
provides those, and the TQM lists, in a form that your firewall can
block on.

If you're blocking SPAM @ the MTA level, and you are using RBLs, then I
don't see the difference in security effect or probability of collateral
damage of having a rule that blocks the first SYN @ the firewall, where
it costs you a 64-byte TCP SYN, as opposed to using an MTA block, where
you have to accept the connection, do a DNS lookup, and then send the
500 message. It costs you a lot less CPU and BW, and the spammer doesn't
typically try more than one connection, because they don't see port 25
as open at all.

IOW: Dropping a connection that you are going to drop @ the MTA @ the
firewall saves you bandwidth, and CPU on the MTA, for the exact same
effect that you get with an MTA RBL.

> -----Original Message-----
> From: list-bounces at lists.dshield.org 
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Tony Earnshaw
> Sent: Wednesday, February 21, 2007 8:39 AM
> To: General DShield Discussion List
> Subject: Re: [Dshield] Blocking Country Access
> 
> Tomas L. Byrnes wrote, on 21. feb 2007 17:17:
> 
> [...]
> 
> > If anyone who hasn't responded to the DShield survey wants to know 
> > more, please complete the DShield user survey:
> > 
> > https://www.surveymonkey.com/s.asp?u=426292761814
> 
> I'll have a look :) but ...
> 
> > Be sure to tell us we can contact you, give us your e-mail, and we 
> > will be in touch as we ramp up.
> > 
> > End shameless plug.
> 
> My sites (if they block at all) block at MTA level; no way 
> I'd ever use a firewall for this: Rather like cutting the 
> cat's throat for scratching the sofa, whilst clipping its 
> claws would do just as well ... and you get to keep the cat.
> 
> --Tonni
> 
> --
> Tony Earnshaw
> Email: tonni at hetnet dot nl
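The firewall-side approach argued for above, as an added example that is not part of the original thread or of any DShield or threatSTOP tooling: a small Python script that takes a block list of address ranges, collapses them into the minimal set of CIDR prefixes, and emits iptables rules that drop the first SYN to port 25 from those prefixes, which is the "64-byte SYN" path rather than the accept/DNS-lookup/5xx path at the MTA. The `start<TAB>end` line format and the sample list are assumptions constructed for illustration, not real DShield data.

```python
"""Convert a block list of IP ranges into iptables rules that drop the
first SYN to port 25 at the firewall.

Added example; the input format (start<TAB>end per line, '#' comments)
is an assumption, and SAMPLE_BLOCKLIST is constructed test data using
RFC 5737 documentation ranges, not real DShield output.
"""
import ipaddress
from typing import Iterable, Iterator, List, Tuple

# Constructed sample list (assumption: one range per line, tab-separated).
SAMPLE_BLOCKLIST = """\
# start<TAB>end  -- constructed sample, not real data
192.0.2.0\t192.0.2.255
198.51.100.0\t198.51.100.127
203.0.113.64\t203.0.113.95
"""

Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def parse_blocklist(text: str) -> Iterator[Range]:
    """Yield (start, end) address pairs, skipping blank and comment lines.

    Malformed lines raise ValueError with the line number so a bad feed
    fails loudly instead of silently shrinking the block set.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected start<TAB>end, got {line!r}")
        start = ipaddress.ip_address(fields[0].strip())
        end = ipaddress.ip_address(fields[1].strip())
        if start.version != 4 or end.version != 4:
            raise ValueError(f"line {lineno}: only IPv4 ranges are handled here")
        if start > end:
            raise ValueError(f"line {lineno}: start {start} is after end {end}")
        yield start, end


def ranges_to_cidrs(ranges: Iterable[Range]) -> List[ipaddress.IPv4Network]:
    """Collapse arbitrary start/end ranges into the minimal CIDR set.

    summarize_address_range splits each range into aligned prefixes;
    collapse_addresses merges adjacent or overlapping prefixes so the
    firewall rule set stays as short as possible.
    """
    nets = []
    for start, end in ranges:
        nets.extend(ipaddress.summarize_address_range(start, end))
    return list(ipaddress.collapse_addresses(nets))


def iptables_rules(nets: Iterable[ipaddress.IPv4Network],
                   port: int = 25, chain: str = "INPUT") -> List[str]:
    """Emit one DROP rule per prefix.

    '--syn' matches only the connection-opening packet (SYN set, ACK/RST/FIN
    clear), so the sender sees no open port and the MTA never accepts the
    connection, does the RBL lookup, or sends a 5xx reply.
    """
    return [
        f"iptables -A {chain} -p tcp --syn --dport {port} "
        f"-s {net.with_prefixlen} -j DROP"
        for net in nets
    ]


def is_blocked(client_ip: str, nets: Iterable[ipaddress.IPv4Network]) -> bool:
    """Check whether a client address falls inside any blocked prefix."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in nets)


def build_rules(text: str = SAMPLE_BLOCKLIST) -> List[str]:
    """Parse a block list and return the full iptables rule list."""
    return iptables_rules(ranges_to_cidrs(parse_blocklist(text)))


if __name__ == "__main__":
    for rule in build_rules():
        print(rule)
```

Run the script directly to print the rules for the embedded sample list, or pipe a real feed into `build_rules()` once the feed's actual column layout is confirmed. For a large list, loading the prefixes into an ipset and matching with a single `-m set` rule is cheaper than one iptables rule per prefix, but the SYN-drop semantics are the same.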
