[102130] in North American Network Operators' Group
Re: Worst Offenders/Active Attackers blacklists
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Mon Jan 28 18:23:50 2008
To: "Tomas L. Byrnes" <tomb@byrneit.net>
Cc: nanog@nanog.org
In-Reply-To: Your message of "Sun, 27 Jan 2008 12:21:27 PST."
<70D072392E56884193E3D2DE09C097A9EE27@pascal.zaphodb.org>
From: Valdis.Kletnieks@vt.edu
Date: Mon, 28 Jan 2008 18:22:53 -0500
Errors-To: owner-nanog@merit.edu
On Sun, 27 Jan 2008 12:21:27 PST, "Tomas L. Byrnes" said:
> I'm the CTO and founder of ThreatSTOP (www.threatstop.com), and we're
> currently propagating the DShield, and some other, block lists for use
> in firewalls. I'm interested in gathering additional threat information,
> and serving additional communities.
>
> Is there any interest in a collaborative platform where anonymized
> candidates for blocking would be submitted by a trusted group, and then
> propagated out to the whole group?
http://www.ranum.com/security/computer_security/editorials/dumb/
This illustrates dumb idea #2. Explain to me how you intend to enumerate
enough of the "bad" hosts out there that such a blocklist would help, while
still having it small enough that you don't blow out the RAM on whatever
device you're installing it on. Have you *tested* whatever iptables/ipf/ACL
for proper operation with 10 million entries?