[102149] in North American Network Operators' Group


Re: Worst Offenders/Active Attackers blacklists

daemon@ATHENA.MIT.EDU (Patrick W. Gilmore)
Tue Jan 29 16:42:57 2008

Cc: "Patrick W. Gilmore" <patrick@ianai.net>
From: "Patrick W. Gilmore" <patrick@ianai.net>
To: nanog list <nanog@nanog.org>
In-Reply-To: <Pine.LNX.4.62.0801292119300.5993@pop.ict1.everquick.net>
Date: Tue, 29 Jan 2008 16:39:14 -0500
Errors-To: owner-nanog@merit.edu


On Jan 29, 2008, at 4:23 PM, Edward B. DREGER wrote:

> PWG> [Z]one transfers, while not as bad as individual lookups, are still
> PWG> a bad idea IMHO.  For instance, are you sure you want your dynamic
> PWG> filters 30 or 60 minutes out of date?
>
> As opposed to infinitely out-of-date (i.e., no filters)?  Don't get me
> wrong; I'm none too keen on using DNS to distribute IP ACLs.  I just am
> nitpicking that one particular point.

Frequently, yes.  FPs can be more dangerous than FNs.  Depends on your
network, clients, etc.

And that's just the first reason that came to mind.  There are plenty
of others.

Or maybe not.  Prove me wrong!

-- 
TTFN,
patrick
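The staleness argument in this exchange, modeled as an added example that is not part of the thread: a secondary that mirrors a blocklist zone by transfer only sees changes at its next pull, so a host that was delisted stays blocked (a false positive) until then, while a per-IP lookup is stale by at most the record TTL. The timeline of zone changes, the 30-minute refresh interval, the 5-minute TTL, and the assumption that the mirror pulls strictly on the SOA refresh interval (no NOTIFY) are all constructed for illustration.

```python
"""Constructed model comparing a zone-transfer mirror of a DNS blocklist
with per-query lookups, counting stale blocks (FP) and missed blocks (FN).
Added example; not from the NANOG thread."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ListEvent:
    minute: int   # when the authoritative zone changed
    ip: str
    listed: bool  # True = added to the blocklist, False = removed


# Constructed timeline of authoritative zone changes, sorted by minute.
EVENTS = [
    ListEvent(0, "192.0.2.10", True),
    ListEvent(5, "192.0.2.20", True),
    ListEvent(12, "192.0.2.10", False),  # delisted: later blocks are FPs
    ListEvent(40, "192.0.2.30", True),
]


def authoritative_state(minute):
    """IPs listed in the authoritative zone at the given minute."""
    listed = set()
    for ev in EVENTS:
        if ev.minute > minute:
            break
        if ev.listed:
            listed.add(ev.ip)
        else:
            listed.discard(ev.ip)
    return listed


def mirror_state(minute, refresh):
    """View of a secondary that transfers the zone every `refresh` minutes
    (SOA refresh only, no NOTIFY): it reflects the zone as of its last pull."""
    last_pull = (minute // refresh) * refresh
    return authoritative_state(last_pull)


def query_state(minute, ttl):
    """Worst-case view of a resolver doing per-IP lookups: a cached answer
    may be up to `ttl` minutes old, so evaluate the zone `ttl` minutes back."""
    return authoritative_state(max(0, minute - ttl))


def compare(refresh, ttl, horizon):
    """Per-minute tally of false positives (blocked but no longer listed) and
    false negatives (listed but not yet blocked) for both distribution modes."""
    totals = {"mirror": {"fp": 0, "fn": 0}, "query": {"fp": 0, "fn": 0}}
    for minute in range(horizon):
        truth = authoritative_state(minute)
        views = {
            "mirror": mirror_state(minute, refresh),
            "query": query_state(minute, ttl),
        }
        for name, seen in views.items():
            totals[name]["fp"] += len(seen - truth)
            totals[name]["fn"] += len(truth - seen)
    return totals


if __name__ == "__main__":
    for mode, counts in compare(refresh=30, ttl=5, horizon=60).items():
        print(f"{mode:7s} FP-minutes={counts['fp']:3d} FN-minutes={counts['fn']:3d}")
```

With these constructed parameters the mirror accumulates 18 minutes of blocking a delisted host against 5 for the TTL-bounded lookup, which is the false-positive exposure the reply is pointing at; the FN column shows what a filter misses in either mode while a new listing propagates.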

