On 9/4/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> On Tue, 04 Sep 2007 16:20:15 EDT, Dude VanWinkle said:
>
> > So if we know the IPs of "millions of compromised machines" can we
> > get access to a list of those in order to grey/blacklist them?
>
> We know the IP addresses that some of them *used* to have.  Feel free to
> blacklist the address and see the *current* DHCP leaseholder wonder why
> things are breaking.

If we have a way to detect them, we should be able to tell when they
get a new lease on life, or ipv4.

>
> And Storm is only *part* of it - remember that's only a few million, out
> of Vint Cerf's estimate of 140 million.
>
> When there's 140 million pwned/spywared/etc boxes out of 600M or so, you
> really can only take 2 stances:

So, according to your theory, we can only blacklist people if we know
everyone who is compromised, else it's completely useless? I disagree.
Security is gained by throwing everything you have at the opposing
team, not waiting around for a perfect solution to present itself,
because trust me: you will be waiting a long time. Throw everything
you can at them, even if it only helps against 5%; that's 5 down, 95
more to go...

> 1) Don't care and harden the outward-facing side to take on all comers.
> 2) Start whitelisting only known vetted and known systems.

I am also liking the idea of greylisting. If someone snafus on an RFC
during SMTP, we don't block them forever, just a few minutes.

-JP
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
