On Wed, 05 Sep 2007 08:34:59 EDT, Dude VanWinkle said:

> If we have a way to detect them, we should be able to tell when they
> get a new lease on life, or ipv4.

59.112.229.83 at Aug 17 01:19:39 UTC-0400. Still same IP, or no? Note that this is a *serious* question - it can take 2 weeks for a hacked box to get a new IP, and the *new* owner of that IP then gets mystified why nothing works.

125.1.71.140 at Sep 3 15:59:28. Still same IP, or no?

201.250.52.183 at Sep 4 14:59:26. Is that the same IP still, or no?

Let me know if I should blacklist those 3. Then we'll only have 139,999,997 to go.

> So, according to your theory, we can only blacklist people if we know
> everyone who is compromised, else it's completely useless? I disagree.

No, I'm saying that it's almost completely useless, because you can't make enough blacklist entries for it to *matter*. How much time and effort are you willing to put in to maintaining this blacklist, and how do you intend to keep it up to date?

Remember - each time a legitimate visitor doesn't get to your website because of a false positive, it's at *least* a bad PR event for you, probably a lost customer, and possibly the cost of a tech support call to find out they're a FP (and note that if you're using a 3rd-party blacklist, the fun and games of getting them unlisted can be a problem too).

As I said - there are only 2 *sane* ways to approach it anymore:

1) Only allow whitelisted systems - we have a *lot* of boxes that we only allow access to AS1312 systems, or specific subnets thereof. Works great, and the subnets move a lot less than botted systems.

2) Harden your systems against all comers - the broken idea of a blacklist is that even if you manage to properly list 25% of the boxes, you're now doing twice the work:

2a) You're maintaining a 20M to 30M entry blacklist, and keeping it up to date.

2b) You're *still* having to defend against the *OTHER* 75%.

Would you even *consider* buying a security system for your house, if you knew *beforehand* that it would (a) only stop 25% of the burglars, (b) you had to spend 15 to 20 minutes *every* day fixing it, and (c) 20% of the time, it would randomly refuse to let invited guests in?

> Security is gained by throwing everything you have at the opposing
> team, not waiting around for a perfect solution to present itself,

I'm not looking for a perfect solution. I'm looking for one that has a decent return on the time/resources invested.

> because trust me: you will be waiting a long time. Throw everything
> you can at them, even if it only helps against 5%, that's 5 down, 95
> more to go...

The benefit of lowering it from N to N*0.95 needs to outweigh the costs of the care and feeding of said beast.
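An added illustration, not part of the reply above or of any funsec code: it models the two mechanics the reply relies on, a per-IP blacklist entry outliving the lease of the botted host and then blocking the address's next, innocent holder, versus a whitelist keyed on subnets rather than hosts. The addresses, dates, the 14-day ageing window and the 203.0.113.0/24 stand-in for "AS1312 subnets" are constructed assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample data (documentation-range addresses, not the post's IPs): a botted
# host is seen on day 0; by day 20 its ISP has re-leased that address to an unrelated customer.
LISTED_AT = datetime(2007, 8, 17)
EVENTS = [
    ("198.51.100.7", datetime(2007, 8, 17), "bot"),       # attack traffic, day 0
    ("198.51.100.7", datetime(2007, 9, 6), "customer"),   # same IP, new holder, day 20
    ("203.0.113.42", datetime(2007, 9, 6), "customer"),   # visitor from a subnet we know
]

class Blacklist:
    """Per-IP deny list; ttl=None models 'list it and never revisit it'."""
    def __init__(self, ttl=None):
        self.ttl, self.listed = ttl, {}

    def add(self, ip, when):
        self.listed[ip_address(ip)] = when

    def blocks(self, ip, now):
        when = self.listed.get(ip_address(ip))
        if when is None:
            return False
        # Age entries out after a lease window so a reassigned address is not punished for its previous holder.
        return self.ttl is None or now - when < self.ttl

class Whitelist:
    """Allow list keyed on subnets, which move far less than individual bots."""
    def __init__(self, nets):
        self.nets = [ip_network(n) for n in nets]

    def allows(self, ip):
        return any(ip_address(ip) in net for net in self.nets)

def score(blocked, events):
    """(bots stopped, customers turned away) for a decision function blocked(ip, t)."""
    bots = sum(1 for ip, t, who in events if who == "bot" and blocked(ip, t))
    fps = sum(1 for ip, t, who in events if who == "customer" and blocked(ip, t))
    return bots, fps

def compare():
    naive, aged = Blacklist(), Blacklist(ttl=timedelta(days=14))  # assumed 2-week lease window
    for bl in (naive, aged):
        bl.add("198.51.100.7", LISTED_AT)
    wl = Whitelist(["203.0.113.0/24"])  # constructed stand-in for the post's AS1312 subnets
    return {
        "naive_blacklist": score(naive.blocks, EVENTS),
        "aged_blacklist": score(aged.blocks, EVENTS),
        "subnet_whitelist": score(lambda ip, t: not wl.allows(ip), EVENTS),
    }
```

`compare()` returns `(bots stopped, customers turned away)` per policy; the never-expired blacklist turns away the re-leased address's new customer, the aged one does not, and the whitelist only ever admits the known subnet.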
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
