On 12/13/11 7:44 AM, Kevin A. McGrail wrote:
Blocking seems to be the only thing that really achieves the goal they want, beyond conversion to paying customers, which is not SA's issue.

I agree with Kevin.
A while back, I published an 'example' blocking list, 'blocked.secnap.net' (wildcard entry for IPv4 :-). Guess what? It was added to a couple of Perl DNSBL modules and used by people who never looked at what it was!

Two things happened:
#1, lots of queries (hundreds of thousands per day) from one or two unnamed large ISPs.
#2, calls from 'internet lawyers' demanding that we remove them from the list (we emailed them the BIND zone and told them to identify their IP address and we would gladly remove it).

Also, emailing or calling 'abusers' doesn't work.
Kevin and I run two of the three sa-update mirror servers, and we have seen several 'ill-configured' servers that try to pull the same sa-update every 5 minutes, forever.

I had our night shift guys track down and send the admins a friendly note, mentioning that they aren't getting the updates anyway, so why not fix it?

No response, no change in activity. (Note: this might be due to one of the distros not being able to store and check PGP keys if they are in the /tmp directory; a proposed SA Bugzilla entry starts to address this, but these queries are for older versions of SA.) And/or full /tmp filesystems, etc. We never did figure it out, but if anyone wants a list of the top 10 IPs, they can email me off-list.

Now, I disagree TOTALLY on setting the abusers' DNS queries to return an FP on DNSWL_HIGH; this serves no purpose. Blocking the IP address by firewall will save bandwidth and CPU cycles. Returning an FP on HIGH won't ever get Google's attention, will it? And you still get the bandwidth and CPU cycles from the largest abusers.


Regards,
KAM


--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
SECNAP Network Security Corporation
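The "top 10 IPs" list mentioned above can be pulled straight from a mirror's access log. The following is an added example, not code from this thread or from the SpamAssassin project: it parses constructed Apache combined-format log lines from a hypothetical sa-update mirror and flags clients that fetch the same update archive repeatedly within an hour, which is the every-5-minutes retry pattern described in the post. The IP addresses, file names and user-agent strings in the sample are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (Apache combined format) from a hypothetical
# sa-update mirror; IPs, paths and sizes are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Dec/2011:07:00:01 -0500] "GET /1234567.tar.gz HTTP/1.1" 200 418273 "-" "sa-update/3.3.1"
203.0.113.7 - - [13/Dec/2011:07:05:02 -0500] "GET /1234567.tar.gz HTTP/1.1" 200 418273 "-" "sa-update/3.3.1"
203.0.113.7 - - [13/Dec/2011:07:10:01 -0500] "GET /1234567.tar.gz HTTP/1.1" 200 418273 "-" "sa-update/3.3.1"
203.0.113.7 - - [13/Dec/2011:07:15:03 -0500] "GET /1234567.tar.gz HTTP/1.1" 200 418273 "-" "sa-update/3.3.1"
198.51.100.20 - - [13/Dec/2011:07:02:11 -0500] "GET /MIRRORED.BY HTTP/1.1" 200 512 "-" "sa-update/3.3.2"
198.51.100.20 - - [13/Dec/2011:07:02:12 -0500] "GET /1234567.tar.gz HTTP/1.1" 200 418273 "-" "sa-update/3.3.2"
192.0.2.55 - - [13/Dec/2011:03:30:00 -0500] "GET /1234567.tar.gz HTTP/1.1" 200 418273 "-" "sa-update/3.3.1"
192.0.2.55 - - [13/Dec/2011:15:30:00 -0500] "GET /1234567.tar.gz HTTP/1.1" 200 418273 "-" "sa-update/3.3.1"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*"')

def parse_log(text):
    """Yield (ip, timestamp, path) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield m.group("ip"), ts, m.group("path")

def repeat_fetchers(text, window=timedelta(hours=1), threshold=3):
    """Map IP -> max fetches of one archive within any `window`, for IPs at or
    above `threshold`. A healthy client fetches an archive once; pulling the
    same one every few minutes means the update never gets applied."""
    times = defaultdict(list)
    for ip, ts, path in parse_log(text):
        if path.endswith(".tar.gz"):
            times[(ip, path)].append(ts)
    worst = {}
    for (ip, _path), stamps in times.items():
        stamps.sort()
        j = 0  # left edge of the sliding window
        for i, t in enumerate(stamps):
            while t - stamps[j] > window:
                j += 1
            worst[ip] = max(worst.get(ip, 0), i - j + 1)
    return {ip: n for ip, n in worst.items() if n >= threshold}

def top_abusers(text, n=10):
    """The 'top N IPs' list: repeat fetchers, most repeats first."""
    return sorted(repeat_fetchers(text).items(), key=lambda kv: -kv[1])[:n]
```

A client that pulls the same archive twice a day (192.0.2.55 in the sample) is not flagged; only the client retrying every few minutes is.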
