Re: [fw-wiz] Lists of IP's we should be blocking

From: Kevin (kkadow_at_gmail.com)
Date: 12/12/04

    To: firewall-wizards@honor.icsalabs.com
    Date: Sat, 11 Dec 2004 19:46:16 -0600
    
    

    On Wed, 8 Dec 2004 15:20:57 +0200, Bruce Smith
    <bruce_the_loon@worldonline.co.za> wrote:
    > Is there a list of dangerous, evil IP's that should be blocked or at least
    > watched closely at the borders of the Internet?

    No.

    There are a number of special purpose DNSBL and IP blacklists, but the
    primary reason there is no one universal block list is, who can we
    trust to build and maintain such a list?

    Obviously any "edge" gateway should have rules to only permit out
    packets showing a legitimate routable internal source (anti-spoofing
    egress filters aka URPF), and there is no reason not to block outbound
    traffic showing a destination address of your internal network,
    RFC-1918 address space, or bogons (unallocated IP space, see here for
    details: http://www.cymru.com/Bogons/)

    > Addresses like virus targets, root-kit sources and so forth.

    This gets tricky, since these tend to move around, and can be innocent
    bystanders or otherwise legitimate hosts.

    > And what is the group's opinion on the idea of a general purpose dark IP list?

    There are legitimate lists of addresses which are not valid on the Internet:
        http://bgphints.ruud.org/articles/bogons.html
        http://www.nanog.org/mtg-0410/pdf/soricelli.pdf

    These lists are effective because the contents change only very slowly
    (but bear in mind the "69/8" address block problems), and reflect a
    legitimate technical distinction between "valid" and "invalid"
    addresses. When you start getting into labeling individual hosts and
    networks as "good" and "evil", things can get very messy very quickly.

    Kevin
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
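
The egress checks described in the message above (legitimate internal source, no outbound traffic to internal, RFC-1918 or bogon destinations), as an added example that is not part of the original post. The internal prefix, the sample packets and the function names are assumptions made for illustration, and only a few fixed special-purpose IPv4 ranges stand in for a bogon list, since unallocated space changes over time and has to come from a maintained source.

```python
import ipaddress

def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

# Assumption: the site's routable internal prefix (a documentation range as stand-in).
INTERNAL = nets("198.51.100.0/24")
RFC1918 = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
# Fixed special-purpose ranges only; a real bogon list is refreshed from a feed.
STATIC_BOGONS = nets("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "240.0.0.0/4")

def within(addr, networks):
    return any(addr in n for n in networks)

def egress_verdict(src, dst, internal=INTERNAL, bogons=STATIC_BOGONS):
    """Return (action, reason) for one outbound packet at the edge gateway."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Anti-spoofing: only permit sources that belong to our own routable space.
    if not within(s, internal):
        return ("drop", "source-not-internal")
    # Traffic for our own network has no reason to leave through the border.
    if within(d, internal):
        return ("drop", "dst-internal")
    if within(d, RFC1918):
        return ("drop", "dst-rfc1918")
    if within(d, bogons):
        return ("drop", "dst-bogon")
    return ("permit", "ok")

# Constructed sample packets (src, dst); none are taken from real traffic.
SAMPLE = [
    ("198.51.100.7", "203.0.113.10"),   # normal outbound flow
    ("192.168.1.5", "203.0.113.10"),    # un-NATed private source leaking out
    ("203.0.113.99", "203.0.113.10"),   # forged external source
    ("198.51.100.7", "10.1.2.3"),       # destination in RFC-1918 space
    ("198.51.100.7", "198.51.100.20"),  # destination is our own network
    ("198.51.100.7", "240.0.0.1"),      # destination in reserved space
]

def summarize(packets):
    """Count verdict reasons so dropped classes can be watched over time."""
    counts = {}
    for src, dst in packets:
        _, reason = egress_verdict(src, dst)
        counts[reason] = counts.get(reason, 0) + 1
    return counts

if __name__ == "__main__":
    for src, dst in SAMPLE:
        print(src, "->", dst, egress_verdict(src, dst))
```
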

