Re: China Experience ?

From: Ken Blinco (ken_blinco@bridgepoint.com.au)
Date: 07/24/02


Date: Wed, 24 Jul 2002 09:16:43 +1000
From: Ken Blinco <ken_blinco@bridgepoint.com.au>
To: Chris Brenton <cbrenton@altenet.com>



> For me it was on 9/11/01. At 3:00 PM EST I started seeing a
> semi-coordinated attack against one of my clients (incidents.org) that
> involved hundreds of .cn source IP addresses. After 12 hours of chasing
> IDS & log detects, my choices were:
>
> 1) ban the whole country
> 2) not go home

Hi,

We (like most people) have talked about blocking certain ranges at our firewall for the reasons already discussed. My concern is that we are introducing a form of prejudice into the Internet, i.e. if you come from country X then you aren't allowed in, regardless of whether your intentions are friendly or hostile.

If you had a physical shop, it would be pretty dodgy if you stopped certain people from entering the shop just because they looked like they came from a particular geographical area of the world (I think that's called racism).

While I agree that some net-blocks are a source of a lot of hostile traffic, is it really fair to block all users from those netblocks? If there's any country that can benefit from the freedom of information that the internet offers, it would have to be countries like China, and yet many of us are actively restricting what information they have access to.

Perhaps we should be focusing on building our server infrastructure to better withstand attacks rather than sheepishly blocking address ranges at the perimeter?

This is not an attack against your ideas, but I'd like your comments, because I'm uncertain as to what is right or wrong here.

Regards

Ken
