Worst Offenders/Active Attackers blacklists

Edward B. DREGER eddy+public+spam at noc.everquick.net
Tue Jan 29 23:29:21 UTC 2008


PWG> Date: Tue, 29 Jan 2008 16:39:14 -0500
PWG> From: Patrick W. Gilmore

PWG> [A]re you sure you want your dynamic filters 30 or 60 minutes out
PWG> of date?

EBD> As opposed to infinitely out-of-date (i.e., no filters)?

PWG> Frequently, yes.  FPs can be more dangerous than FNs.

We're dealing with more than one issue, here:

* How to disseminate information (DNSLLs, AXFR, BGP, etc.)
* How to act on it.

I'm curious what filtering method you use that never passes a packet
from a "bad" host, yet never has an outdated ACL entry that blocks a
recently-cleaned host.  If you present your arguments to state "don't
run ACLs", fine.  Your case is a wholly valid one for not filtering.

If you contend that your position supports static ACLs versus dynamic --
forget it.  Static filters are even more prone to bitrot.  (69/8,
anyone?)  Why?  Because static \(.*\) requires more effort than dynamic
\1.

Despite dynamic routing's non-instantaneous convergence, I doubt anyone
here uses much static routing.  Do packets ever get misdirected due to
dynamic routing protocol failure?  You bet.  Do we poo-poo dynamic
routing?  Maybe, but we still decide it's the best overall approach.

Once one has the information, the question is how to act on it.
Proposition: Make the "Evil Bit" for real.  (Hear me out...)

How do people deal with spam?  Some block it outright.  Others tag,
allowing users to decide based on a numeric score.  Sometimes based on
ACL (DNSBL being just one way of communicating an ACL), sometimes based
on inspection.

Maybe one firewall drops blacklisted traffic.  Another might set the
"Evil Bit".  Perhaps inserting a new IP option would be useful.  Or map
"badness" to something like, oh... say... 802.1p priority.


PWG> Depends on your network, clients, etc.

Exactly.

Some people use default-only routing.  Others use static.  People here
run dynamic.  All have their places.

Anyone using dynamic _anything_ accepts, explicitly or implicitly, that
the information may be outdated or wrong.  This does not mean dynamic is
invalid across the board.

Ehhhh.... did I just chase a red herring?  I thought we were discussing
RIB/FIB methods, not whether or not anyone would want to run dynamic
firewall rules.


Eddy
--
Everquick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
________________________________________________________________________
DO NOT send mail to the following addresses:
davidc at brics.com -*- jfconmaapaq at intc.net -*- sam at everquick.net
Sending mail to spambait addresses is a great way to get blocked.
Ditto for broken OOO autoresponders and foolish AV software backscatter.
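An added example (editor's code, not Eddy's or anyone else's in this thread) of the "act on it" half of the argument: a consumer for a dynamic bad-host feed that ages entries out after a fixed lifetime, and downgrades a listing from "drop" to "tag the packet" once the evidence is old enough that a false positive becomes the bigger risk. The feed format ("cidr score iso8601" lines), the thresholds and the sample entries are all assumptions made for the example.

```python
"""Consume a dynamic bad-host feed, age entries out, and decide drop vs tag per source address."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Tuple


class DynamicFilter:
    """Entries expire after max_age; past half that age a DROP listing is downgraded to TAG."""

    def __init__(self, max_age: timedelta, drop_at: int = 80, tag_at: int = 40) -> None:
        self.max_age, self.drop_at, self.tag_at = max_age, drop_at, tag_at
        self.entries: List[tuple] = []   # (network, score 0-100, time feed last confirmed it)

    def load(self, feed_lines: Iterable[str]) -> int:
        """Parse 'cidr score iso8601' lines (a hypothetical feed format); returns entries held."""
        for raw in feed_lines:
            f = raw.split("#", 1)[0].split()
            if f:
                self.entries.append((ip_network(f[0], strict=False), int(f[1]),
                                     datetime.fromisoformat(f[2])))
        return len(self.entries)

    def expire(self, now: datetime) -> int:
        """Forget entries older than max_age so a cleaned host is not blocked forever; returns count."""
        kept = [e for e in self.entries if now - e[2] <= self.max_age]
        removed, self.entries = len(self.entries) - len(kept), kept
        return removed

    def decide(self, addr: str, now: datetime) -> Tuple[str, int]:
        """Return ('pass'|'tag'|'drop', score). 'tag' = set the evil bit / lower the 802.1p class."""
        ip = ip_address(addr)
        hits = [e for e in self.entries if ip in e[0] and now - e[2] <= self.max_age]
        if not hits:
            return "pass", 0
        net, score, seen = max(hits, key=lambda e: e[1])
        if score >= self.drop_at and now - seen <= self.max_age / 2:
            return "drop", score   # fresh, high-confidence listing
        if score >= self.tag_at:
            return "tag", score    # stale or mid-confidence: tag, let the receiver decide
        return "pass", score


# Constructed sample feed and clock for demonstration; not real indicators.
FEED = """
192.0.2.10/32    95  2008-01-29T23:00:00  # confirmed ten minutes ago
192.0.2.0/24     60  2008-01-29T22:30:00  # whole block, moderate score
198.51.100.9/32  90  2008-01-29T22:25:00  # 45 minutes old: too stale to drop on
198.51.100.7/32  90  2008-01-29T21:00:00  # listed two hours ago, possibly cleaned since
""".splitlines()
NOW = datetime.fromisoformat("2008-01-29T23:10:00")
```

With a 60-minute lifetime, the ten-minute-old score-95 host is dropped, the 45-minute-old score-90 host is only tagged, and the two-hour-old listing no longer matches at all.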