| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: thomas at 88.net (Thomas Lakofski) Subject: Comcast using IPS to protect the Internet from their home user clients? On Wed, 10 Mar 2004, Exibar wrote: > Filtering should not be done by the ISPs, they should provide a > pipe, and that's it. Ok, there are some circumstances, like a DoS against > your equipment, where the ISP is the only means of blocking the traffic, > that's a different story. Filtering is one thing, and I agree that it's a bad step to take for all sorts of reasons. Maybe, though, there are other ways to trap bad traffic at the ISP level? I ran LaBrea for a few months on the 3 spare IPs in my /29, which tended to seize several thousand scanning threads from all over the place, most of them indefinitely. Some hosts afflicted with particularly stupid scanners snarled hundreds of threads for weeks. This was at the cost of a staggering 1kB/s upstream bandwidth. I wonder if it would be worth it for ISPs to take a /16 or even a /15s-worth of addresses, and channel all the traffic to a few hefty boxes running something like LaBrea. With judicious interleaving of the tarpitted address space with subscriber pools, most scanners which operate tiered scanning (local net, then /24, /16, /8 etc.) will fairly quickly get their threads stuck in the local ISP tarpit. The tarpit would also make an ok compromised host detector too... I'm not sure what the downsides are besides wasted address space, and some (additional) wasted bandwidth within each ISP (or externally, if they expose the tarpits). Any opinions? cheers, -- Thomas Lakofski gpg: 1024D/81FD4B43 2B72 53DB 8104 2041 BDB4 F053 4AE5 01DF 81FD 4B43
Powered by blists - more mailing lists