Message-ID: <Pine.LNX.4.58.0403110502170.27704@o9>
From: thomas at 88.net (Thomas Lakofski)
Subject: Comcast using IPS to protect the Internet from
 their home user clients?

On Wed, 10 Mar 2004, Exibar wrote:

> Filtering should not be done by the ISPs, they should provide a
> pipe, and that's it.  Ok, there are some circumstances, like a DoS against
> your equipment, where the ISP is the only means of blocking the traffic,
> that's a different story.

Filtering is one thing, and I agree that it's a bad step to take for all
sorts of reasons.  Maybe, though, there are other ways to trap bad
traffic at the ISP level?  I ran LaBrea for a few months on the 3 spare
IPs in my /29, which tended to seize several thousand scanning threads
from all over the place, most of them indefinitely.  Some hosts
afflicted with particularly stupid scanners snarled hundreds of threads
for weeks.  This was at the cost of a staggering 1kB/s upstream
bandwidth.

I wonder if it would be worth it for ISPs to take a /16 or even a
/15s-worth of addresses, and channel all the traffic to a few hefty boxes
running something like LaBrea.  With judicious interleaving of the
tarpitted address space with subscriber pools, most scanners which
operate tiered scanning (local net, then /24, /16, /8 etc.) will fairly
quickly get their threads stuck in the local ISP tarpit.  The tarpit
would also make an ok compromised host detector too...

I'm not sure what the downsides are besides wasted address space, and
some (additional) wasted bandwidth within each ISP (or externally, if
they expose the tarpits).

Any opinions?

cheers,

-- 
Thomas Lakofski
gpg: 1024D/81FD4B43  2B72 53DB 8104 2041 BDB4  F053 4AE5 01DF 81FD 4B43
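
The "compromised host detector" idea from the message above, as an added example that is not part of the original post: subscriber addresses that connect to several distinct addresses in the interleaved tarpit space are flagged for follow-up. The address layout, the flow-record format, the threshold of three and all names below are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed layout: tarpit /24s interleaved with subscriber pools.
TARPIT_NETS = [ipaddress.ip_network(n) for n in ("10.20.1.0/24", "10.20.3.0/24")]
SUBSCRIBER_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "10.20.2.0/24")]

# Constructed flow records in a hypothetical format: "epoch src dst dport".
SAMPLE_FLOWS = """\
1078970000 10.20.0.15 10.20.1.7 445
1078970001 10.20.0.15 10.20.1.8 445
1078970002 10.20.0.15 10.20.3.9 445
1078970003 10.20.2.40 10.20.1.7 80
1078970004 192.0.2.66 10.20.1.10 135
1078970005 10.20.0.15 10.20.2.40 445
1078970006 10.20.2.41 10.20.0.15 25
garbage line
""".splitlines()


def in_any(addr, nets):
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in nets)


def suspect_subscribers(lines, min_targets=3):
    """Map each subscriber source to the sorted tarpit addresses it touched,
    keeping only sources that reached at least min_targets distinct ones.
    One stray connection to unused space is ignored; a sweep is not."""
    hits = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        try:
            src = ipaddress.ip_address(parts[1])
            dst = ipaddress.ip_address(parts[2])
        except ValueError:
            continue
        # Only local subscribers are of interest here; external sources
        # landing in the tarpit are held by it but are not our hosts.
        if in_any(src, SUBSCRIBER_NETS) and in_any(dst, TARPIT_NETS):
            hits[str(src)].add(str(dst))
    return {s: sorted(d) for s, d in hits.items() if len(d) >= min_targets}


if __name__ == "__main__":
    for src, dsts in suspect_subscribers(SAMPLE_FLOWS).items():
        print(src, "touched", len(dsts), "tarpit addresses:", ", ".join(dsts))
```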

