Full Disclosure mailing list archives

Re: Comcast using IPS to protect the Internet from their home user clients?
From: Thomas Lakofski <thomas () 88 net>
Date: Thu, 11 Mar 2004 05:20:29 +0000 (GMT)

On Wed, 10 Mar 2004, Exibar wrote:

> Filtering should not be done by the ISPs, they should provide a
> pipe, and that's it.  Ok, there are some circumstances, like a DoS against
> your equipment, where the ISP is the only means of blocking the traffic,
> that's a different story.

Filtering is one thing, and I agree that it's a bad step to take for all
sorts of reasons.  Maybe, though, there are other ways to trap bad
traffic at the ISP level?  I ran LaBrea for a few months on the 3 spare
IPs in my /29, which tended to seize several thousand scanning threads
from all over the place, most of them indefinitely.  Some hosts
afflicted with particularly stupid scanners snarled hundreds of threads
for weeks.  This was at the cost of a staggering 1kB/s upstream.

I wonder if it would be worth it for ISPs to take a /16 or even a
/15s-worth of addresses, and channel all the traffic to a few hefty boxes
running something like LaBrea.  With judicious interleaving of the
tarpitted address space with subscriber pools, most scanners which
operate tiered scanning (local net, then /24, /16, /8 etc.) will fairly
quickly get their threads stuck in the local ISP tarpit.  The tarpit
would also make an ok compromised host detector too...

I'm not sure what the downsides are besides wasted address space, and
some (additional) wasted bandwidth within each ISP (or externally, if
they expose the tarpits).

Any opinions?


Thomas Lakofski
gpg: 1024D/81FD4B43  2B72 53DB 8104 2041 BDB4  F053 4AE5 01DF 81FD 4B43

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
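The post's argument is that an ISP-level tarpit interleaved with subscriber pools would catch tiered scanners quickly, because every worker thread that touches a tarpit address is held indefinitely. The following is an added model of that claim (example code, not part of the original post or of LaBrea): a /16 is treated as 256 contiguous /24 blocks, every TARPIT_EVERY-th block is handed to the tarpit, and a scanner with a fixed thread pool walks the /16 block by block, starting with its own /24. The scanner's thread count, the tarpit spacing, and the per-connection upstream cost used by the bandwidth estimate are all constructed assumptions.

```python
"""Model of how an interleaved ISP tarpit catches a multi-threaded tiered scanner.

Constructed example (not LaBrea's own code): the /16 is 256 /24 blocks; every
TARPIT_EVERY-th block is a tarpit where every address answers the connection
and then holds it open indefinitely.  A scanner with a fixed pool of worker
threads probes one address per thread per step, walking its own /24 first and
then the rest of the /16 in order.  A thread that hits a tarpit address never
returns, so we count how many real subscriber addresses the scanner manages
to probe before all of its threads are stuck.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

BLOCK_SIZE = 256          # addresses in a /24
BLOCKS_IN_SLASH16 = 256   # /24 blocks in a /16


def tarpit_blocks(every: int, offset: int = 0) -> FrozenSet[int]:
    """Indices of the /24 blocks inside the /16 that are given to the tarpit."""
    return frozenset(range(offset, BLOCKS_IN_SLASH16, every))


@dataclass
class ScanResult:
    probed_subscriber_addrs: int      # real addresses the scanner got to touch
    stuck_threads: int                # threads held by the tarpit at the end
    steps_until_all_stuck: Optional[int]  # None if the scanner finished the /16


def simulate_scan(threads: int, tarpits: FrozenSet[int], start_block: int = 0) -> ScanResult:
    """Walk the /16 in tiered order (own /24 first) with a fixed thread pool."""
    order = [start_block] + [b for b in range(BLOCKS_IN_SLASH16) if b != start_block]
    queue = ((b, h) for b in order for h in range(BLOCK_SIZE))
    free = threads
    probed = 0
    step = 0
    exhausted = False
    while free > 0:
        step += 1
        # Every thread that is still free takes exactly one address this step.
        for _ in range(free):
            try:
                block, _host = next(queue)
            except StopIteration:
                exhausted = True
                break
            if block in tarpits:
                free -= 1     # the tarpit holds this thread for good
            else:
                probed += 1   # a subscriber address was actually scanned
        if exhausted:
            break
    return ScanResult(probed, threads - free, None if free > 0 else step)


def tarpit_upstream_bytes_per_sec(stuck_connections: int,
                                  reply_bytes: int = 40,
                                  reply_interval_s: float = 60.0) -> float:
    """Rough upstream cost of keeping connections held open.

    Assumption (constructed, not measured): each held connection costs the
    tarpit one minimal TCP segment every reply_interval_s seconds.
    """
    return stuck_connections * reply_bytes / reply_interval_s


if __name__ == "__main__":
    layout = tarpit_blocks(8, offset=4)   # tarpit every 8th /24, first at block 4
    with_tarpit = simulate_scan(threads=100, tarpits=layout, start_block=0)
    without = simulate_scan(threads=100, tarpits=frozenset(), start_block=0)
    print("with tarpit:   ", with_tarpit)
    print("without tarpit:", without)
    print("upstream cost for 3000 held connections: %.1f B/s"
          % tarpit_upstream_bytes_per_sec(3000))
```

With a tarpit block every eighth /24 the 100-thread scanner covers only the four subscriber blocks ahead of the first tarpit before every thread is held, whereas with no tarpit it walks the whole /16. The address-space cost in this layout is one eighth of the /16, which is the trade-off the post raises.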
