I am making this suggestion based on Ron DuFresne's [dufresne@winternet.com] email "You're on your own now" last week. I am open to everyone's thoughts on whether it is a good idea or not, and to any suggestions that you may have. This has been written very quickly and is intended as an overview of the idea only.

Background

As firewall administrators we have all seen a variety of attempts against the networks that we have been hired to protect; these attacks range from stab-in-the-dark probes to pinpoint, purposeful attacks. However, a large number of attacks come from a small number of IP addresses, and furthermore most of the attacks are aimed at wide ranges of IP addresses, so they affect more than one company and therefore more than one firewall administrator. The majority of these attacks are harmless (attacks against ports such as 23, 111, 135, 137, and 139) as they are usually stopped by our border firewalls.

Suggestion

What is needed is a facility to allow us to coordinate our efforts to protect ourselves from that small number of IP addresses that probe our networks CONSTANTLY. The most effective way for us to do this, I believe, is a service similar to ORBS, but instead of tracking open mail relays it tracks IP addresses that are known threats. Ideally the system would allow IP addresses to be split into categories, and firewall administrators could then download pre-written rule sets for various firewalls to block the IP addresses in the categories that they select. A system such as this would quickly reduce the effectiveness of attacks from these IP addresses, as numerous firewalls would block these ranges even before the attack is attempted against them.
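As an added illustration (not code from the original post or from ORBS or any existing service), here is a small Python aggregator that implements the mechanics proposed above together with the safeguards listed under "Potential Problems": only registered administrators may report, a report must carry a log excerpt, a quorum of distinct reporters is needed before a block rule goes live, rules expire per category, the address owner can have a rule withdrawn, and administrators pull pre-written rules only for the categories they opt into. The category names and lifetimes, the quorum of two, the administrator registry, the iptables output format and the TEST-NET sample reports are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed category -> rule lifetime; the post proposes expiry but gives no values.
CATEGORIES = {
    "portscan": timedelta(days=7),
    "exploit": timedelta(days=30),
}
QUORUM = 2  # assumed: distinct registered reporters required before a rule goes live
NOW = datetime(2001, 1, 1)  # constructed clock so the sample is reproducible

# Constructed registry of firewall administrators allowed to submit reports.
REGISTERED = {"alice@fw.example", "bob@fw.example", "carol@fw.example"}

# Source ranges that should never end up in a shared blocklist: they are either
# non-routable or routinely spoofed, so a report naming them is noise or abuse.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _blockable(addr) -> bool:
    """True if the address is the kind of remote source a block rule makes sense for."""
    if addr.is_loopback or addr.is_multicast or addr.is_link_local or addr.is_unspecified:
        return False
    return not any(addr in net for net in RFC1918)


@dataclass
class Report:
    reporter: str
    ip: str
    category: str
    seen_at: datetime
    log_excerpt: str  # the post requires log evidence with every report


@dataclass
class Aggregator:
    quorum: int = QUORUM
    # (ip, category) -> {reporter: Report}; one vote per reporter, so a single
    # administrator re-submitting the same address cannot reach quorum alone.
    reports: dict = field(default_factory=dict)

    def submit(self, r: Report) -> bool:
        """Store a report only if it passes every safeguard; return True if stored."""
        if r.reporter not in REGISTERED or r.category not in CATEGORIES:
            return False
        if not r.log_excerpt.strip():
            return False
        try:
            addr = ipaddress.ip_address(r.ip)
        except ValueError:
            return False
        if not _blockable(addr):
            return False
        self.reports.setdefault((str(addr), r.category), {})[r.reporter] = r
        return True

    def active(self, category: str, now: datetime) -> list:
        """Addresses whose quorum of *unexpired* reports is met for this category."""
        ttl = CATEGORIES[category]
        out = []
        for (ip, cat), by_reporter in self.reports.items():
            if cat != category:
                continue
            fresh = [r for r in by_reporter.values() if now - r.seen_at <= ttl]
            if len(fresh) >= self.quorum:
                out.append(ip)
        return sorted(out)

    def withdraw(self, ip: str, category: str) -> None:
        """Drop a rule after a successful application from the address owner."""
        self.reports.pop((ip, category), None)

    def ruleset(self, categories, now: datetime) -> list:
        """Pre-written iptables DROP rules for the categories an admin opted into."""
        lines = []
        for cat in categories:
            for ip in self.active(cat, now):
                lines.append(f"iptables -A INPUT -s {ip} -j DROP  # {cat}")
        return lines


def build_sample(now: datetime = NOW) -> Aggregator:
    """Constructed sample reports (TEST-NET addresses) exercising each safeguard."""
    agg = Aggregator()
    # Two registered admins report the same scanner -> quorum met, rule goes live.
    agg.submit(Report("alice@fw.example", "203.0.113.5", "portscan", now, "DROP src=203.0.113.5 dpt=139"))
    agg.submit(Report("bob@fw.example", "203.0.113.5", "portscan", now, "DROP src=203.0.113.5 dpt=135"))
    # A single report stays pending until someone else confirms it.
    agg.submit(Report("carol@fw.example", "198.51.100.7", "portscan", now, "DROP src=198.51.100.7 dpt=111"))
    # Quorum was reached, but both reports are older than the category lifetime.
    old = now - timedelta(days=10)
    agg.submit(Report("alice@fw.example", "192.0.2.9", "portscan", old, "DROP src=192.0.2.9 dpt=23"))
    agg.submit(Report("bob@fw.example", "192.0.2.9", "portscan", old, "DROP src=192.0.2.9 dpt=23"))
    return agg


if __name__ == "__main__":
    for line in build_sample().ruleset(["portscan"], NOW):
        print(line)
```

Run as a script it prints a single rule for 203.0.113.5; the pending and expired addresses never reach the rule set. Keying votes by reporter rather than counting raw submissions is what makes the quorum safeguard meaningful, and the per-category lifetime means a one-off scanner ages out of the list without anyone having to file a removal request.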
Potential Problems

* System could be abused by people blocking good IP addresses
  - Possible Soln: Firewall administrators have to register to block IP addresses
  - Possible Soln: Multiple requests to block the same IP address have to be received before the rule is activated
  - Possible Soln: Log files have to be provided

* Too many rules may be generated
  - Possible Soln: Rules may be split into categories and firewall administrators can choose which categories they wish to use
  - Possible Soln: Rules in certain categories may expire after a certain time period

* Spoofing of IP addresses
  - Possible Soln: Protected somewhat by the measures shown under "System could be abused by people blocking good IP addresses"
  - Possible Soln: Rules may be removed by successful application from the owner of the IP address/range

Any thoughts on this would be greatly appreciated.

Kind Regards
William Bartholomew

_______________________________________________
Firewalls mailing list
Firewalls@lists.gnac.net
http://lists.gnac.net/mailman/listinfo/firewalls