
RE: [Snort-users] Country blocking?



01-19-2005
Matt Kettler

At 09:30 AM 1/18/2005, Donofrio, Lewis wrote:
>Anything from RIPE.NET could be blocked as far as I can tell....


Just curious.. do you work for Verizon?

http://www.theregister.co.uk/2005/01...n_email_block/

Let's face it, from a security perspective geographic regions are a
particularly lousy category for blocking. Most US companies have overseas
branches, and many "US" companies actually host their websites,
mail systems, etc. in their foreign branches, or outsource them to foreign
hosting firms.

Currently I'm seeing most of my spam and network attacks originating from
DSL, cable and dialup nodes in the US. AT&T, ALGX, Comcast, Roadrunner and
Verizon are all FREQUENT sources of attack, and collectively represent
about 50% of my attack volume. From that perspective, the safest approach
is to block all end-users from being able to access my systems.

Sure, if you're a US company, mostly doing business with other US-based
interests, most of your useful traffic is going to come from the US, and
conversely, very little from outside of it.

It might be tempting to just drop whole regions of the world, but let's
face it, you're not buying yourself anything. It's like putting a
west-facing wall outside a building, with no other sides to it. The enemy
just has to walk around the wall and come from the south. Were this a
battlefield you might have bought yourself some extra time to bombard them
with artillery. However in network attacks they'll just go away and come
back an hour later from another IP, and you'll have very little idea it's
the same attacker. They can certainly come back fast enough that you won't
have had time to do anything to the actual person that is the source of the
attacks.

You're closing yourself off to attacks launched from machines in one
country, but who cares when your average Joe can buy a zombie net of
thousands of US-based home user machines. You're still as vulnerable to
attack as you were before, you've only limited the angle they have to come
from.





