[VoiceOps] [VOIPSEC] Web Attacker Blacklist

J. Oquendo sil at infiltrated.net
Tue Oct 22 16:19:37 EDT 2013

On Tue, 22 Oct 2013, Sergey Kolesnichenko wrote:

> If I ever want to do something bad I would check if my IP is the public
> lists. If I ever want to protect my scripts I will never rely on 3rd party
> blacklists. And I think modsecurity.org saves the day for web
> applications...

You're missing the purpose of the list. Not everyone can,
will, or has the capability of running modsecurity. I do
so I am fully aware of how to blacklist/filter attacks.
Filtering - while it helps me, helps me solely because I
have taken the time to implement strong (overly aggressive)
rules. What about the others who can't/don't run filters
such as modsecurity. So for starters, it helps others see
who is doing what on other networks under the premise that
"if it hits me, it can hit you too."

Secondly, accountability. Having maintained my blacklists
for some time now, I get a lot of requests to have IP
addresses taken off the blacklists. Many are companies that
didn't even know they were compromised. Because of the list
and people blocking the IP, they quickly fix their networks
to where before, they'd of never known.

Thirdly, research. I can't count the number of times that
articles were written with no attributable addresses. By
posting addresses publicly, anyone doing research into
cybercrime related themese (botnets, etc.) can see addresses
firsthand and if necessary, I would supply them for the
exact attack vector used by an address.

Finally, its no secret that most attackers do this (check
against blacklists). At some point in time the theory is,
they're gonna run out of addresses, and compromisable hosts
once companies and individuals running websites get their
acts in order. NO COMPANY wants to have entire netblocks

J. Oquendo

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF

More information about the VoiceOps mailing list