<html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: arial,helvetica,sans-serif; font-size: 10pt; color: #000000'>It was just meant as a blanket statement. When automating blacklists, make sure you understand what is blocked and what is not. If you whitelist everything known good, then that's one way to skin the cat. I'm sure there are others.<br><br><div><span name="x"></span><br><br>-----<br>Mike Hammett<br>Intelligent Computing Solutions<br>http://www.ics-il.com<br><br><br><br>Midwest Internet Exchange<br>http://www.midwest-ix.com<br><br><span name="x"></span><br></div><br><hr id="zwchr"><div style="color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><b>From: </b>"Gavin Henry" <ghenry@suretec.co.uk><br><b>To: </b>"Mike Hammett" <voiceops@ics-il.net><br><b>Cc: </b>"Fred Posner" <fred@palner.com>, "VoiceOps" <voiceops@voiceops.org><br><b>Sent: </b>Monday, January 3, 2022 11:12:36 AM<br><b>Subject: </b>Re: [VoiceOps] SentryPeer: A distributed peer to peer list of bad IP addresses and phone numbers collected via a SIP Honeypot<br><br>On Mon, 3 Jan 2022 at 15:44, Mike Hammett <voiceops@ics-il.net> wrote:<br>><br>> *nods* being UDP, it could be easy to spoof someone else to get them blocked. When I automated honeypot -> ACL, I shut myself out of Google's authoritative DNS servers, assuming because of spoofing. There could have been more than I didn't even realize.<br>><br><br>What's the gain of spoofing/poisoning if you are going to do "allow<br>lists" for all your important IPs and only block on your important<br>ports (SIP etc) with Fail2ban? I suppose, "just because I can".<br><br>> Gotta protect against that kind of stuff.<br></div><br></div></body></html>