Questions about unresolvable IP addresses

View Poll Results: AO Security Poll : Make Your Vote Count!

Voters
13. You may not vote on this poll
  • Memories and Wet Dreams

    2 15.38%
  • Smelly Humans

    4 30.77%
  • Hic! I'm Drunk

    4 30.77%
  • I Have No Life

    3 23.08%
Page 1 of 2 12 LastLast
Results 1 to 10 of 16

Thread: Questions about unresolvable IP addresses

  1. #1
    Senior Member frpeter's Avatar
    Join Date
    Dec 2004
    Posts
    131

    Exclamation Questions about unresolvable IP addresses

    Hello,

    I have been reading where many system administrators have decided to block all access to their systems from IP addresses that do not resolve. I have heard and read both sides of the debate and see this as the "golden double-edged sword" where it could be a blessing beyound all or a devistating curse.

    I would like input and opinions from AO users. I have been considering this for two years now for my servers seeing that harvesters and spammers tend to proliferate in the unresolvable blocks.

    Any input on this issue is greatly appreciated. Thank you in advance.

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    It's silly.... half the internet doesn't "resolve"... You cut off an entire userbase if you do.... But then again, in certain circumstances.. it may not be a bad thing... But the internet is about connectivity not privacy..... in a way...
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  3. #3
    Senior Member
    Join Date
    Dec 2004
    Posts
    107
    If you could block certain ports from addresses that don't resolve, you might be onto something That way you could still offer some functionality to the whole world (like the most basic services, depending on what you're trying to accomplish)...

    Out of curiosity, what kind of services are you running that you're concerned about? Besides, an address that does resolve in no way gives them any more trustworthiness...
    Alright Brain, you don\'t like me, and I don\'t like you. But let\'s just do this, and I can get back to killing you with beer.
    -- Homer S.

  4. #4
    Senior Member frpeter's Avatar
    Join Date
    Dec 2004
    Posts
    131
    Hello,

    At this point, the serverices that rank the highest are email, ftp, web.

    Thank you in advance.

  5. #5
    Senior Member frpeter's Avatar
    Join Date
    Dec 2004
    Posts
    131
    Hello,

    Considering the issues facing system administrators and users these days, I am surprised in the lack of interest in this issue.

    Does anyone even care about the decisions being made about internet connectivity and wheather or not their serverces could be interrupted by admins blocking unresolable IP addresses?

  6. #6
    Gray Haired Old Fart aeallison's Avatar
    Join Date
    Jul 2002
    Location
    Buffalo, Missouri USA
    Posts
    888
    I am surprised in the lack of interest in this issue.
    Its not a lack of interest, it is a lack of useable information for anyone to base an educated opinion.
    I have a question; are you the bug, or the windshield?

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    It's not even a lack of usable information. As I said above 50% of the internet is unresolvable. Since you can't determine, (easily), which ones that aren't resolvable are really "valid" you have no choice but to block everything that doesn' resolve.

    I did look at blocking access to my public services from certain countries since there would be no conceivable reason for them to need to connect. The result of my "investigation" was that, unfortunately, the netblocks are so fragmented that the amount of work required to effect this kind of proactive action would not be close to being "cost" effective.

    That's my $2 on the whole issue.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  8. #8
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    i dont think that you can see if an ip is "Good" or "Evil" just because it can been resolved to a name.
    Examples:
    There is tons of ISP dialup providers that has no name resolution. So will you ban a lot of customers just because they cant afford an ADSL?
    There is a lot of IPs that have a "name", but they are bad, bad bad. For example, some companies here banned SMTP servers that has IP addresses on adsl (home) range. Why? because spammers use to use those adsl links (cheap) to promote their business.
    Maybe in a specific business this kind if IP Ban can fit, but as a generic speach, no.
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  9. #9
    Senior Member frpeter's Avatar
    Join Date
    Dec 2004
    Posts
    131
    Hello,

    Thank to the people that have responded. Given the slant on this issue being against blocking unresolvable IP addresses, the following questions becon to be asked:

    1. Why then is a blanket block on unresolvable IP addresses becoming increasingly popular?

    2. Any opinions as to why ISP and the like do not atleast use a resolvable in.arpa reverse resolution? Especially considering that large blocks can be written out with a simple bash script?

    Thank you in advance.

  10. #10
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    Hi Frpeter,

    This is not my area of expertise, so I am going on stuff I have heard and read over the past year or so.

    I think that cacosapo has a point:

    Maybe in a specific business this kind if IP Ban can fit, but as a generic speach, no
    I have heard of the practice becoming increasingly used in an e-mail context. That I can sort of understand because of the spam angle.

    Cheers
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides