March 16th, 2005, 01:27 AM
#1
Questions about unresolvable IP addresses
Hello,
I have been reading where many system administrators have decided to block all access to their systems from IP addresses that do not resolve. I have heard and read both sides of the debate and see this as the "golden double-edged sword" where it could be a blessing beyond all or a devastating curse.
I would like input and opinions from AO users. I have been considering this for two years now for my servers seeing that harvesters and spammers tend to proliferate in the unresolvable blocks.
Any input on this issue is greatly appreciated. Thank you in advance.
-
March 16th, 2005, 01:40 AM
#2
It's silly.... half the internet doesn't "resolve"... You cut off an entire userbase if you do.... But then again, in certain circumstances.. it may not be a bad thing... But the internet is about connectivity not privacy..... in a way...
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
March 16th, 2005, 01:45 AM
#3
If you could block certain ports from addresses that don't resolve, you might be onto something. That way you could still offer some functionality to the whole world (like the most basic services, depending on what you're trying to accomplish)...
Out of curiosity, what kind of services are you running that you're concerned about? Besides, an address that does resolve in no way gives them any more trustworthiness...
Alright Brain, you don't like me, and I don't like you. But let's just do this, and I can get back to killing you with beer.
-- Homer S.
-
March 16th, 2005, 02:08 AM
#4
Hello,
At this point, the services that rank the highest are email, ftp, web.
Thank you in advance.
-
March 21st, 2005, 06:27 AM
#5
Hello,
Considering the issues facing system administrators and users these days, I am surprised in the lack of interest in this issue.
Does anyone even care about the decisions being made about internet connectivity and whether or not their services could be interrupted by admins blocking unresolvable IP addresses?
-
March 21st, 2005, 12:16 PM
#6
I am surprised in the lack of interest in this issue.
It's not a lack of interest, it is a lack of usable information for anyone to base an educated opinion.
I have a question; are you the bug, or the windshield?
-
March 21st, 2005, 02:03 PM
#7
It's not even a lack of usable information. As I said above 50% of the internet is unresolvable. Since you can't determine, (easily), which ones that aren't resolvable are really "valid" you have no choice but to block everything that doesn't resolve.
I did look at blocking access to my public services from certain countries since there would be no conceivable reason for them to need to connect. The result of my "investigation" was that, unfortunately, the netblocks are so fragmented that the amount of work required to effect this kind of proactive action would not be close to being "cost" effective.
That's my $2 on the whole issue.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
March 21st, 2005, 06:00 PM
#8
I don't think that you can see if an IP is "Good" or "Evil" just because it can be resolved to a name.
Examples:
There are tons of ISP dialup providers that have no name resolution. So will you ban a lot of customers just because they can't afford an ADSL?
There are a lot of IPs that have a "name", but they are bad, bad bad. For example, some companies here banned SMTP servers that have IP addresses on adsl (home) range. Why? Because spammers use to use those adsl links (cheap) to promote their business.
Maybe in a specific business this kind of IP Ban can fit, but as a generic speech, no.
My site
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt. If I die before I wake, I pray the Lord my soul to brake.
-
March 22nd, 2005, 12:56 AM
#9
Hello,
Thanks to the people that have responded. Given the slant on this issue being against blocking unresolvable IP addresses, the following questions beckon to be asked:
1. Why then is a blanket block on unresolvable IP addresses becoming increasingly popular?
2. Any opinions as to why ISP and the like do not at least use a resolvable in.arpa reverse resolution? Especially considering that large blocks can be written out with a simple bash script?
Thank you in advance.
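
Post #9 mentions writing out reverse records for a whole block with a simple shell script. As an added example that is not part of the thread, the sketch below emits BIND-style PTR records for a /24 together with the matching forward A records, so a reverse lookup followed by a forward lookup returns the same address. The block 198.51.100.0/24, the domain example.net and the host-A-B-C-D naming pattern are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. 198.51.100.0/24 (documentation range) and
# example.net are placeholders; the host-A-B-C-D name pattern is an assumption.

# Succeed only if $1 is a decimal number, without leading zeros, in [$2, $3].
in_range() {
    case "$1" in ''|*[!0-9]*|0?*) return 1 ;; esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# gen_records MODE PREFIX FIRST LAST DOMAIN
#   MODE=ptr : reverse records, owner name d.c.b.a.in-addr.arpa.
#   MODE=a   : the matching forward records, so a PTR lookup followed by an
#              A lookup lands back on the same address.
# PREFIX is the first three octets of a /24 (a.b.c); FIRST..LAST are host octets.
gen_records() (
    mode=$1 prefix=$2 first=$3 last=$4 domain=$5
    case "$mode" in ptr|a) ;; *) exit 1 ;; esac
    case "$prefix" in *.*.*.*) exit 1 ;; *.*.*) ;; *) exit 1 ;; esac
    case "$domain" in ''|*[!A-Za-z0-9.-]*) exit 1 ;; esac
    a=${prefix%%.*}; rest=${prefix#*.}; b=${rest%%.*}; c=${rest#*.}
    for o in "$a" "$b" "$c"; do in_range "$o" 0 255 || exit 1; done
    in_range "$first" 0 255 || exit 1
    in_range "$last" "$first" 255 || exit 1
    d=$first
    while [ "$d" -le "$last" ]; do
        name="host-$a-$b-$c-$d.$domain."
        if [ "$mode" = ptr ]; then
            # Octets are reversed in the in-addr.arpa owner name.
            printf '%s.%s.%s.%s.in-addr.arpa. IN PTR %s\n' "$d" "$c" "$b" "$a" "$name"
        else
            printf '%s IN A %s.%s.%s.%s\n' "$name" "$a" "$b" "$c" "$d"
        fi
        d=$((d + 1))
    done
)

# Reverse and forward records for hosts .1 to .3 of the constructed block.
gen_records ptr 198.51.100 1 3 example.net
gen_records a   198.51.100 1 3 example.net
```
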
-
March 22nd, 2005, 02:37 AM
#10
Hi Frpeter,
This is not my area of expertise, so I am going on stuff I have heard and read over the past year or so.
I think that cacosapo has a point:
Maybe in a specific business this kind of IP Ban can fit, but as a generic speech, no
I have heard of the practice becoming increasingly used in an e-mail context. That I can sort of understand because of the spam angle.
Cheers