I think its a great idea in general, but you need some way of making sure it is fairly legit...
Does anyone here run a honey pot? With the number of increased attacks its possible to setup a "dummy" asterisk server with open SIP ports and just wait for someone to attempt to connect to it... then auto add all of those lists to the DB.... This wouldnt be too hard to implement! Jason ________________________________ From: Matthew Gamble <[email protected]> To: Bruce N <[email protected]>; asterisk Mailing <[email protected]> Sent: Wed, September 1, 2010 8:21:15 PM Subject: Re: [on-asterisk] Crowd sourcing rules for blocking hacking attempts? Bruce, What I'm proposing (and actually just started writing the code for) is a system where we allow anyone to sign up (the power of the crowds) but require a few things: 1) Authenticated email address. Not hard to get, but it does stop random signups 2) Reports from new accounts are not added to the global list for X days to monitor the quality of the data they are submitting. Further to the above, I'm adding a "score" feature to the output, so when you request a list of "bad" hosts you would get a file with IP, last reported date, and "score". The score would be a function of a few things: 1) How well do you trust the reporter(s)? Age of accounts, never flagged for reporting bad data, etc 2) How many people reported this IP? 1? It wouldn't be in the database until a few different sites reported it, etc 3) Other criteria I'm still writing. The third piece of security would be a system for people to "flag" data as being bad, creating a feedback loop to ensure that if a person submitted false data that it was quickly removed from the DB. Remember that crowd sourced rule systems already work for email (Cloudmark for example) and with a trust system and good scoring rules the issue of false positives becomes much less of a risk. On Wed, Sep 1, 2010 at 8:13 PM, Bruce N <[email protected]> wrote: > Hello Mathew, > > Are you suggesting an open system for everyone and anyone to input an IP > address? Two scenarios: > > 1- Allow only people who you trust - > CONS: > a- Still can't negate the fact that some authorized > user may mistakenly put a client's IP in the "BAD" IP table. > b- Limiting the number of reported "BAD" IPs to the > number of trusted people which I would like to believe would be very small > or else it won't be a trusted circle. > PROS: > a- Can be MORE or LESS a trusted database - As long > as no bulk IPs are allowed to be entered and there are restrictions to add > more than 1 IP per hour let's say. > > 2- Allow anyone to sign-up and add "BAD" IPs. > CONS: > a- Anyone can sign-up. Even the cracker!!! He can > put our legit IPs in the database and "BOOM", shutdown service for clients > for no good reason. I mean an IP that is "BAD" today can be a potential > customer tomorrow. What would be the rules to remove them when you have a > whole bunch of people submitting these - specially if this grows really big. > b- The list will grow so big that it won't be > possible to handle or it might again block legit users as the attacks are > usually co-ordinated not from the cracker IP address but rather compromised > servers and it might literally block a good portion of the USA continental > as lots of attacks do originate from compromised servers in USA while the > cracker is enjoying his tea break in Russia. > > PROS: > a- Would be a more complete list of "BAD" IP > addresses. > > These work around will be somehow useful but isnt' it about time that SIP > becomes more transparent to the common folks (simpler, less ambiguous > output, and more manageable SIP debug) - as it's becoming more commonplace > now-a-days? Or maybe pay more attention to it's security feature innately > like other popular protocols rather than keeping them as an option for the > user to turn on? As an example, just few years ago, all wireless routers > were possible to setup without a wireless security (one could literally jump > from neighbour to neighbour in the whole block) and now any router you take > out of the box either has a randomly generated wireless password or asks for > one before setting up the wireless leaving you with no access to neighbours > hot spot. > > -Bruce > > >> Date: Wed, 1 Sep 2010 19:48:54 -0400 >> From: [email protected] >> To: [email protected] >> Subject: [on-asterisk] Crowd sourcing rules for blocking hacking attempts? >> >> I've been following the threads over the past weeks about Asterisk >> hacks being on the rise, and I have to say I've been seeing the same >> thing in my logs. >> >> I'm wondering if there is any community interest in creating a >> database of known "attack" IP's that we could all update our IPTables >> or other firewall rules with? I'm thinking we create some interface >> for people to submit hosts they have blocked and a second interface >> for people to download a list of "bad hosts" with number of reports. >> >> If anyone is interested in working on something like this please let >> me know. I don't mind hosting / writing / running it, but I would >> like to know that the community would use it before I invest the time >> to set it up. >> >> Thanks! >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: [email protected] >> For additional commands, e-mail: [email protected] >> > --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
