
Re: [ietf-smtp] Auth Crackers was [Shutup] Levels of proposals

2015-12-06 16:57:37
On Fri, Dec 04, 2015 at 01:44:03PM +0000, Paul Smith wrote:
> If there was a "central" repository of IP addresses which have
> generated failed login attempts to ANY server, then it seems to me
> to make sense that you could catch them quicker [snip]
>
> Probably a stupid idea, what with scaling, potential for abuse, etc,
> but may be worth considering for a second or two.

It's not a stupid idea, but it does have serious operational, scalability,
privacy, and security problems.  For example (and this is not exhaustive):

- how do we decide who gets to submit data?

- how do we know what they're submitting is valid?

- how do we anonymize the data (which is a much more difficult
problem than it might first appear)?

- what happens when botnet operators decide to have some fun with this
and generate 6B failed login attempts to 50M servers from 400M addresses?

- how do we query this repository?

- how and when do we remove entries from it?

And so on.

This also presumes that your attackers are my attackers for many
values of {you, me}.  And sometimes that's true.  But quite often
it's not.  I think an operation-specific approach which combines
(a) a priori knowledge of where legitimate login attempts will
originate and (b) logs of failed logins to all servers/services
with the operation is probably more useful.  I've built many
variations of such things, and one of their useful properties
is that they can be deployed "untuned", i.e., as a rough draft,
and then gradually refined over time as experience accumulates.
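
An added example, not part of the original message or the author's own tooling: a rough-draft version of the operation-specific approach described above, combining (a) a list of networks where legitimate logins are expected with (b) failed-login records pooled from several services. The log format, network ranges, limits and function names are all assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: networks where this operation's legitimate logins originate.
EXPECTED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:10::/48")]
# Untuned first-draft limits, meant to be refined as experience accumulates.
UNEXPECTED_LIMIT = 3   # failures tolerated from a source outside EXPECTED_NETS
EXPECTED_LIMIT = 10    # users on known networks mistype passwords; be lenient

# Constructed sample in a hypothetical normalized format shared by all services.
SAMPLE_LOG = """\
2015-12-04T13:00:01Z mx1 smtp auth-failed user=alice ip=198.51.100.7
2015-12-04T13:00:02Z mx1 smtp auth-failed user=bob ip=198.51.100.7
2015-12-04T13:00:09Z imap1 imap auth-failed user=alice ip=198.51.100.7
2015-12-04T13:01:00Z imap1 imap auth-failed user=carol ip=192.0.2.15
2015-12-04T13:01:05Z imap1 imap auth-failed user=carol ip=192.0.2.15
2015-12-04T13:01:11Z imap1 imap auth-failed user=carol ip=192.0.2.15
2015-12-04T13:01:20Z imap1 imap auth-failed user=carol ip=192.0.2.15
2015-12-04T13:02:00Z web1 webmail auth-failed user=dave ip=203.0.113.9
garbage line that does not parse
"""

LINE_RE = re.compile(r"^\S+ (\S+) (\S+) auth-failed user=(\S+) ip=(\S+)$")

def parse(lines):
    """Yield (service, ip) for each well-formed failed-login line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            yield m.group(2), ipaddress.ip_address(m.group(4))
        except ValueError:
            continue  # malformed address: skip rather than crash

def flag(lines):
    """Return {ip: (failure_count, services)} for sources over their limit."""
    counts, services = defaultdict(int), defaultdict(set)
    for service, ip in parse(lines):
        counts[ip] += 1
        services[ip].add(service)
    flagged = {}
    for ip, n in counts.items():
        expected = any(ip in net for net in EXPECTED_NETS)
        if n >= (EXPECTED_LIMIT if expected else UNEXPECTED_LIMIT):
            flagged[str(ip)] = (n, sorted(services[ip]))
    return flagged

if __name__ == "__main__":
    for ip, (n, svcs) in flag(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} failed logins across {', '.join(svcs)}")
```

On the constructed sample only 198.51.100.7 is flagged: it is outside the expected networks and fails against two services, while the four failures from 192.0.2.15 stay under the more lenient limit for known networks.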


ietf-smtp mailing list