It was just meant as a blanket statement. When automating blacklists, make sure you understand what is blocked and what is not. If you whitelist everything known good, then that's one way to skin the cat. I'm sure there are others.
-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest Internet Exchange
http://www.midwest-ix.com

----- Original Message -----
From: "Gavin Henry" <[email protected]>
To: "Mike Hammett" <[email protected]>
Cc: "Fred Posner" <[email protected]>, "VoiceOps" <[email protected]>
Sent: Monday, January 3, 2022 11:12:36 AM
Subject: Re: [VoiceOps] SentryPeer: A distributed peer to peer list of bad IP addresses and phone numbers collected via a SIP Honeypot

On Mon, 3 Jan 2022 at 15:44, Mike Hammett <[email protected]> wrote:
>
> *nods* being UDP, it could be easy to spoof someone else to get them blocked.
> When I automated honeypot -> ACL, I shut myself out of Google's authoritative
> DNS servers, assuming because of spoofing. There could have been more that I
> didn't even realize.
>

What's the gain of spoofing/poisoning if you are going to do "allow lists" for all your important IPs and only block on your important ports (SIP etc) with Fail2ban? I suppose, "just because I can".

> Gotta protect against that kind of stuff.
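The allow-list guard discussed in this thread, as an added example that is not part of the original messages or of SentryPeer: honeypot-reported sources are checked against known-good networks before anything reaches the ACL, blocks are scoped to SIP ports only, and every skipped entry is recorded with a reason so it stays clear what is blocked and what is not. The function name, the allow-list ranges, the port list and the sample addresses are all constructed for illustration.

```python
import ipaddress

# Constructed allow list (documentation ranges standing in for "known good"
# infrastructure such as upstream DNS servers). Not taken from the thread.
ALLOW_LIST = ["198.51.100.0/24", "2001:db8:53::/48"]
BLOCK_PORTS = (5060, 5061)  # assumed "important ports": SIP and SIP over TLS

# Constructed honeypot output: one address is a spoofed allow-listed source.
SAMPLE = ["203.0.113.9", "198.51.100.53", "203.0.113.9",
          "not-an-ip", "2001:db8:53::1", "192.0.2.77"]


def plan_blocks(candidates, allow_list=ALLOW_LIST, ports=BLOCK_PORTS):
    """Split honeypot-reported sources into block entries and skipped entries.

    Returns (blocks, skipped): blocks is a list of (ip, port) pairs to deny,
    skipped is a list of (value, reason) so every decision can be reviewed.
    """
    nets = [ipaddress.ip_network(n) for n in allow_list]
    blocks, skipped, seen = [], [], set()
    for raw in candidates:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            skipped.append((raw, "unparseable"))
            continue
        if ip in seen:  # report each source once, however often it was seen
            continue
        seen.add(ip)
        # An IPv4 address is never "in" an IPv6 network (and vice versa),
        # so a mixed allow list needs no special handling.
        hit = next((n for n in nets if ip in n), None)
        if hit is not None:
            skipped.append((str(ip), f"allow-listed by {hit}"))
        else:
            # Deny only on the listed ports, never the whole host.
            blocks.extend((str(ip), p) for p in ports)
    return blocks, skipped


if __name__ == "__main__":
    blocks, skipped = plan_blocks(SAMPLE)
    for ip, port in blocks:
        print(f"block {ip} dport {port}")
    for value, reason in skipped:
        print(f"skip  {value}: {reason}")
```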
