Swiki pollution...

Ned Konz ned at bike-nomad.com
Mon Aug 26 23:37:55 UTC 2002


On Monday 26 August 2002 01:05 pm, Alain Fischer wrote:
> ip68-7-80-223.sd.sd.cox.net has locked
> http://minnow.cc.gatech.edu/squeak/1184
>
> In the last weeks I have tried to restore the swiki to keep our
> invaluable Squeak documentation. But now, I wasn't able to restore it.
>
> Perhaps a simple scheme that could possibly work in most cases is to
> have a list of IP addresses or ranges of addresses with editing
> capability disallowed.
> This seems to be a low cost solution. I know that it's easy to
> switch to another provider with another range of IPs, but it's more
> work for the malicious one. After a few weeks, I think the swiki will
> be free of these bad boys.

I don't think this will work. For one thing, 
ip68-7-80-223.sd.sd.cox.net was probably not the actual IP of the 
locker/editor of the page.

$ sudo nmap 68.7.80.223

Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on ip68-7-80-223.sd.sd.cox.net (68.7.80.223):
(The 1542 ports scanned but not shown below are in state: closed)
Port       State       Service
25/tcp     filtered    smtp
80/tcp     filtered    http
111/tcp    filtered    sunrpc
119/tcp    filtered    nntp
135/tcp    filtered    loc-srv
136/tcp    filtered    profile
137/tcp    filtered    netbios-ns
138/tcp    filtered    netbios-dgm
139/tcp    filtered    netbios-ssn
445/tcp    filtered    microsoft-ds
27374/tcp  filtered    subseven
31337/tcp  filtered    Elite

In other words, this machine is a (probably cable connected) Win9x 
machine that has been infected by the Sub7 (port 27374) and the Back 
Orifice (port 31337) trojans. This machine and many similarly 
infected machines can be used remotely (and easily, which is 
important to the script kiddies) to attack other machines.

How will an IP-based protection scheme work when there are thousands 
of IP addresses for each attacker to choose from?

-- 
Ned Konz
http://bike-nomad.com
GPG key ID: BEEA7EFE
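
Added example (not part of the original message): a small parser for the port table quoted in the scan above, grouping ports by the state nmap reported. nmap uses `filtered` when packet filtering prevents it from determining whether a port is open, and `open` only when a service answered the probe; the function names here are hypothetical.

```python
import re
from collections import defaultdict

# Port table copied from the scan output quoted in the message above.
SCAN_OUTPUT = """\
Interesting ports on ip68-7-80-223.sd.sd.cox.net (68.7.80.223):
(The 1542 ports scanned but not shown below are in state: closed)
Port       State       Service
25/tcp     filtered    smtp
80/tcp     filtered    http
111/tcp    filtered    sunrpc
119/tcp    filtered    nntp
135/tcp    filtered    loc-srv
136/tcp    filtered    profile
137/tcp    filtered    netbios-ns
138/tcp    filtered    netbios-dgm
139/tcp    filtered    netbios-ssn
445/tcp    filtered    microsoft-ds
27374/tcp  filtered    subseven
31337/tcp  filtered    Elite
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)$")
UNLISTED = re.compile(r"The (\d+) ports scanned but not shown below are in state: (\w+)")

def parse_port_table(text):
    """Return ({state: [(port, proto, service), ...]}, (count, state) of unlisted ports)."""
    by_state = defaultdict(list)
    unlisted = None
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service = m.groups()
            by_state[state].append((int(port), proto, service))
            continue
        m = UNLISTED.search(line)
        if m:
            unlisted = (int(m.group(1)), m.group(2))
    return dict(by_state), unlisted

def listening_services(by_state):
    """Ports where a service answered the probe (state 'open' only)."""
    return sorted(by_state.get("open", []))

if __name__ == "__main__":
    states, unlisted = parse_port_table(SCAN_OUTPUT)
    for state, ports in states.items():
        print(state, [p for p, _, _ in ports])
    print("unlisted:", unlisted, "open:", listening_services(states))
```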
