logoalt Hacker News

rkagerertoday at 3:25 PM1 replyview on HN

Some kind of source IP masking would be prudent. As you pointed out, some of those machines are compromised, and you aren't making their owners' lives any easier.

Bad actors might use the data you're publishing to fingerprint specific exploits to which the machines are vulnerable, multiplying the problem.

If producing an IP blacklist is one of your aims, divorcing it from any specific traffic would be more responsible.

You may also want to consider the risk traffic from compromised machines could leak PII (eg. say a script tried to use you as a relay to exfiltrate data) - and the ethical and legal consequences. A filter for SIN, credit cards, etc. would be a basic table-stakes mitigation step.


Replies

ryandraketoday at 3:44 PM

> Some kind of source IP masking would be prudent. As you pointed out, some of those machines are compromised, and you aren't making their owners' lives any easier.

Hard for me to find much sympathy for negligent users who unintentionally allowed their home computers or phones to join a malicious botnet, or their ISPs who aren't stopping the activity. Even if it is my own grandma's PC.

I agree about the content though, there probably are a lot of actually innocent victims' personal information in the traffic itself.

show 3 replies