Re: Tightened DNS security question re: DNS amplification attacks.
From: William Allen Simpson <william.allen.simpson () gmail com>
Date: Wed, 28 Jan 2009 18:50:15 -0500
Paul Vixie wrote:
> have been able to bind a reputation to an IP address and act in some way based
> on that reputation because TCP more or less requires that a real IP address
> be used. we're seeing cracks at the edges of this model now, because so many
> core routers have login: cisco; password: cisco, and it's now trivial for any
> spammer to inject BGP that either lights up unallocated space or cuts out a
> piece of somebody else's allocated block. this makes it possible to very
> temporarily and untraceably speak TCP from addresses that have no reputation
> (if they're unallocated) or that have a good reputation (if they're cutouts).
>
> i've pondered whether a network reputation service based on morality rather
> than behaviour could possibly work.
>
> ... would anyone be willing to deny service to them -- to paint
> them as having a negative reputation even though their "sin" is laziness or
> cluelessness rather than malevolent intent?

Yes, I've long been an advocate. Heck, the entire community had to take this
approach temporarily to slow/stop 2 worms (so far), because the damage was so
great that we couldn't operate otherwise.

However, I'd argue semantically that this is "behaviour" as well -- under a
negligence or attractive nuisance doctrine.

My previous solution involved extensive AUPs, but over time I've found AUPs
to be almost entirely unenforcible. Action turns out to be very expensive,
courts don't understand them, and are reluctant to support the "outsider"
ISP over their small business that belongs to the local chamber.

I was pleased by community action for de-peering this last year, although it
took several years of mounting evidence and national media exposure.

Do we need a law?