[anti-abuse-wg] Enabling community self-help?
Suresh Ramasubramanian ops.lists at gmail.com
Fri Apr 6 15:51:56 CEST 2012
On Fri, Apr 6, 2012 at 12:23 PM, Shane Kerr <shane at time-travellers.org> wrote:

> Just so we're clear - I don't represent an LIR, and never have. I don't
> vote on the RIPE NCC budget or the RIPE NCC board.

Never said that was the case.

> However companies are by and large short-sighted and selfish - even
> more than human beings, since companies have neither friends nor
> families. Externalized costs ("somebody else has to pay for my
> expenses, increasing my profits") are good from their point of view.

If that externalized cost is passed on to another department and it
causes a longer term increase in overall costs - you'd hear from the
CFO if that cost spiked to a strange extent.

> RIPE allows not a level playing field, but one just balanced enough to
> allow necessary cooperation. This is true of any forum used for

So does MAAWG - you have microsoft and google and ... and comcast and
att and ... the sort of companies that compete against each other, and
on occasion take each other before the FTC.

There's this unique kind of cooperation in both the RIPE and MAAWG
communities though that cuts across organizational boundaries. It is
"operational" cooperation as you will admit.

> So from your point of view, there already exists a reasonable
> reputation service that covers both networks and their operators.

I would call it so, yes.

> I guess ROKSO provides some sort of networking blacklisting automation,
> right? (Or perhaps even whitelisting?) Is there a reason not to use that
> for filtering and not worry whether the RIPE NCC or any other LIR has
> allocated any particular addresses?

Umm. That is like "I have efficient pest control in my house and I
don't care that there's an uncleared garbage dump outside"?

And if the spammers get themselves /13s to burn through for a period
of spamming and then essentially discard, what do you do when some
poor network in some part of africa (or a small dutch consulting firm
for that matter) wants some v4 space? And who do you find that's going
to be stupid enough to take any part of that /13 or whatever when RIPE
eventually reclaims it because the guy didn't pay his bills?

> I guess I was wondering if it covered literally any nefarious
> activities, so that it could be used as a general reputation service.
> If I am getting DoS'd or penetration tested from an ISP who doesn't do
> anything about it, I'd want that sort of thing tracked too.

That is for an IDS / IPS and there are blocklists that target that too
- possibly much more widely known in the firewall vendor community
rather than the spam filtering community. Blackhole communities,
s/rtbh etc etc.

Spamhaus does list DDoS botnet c2 infrastructure by the way ..
http://www.spamhaus.org/sbl/query/SBL131169 for example. Only - it is
mixed in with a lot of other stuff that's primarily targeted at smtp
blocking so it is not exactly what you want to feed to an IDS / IPS
[and you ever try stuffing 6 or 7 million IPs into an IDS's memory?]

> I actually think you *should* take a 3rd-party reputation service's
> opinion more seriously. Realistically the RIPE NCC will *always* have a
> conflict of interest - they want to serve the wider community but their
> direct members are the LIRs. (OTOH 3rd-party reputation is not a

.. and maawg's members are ISPs and datacenter hosts, some of which
might have bad customers downstream. But a major focus is on policy
improvements to remove and/or prevent such customers from even signing
on in the first place .. definitely not just working on newer and
better spam filtering and reputation mechanisms.

So - just relying on filters to deter spam is not going to scale, like
that analogy of pest control inside your home when there's a city dump
with tonnes of uncleared and rotting garbage next door.

> My goal of putting some sort of forum associated with the RIPE
> allocation information was to get this 3rd-party information as close
> as possible to the "authoritative" information about network addresses
> without triggering any conflict of interests. I never claimed it was a
> completely baked idea, certainly. :-P

Spamhaus does list a lot of RIPE (and ARIN, and APNIC and ..) whois
listings in the record for various IP ranges that it blocks. That's as
close enough I guess.

The focus here is on trying to conserve a scarce resource, not let the
bad guys have as much of it as they can (and lay in huge stocks of v6
for the future). If you believe v6 won't ever run out .. that's what
people thought when v4 first came into the picture so I won't play
futurist and second guess what's going to go on 30 years down the
line. Not even given the size of v6.