Security Incidents mailing list archives

Re: IP Black list? -- NONONONONONONONO!!!


From: mikem () CRAVETECHNOLOGY COM (Michael Merideth)
Date: Tue, 16 May 2000 15:59:19 -0600


Paul L Schmehl wrote:

> --On Monday, May 15, 2000 4:22 PM -0600 Michael Merideth
> <mikem () CRAVETECHNOLOGY COM> wrote:
>
>> If you want to be
>> ultra-paranoid about portscans, install portsentry.  Don't hand control
>> of your routers over to some alien organization, no matter how benign
>> and trustworthy it seems.

> It's amazing to me how many people completely miss the point of blocking
> services.  Methods like the RBL are completely voluntary.  No one forces
> you to use them, and if you find you don't like them, you just drop the
> service.
>
> Furthermore, you are not "handing over" control of your network to someone
> else.  It's your router, and you configure it to use or not use the
> services that are available.  You can implement filters that ignore certain
> listings in the RBL if you must do business with those networks.  You are
> always in complete control of your own routers.

Maybe in a vacuum, but in the real world, most admins follow the FAQ on
getting RBL or whatever set up, and then let it do its thing without
thinking about it again.  In effect, they are handing over control of
who they receive mail from to the RBL.  Yes, anyone with a brain fully
realizes that you can un-subscribe, but until you do that YOU ARE NOT IN
CONTROL.  Most of the network admins I know would be too busy to parse
such a database to look for friendly blocks to let through.  So in the
real world, someone who decided to use this service would, in a very
real sense, be handing control of their router over to someone else.
Yes, they can still pull the plug.  That's not the point.  You are not
"in control" if you do not exercise that control.

> Implementing a list like this is not "taking over" anything.  It's simply
> making another service available for admins to use, if they choose to.  And
> it beats the hell out of every admin on the earth implementing their own
> "custom" blocks.

And the other point which several people have made, is that when a
service like this is deployed outside of a vacuum (i.e. in the real
world), it becomes a big political stick to whack your enemies with.
I've had mail servers stuck on the RBL because someone couldn't figure
out how to unsubscribe to a mailing list they'd subscribed themselves
to.  I've seen threats to be RBL-ed because of "mailer daemon" bounce
messages.  I can see it now:  some ISP has a user who gets into a fight
on IRC.  Next thing you know their netblock is blackholed.  This
theoretical blackhole organization would require major funding to have
enough staff to actually investigate claims before adding someone to the
list, and an investigation would take precious time that would render
the list ineffective, anyway.  So how hard would it be to falsify a
claim against an enemy?  Or, as many have pointed out, why not just
spoof a few nmap scans?  That's great; this means that I don't even have
to subscribe to the service and I'll have this organization telling me
what to do with my network and my users with no specific site
knowledge.  Thanks a lot.  This is what I trained for.

> If you were blackholed for abuse on your network, which would you prefer?
> Notifying one source that the problem was resolved?  Or attempting to
> notify every admin in the world that had blocked you at their routers?
>
> The answer seems obvious to me.

Less obvious to me.  In the absence of this blackhole system, you would
rarely find yourself spontaneously blocked by large numbers of remote
networks unless you were truly up to no good, and in a big way.  I would
much rather talk to one individual who has blocked me, than deal with a
bureaucracy that has responded to one individual's complaint by blocking
me the world over (don't forget the presumption of guilt that such
organizations have to adopt in order to be effective).  I've dealt with
the attitude of Vixie's RBL (and even more benign organizations like the
ORBS); I'll take an individual any day.

Let's also not forget the point I made about user privacy, which you
didn't address.  I don't want to have to sniff everything that every one
of my users does, just as I don't want everything I do online
scrutinized by my service provider.  Would this system not require me to
do just this, however?  I would, if I had any hope of offering
sufficient resolution to the organization administering the list once I
got blackholed.

Lastly, could a false claim resulting in the blockage of a netblock be
considered libel, or defamation of character?  Is not a denial of
service attack grounds enough to pursue legal recourse these days, and
could action taken by this organization not be construed as a denial of
service attack?  I bet there's more than a few lawyers out there that
are willing to argue both of those points.  This organization would have
to be well funded and well defended against the steady stream of
lawsuits that would ensue.

It's an impractical idea, and even if it were practical, it would still
be a bad idea.  The "control of the router" issue is only a small facet
of why it is a bad idea.

Mike Merideth
