Slashdot Mirror


IIALP - Abuse Logging Protocol

George Davey sent us a press release about abuselog.org, a site for the development of a generalized protocol for logging internet annoyances and abuses to a set of central servers, which could then be queried to find out which IPs are luserish.

8 of 173 comments

  1. I hope by jb.hl.com · · Score: 5, Insightful

    There's some form of verification.

    In and of itself, this could be very easily abused by, say, people with a grudge who want to essentially get someone else an internet death penalty.

    --
    By summer it was all gone...now shesmovedon. --
    1. Re:I hope by wkcole · · Score: 2, Insightful
      This is very important. Slashdot periodically posts stories about RBLs that add people, but never remove them. As horrible as it is to think, I wonder if some sort of legislation (governmental, ICANN, or otherwise) is necessary to keep these systems fair.

      There is a pair of IDs on DNSBL technical details and best practices which seems to me more than enough. Actual law would be hopelessly unenforced window-dressing (see the millions of spamming zombies around the USA? Every one is a federal felony in progress. Where's Johnny Ashcroft on that crime???) or (worse) an excuse for the worst elements of law enforcement (see above) to selectively harass people who are really only engaging in free speech and protection of private property. Blacklists don't block mail, people using blacklists block mail. No one is forced to use any blacklist with a mail system they own or to buy services from a mail system that uses any specific blacklist. If you don't like the way your mail provider does spam filtering, find another provider or run your own mail.

      I recently had Comcast shut down my port 25 access due to spam reports.

      That's interesting, because Comcast claims that they recently cut off port 25 to ALL of their residential customers. That's for the best, given that they were completely unwilling to actually police their network for misuse in any serious and specific way. Are you sure you were not just part of that blanket closure?

    2. Re:I hope by wkcole · · Score: 2, Insightful
      And for starters, we could use some legislation requiring cable companies to treat all customers equally, regardless of how much they're paying.

      That is a sure way to legislate that they charge everyone the same price and offer exactly one level of (lousy) service.

    3. Re:I hope by aardvarkjoe · · Score: 2, Insightful
      My version of free speech includes the freedom to publish a list of IPs -- because I think they are spamming, or for any other reason. That infringes on nobody's right to speech. Unfortunately, most people seem to think that "free speech" means "speech I agree with."

      Incidentally, this is separate from Comcast's right to use their private equipment as they see fit -- which is what blocking ports based on spam reports is.

      --

      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
  2. what about DHCP by bdigit · · Score: 3, Insightful

    So what about all the people out there who get their IP from a DHCP server? Someone can be abusive and then within a given time have a new IP, and some poor old grandma who now has this luser's old IP is flagged as an internet mischief.

  3. yet another standard by UnderAttack · · Score: 4, Insightful

    There are too many 'incidents exchange', 'intrusion detection', 'log', 'firewall log' standards to count. Many of them IETF drafts. IDMF has a little bit of traction. There is one format the music industry came out with to ease notifications of ISPs....

    Do we need yet another "standard", or do we just need ISPs that are actually reading/handling any kind of abuse notice? Some are great about this, but others just route them to /dev/null.

    --
    ---- join dshield.org Distributed Intrusion Detec
  4. Signal to Noise ratio by Ex+Machina · · Score: 4, Insightful

    I'm browsing the RFC, and it sounds like they're planning on having people's firewalls spit out IIALP messages in response to port scans, etc. In my opinion, this is a really bad idea! Worm activity, someone running a stupid automated scan against an entire class A (whoooops!) by mistake, or a port scan trying to locate a particular machine whose IP has changed (which I have had to do), etc. need to be differentiated from actual malicious activities. I can see this being used by overzealous admins to try to drop ALL traffic at the firewall level from anyone *ever* who gets a complaint propagated to them via this. Also, does anyone really expect their STUPID!@!!@ .log TLD proposal to be accepted?!??!! Jeez, everyone knows that this will never go through. Why do people insist on changing DNS, creating namespace pollution or breaking some other protocol (SMTP for a lot of spam "spolutins") for every problem facing the net!

  5. Fatal flaw in environmental assumption by bourne · · Score: 5, Insightful

    Having just skimmed the draft, there's a fatal flaw with this solution. To quote:

    The idea is that no one person can make a big impact to the Root IIALP Servers but a million people all annoyed by the same SPAM can make a huge impact.

    However, they don't seem to address the idea that one person controlling a million drones that send spam today... can control a million drones that submit IIALP reports about, say, cnn.com tomorrow, resulting in a DoS from all the sites that block based on the IIALP lists. They rely upon the reports of end-users, but do not take into account the fact that massive volumes of "end-user" machines are compromised and usable as drones for whatever nefarious uses their 0wner wants.

    In short, their anti-spoof assumes individual malicious user endpoint hosts. If the malicious users on the Internet were limited to individual endpoint hosts, we wouldn't need solutions like IIALP!