Slashdot Mirror


IIALP - Abuse Logging Protocol

George Davey sent us a press release about abuselog.org, a site for the development of a generalized protocol for logging internet annoyances and abuses to a set of central servers, which could then be queried to find out which IPs are luserish.

10 of 173 comments

  1. DHCP and MAC by CaptainPinko · · Score: 4, Interesting

    How will this work with DHCP, where the IP address is not constant at all? How about using the MAC address of the card? At least it's something that can't be cheaply replaced (I get a different IP every time I log on), or at least not by the majority of people.

    --
    Your CPU is not doing anything else, at least do something.
    1. Re:DHCP and MAC by djh101010 · · Score: 5, Interesting

      Yeah, because the MAC address is so hard to change. ifconfig on some systems can do it, and a D-Link router can assume any MAC you'd like it to.

    2. Re:DHCP and MAC by Pieroxy · · Score: 3, Interesting

      They have to be unique, but they can be dynamic!!! I don't know of any MAC address that could be dynamic (well, you can always write a little daemon that changes the MAC address of your router/NIC, but you'd have to write it). So in that regard, identifying people by their MAC address makes more sense than by their IP. But I agree that both make a pretty weak identification anyways.

  2. That list'll get long quick by Neil+Blender · · Score: 4, Interesting

    Our firewalls get port scanned many times daily. Our weblogs are filled with this kind of garbage:
    63.189.X.196 - - [12/Jul/2004:16:31:04 -0700] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\ x

    I could probably contribute a thousand IPs from last month alone.

  3. 4/1 by rabel · · Score: 4, Interesting

    The annoyance logs on a particular IIALP Server are condensed and forwarded up the IIALP hierarchy to central Root IIALP Servers for central annoyance queries.

    Come on... this is a joke, right? After annoyance queries, we can move on to annoyance mining and then the troll database and the lousy-speller's database with new improved SQL (Soundex Query Language for the spelling-impaired).

    Annoyance queries? Pshaw.

  4. Re:I hope by MobyDisk · · Score: 5, Interesting

    This is very important. Slashdot periodically posts stories about RBLs that add people, but never remove them. As horrible as it is to think, I wonder if some sort of legislation (governmental, ICANN, or otherwise) is necessary to keep these systems fair.

    I recently had Comcast shut down my port 25 access due to spam reports. Of course, they refused to tell me who reported me or what they reported, so even giving them logs of my outgoing port 25 access from a sniffer isn't enough for them to remove the mark from my record. (However, if I tell them I went to Windows Update and ran a virus scanner, they enable my access again. Never mind that Windows Update doesn't do much on my Linux box. :-) )

  5. Re:I hope by Scoria · · Score: 3, Interesting

    Touché. PKI is probably applicable here.

    If this group is merely validating complaints by including only those that have been submitted on many different occasions by unique hosts, then a malevolent individual could hypothetically establish a distributed network of compromised machines - perhaps by deploying an Internet worm - and then submit his false complaint, thus circumventing that precaution.

    --
    Do you like German cars?
  6. Re:I hope by jdreed1024 · · Score: 3, Interesting

    As horrible as it is to think, I wonder if some sort of legislation (governmental, ICANN, or otherwise) is necessary to keep these systems fair.

    I recently had Comcast shut down my port 25 access due to spam reports. Of course, they refused to tell me who reported me or what they reported, so even giving them logs of my outgoing port 25 access from a sniffer isn't enough for them to remove the mark from my record.

    And for starters, we could use some legislation requiring cable companies to treat all customers equally, regardless of how much they're paying. If you have a business account for cable modem service, they'll forward you reports of spam or other abuses (i.e. port scanning from your machine), and they'll bend over backwards to help you, and if you say "there is no way this is my machine", they'll actually accept it on the first try and push the complainant to give more details or more proof.
    (Yes, I know legislation for that will never work, but it's most unfortunate that end users can get screwed more easily just because they're paying less. I mean, the power company won't ignore your report of a blackout just because you don't keep your lights and A/C on 24 hours a day.)

    --
    There is no sig, there is only Zuul.
  7. Re:Fatal flaw in environmental assumption by bourne · · Score: 2, Interesting

    So use a "real person" validation technique... like when you sign up for free email and they require you to tell them what the distorted word in the .jpg is...

    Three problems off the top with that...

    1. CAPTCHAs don't work for spam, because spammers hook them to "free" porn pages to get people to solve them. Again, if it doesn't work to stop spam today, why would it work to stop the people who want to spam despite IIALP?
    2. My mail server blacklists roughly 1000 hosts a day for attempting to send spam to or through it. Are you suggesting that the average user will validate themselves thousands of times a day? I think not. A system like IIALP is predicated on automated analysis of obvious 'attack' trends. If it needs a user, it'll never work (e.g., how many people view, understand, and care about ZoneAlarm popups? Not many).
    3. IIALP must include the input of actual infrastructure - mail servers, web servers, routers, firewalls, etc. etc. - in order to help protect said infrastructure. It won't work if it only gets input from end nodes with no services. Such systems, by definition, already have an overworked, underpaid admin who is not going to have time to 'validate' his systems reports.

    I have long thought about a system which has some similarities to IIALP, and have thought through some of the pitfalls. A system can be built which is based on the reports of nodes, but only if the nodes have credibility factors, strong encryption and non-repudiation, and the system is designed to cross-check and distrust node reports until thoroughly corroborated. It should weight systems according to their uses, and it should have limited scopes (e.g., what's attack info on my network may not be on yours).
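    A small model of the report handling bourne describes above (weighted, authenticated node reports that are distrusted until corroborated by distinct reporters), which also covers the many-unique-hosts check Scoria raises in comment 5. This is an added Python example, not code from abuselog.org or the IIALP proposal. Per-node HMAC shared secrets stand in for the PKI signatures the thread mentions (assumption); the reporter names, credibility weights, thresholds and IP addresses are all constructed for the example.

```python
import hashlib
import hmac
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed registry of reporting nodes: name -> (shared secret, credibility weight).
# Weights follow the "weight systems according to their uses" idea: infrastructure
# that actually serves traffic is trusted more than an end node with no services.
REPORTERS = {
    "mx.example.net": (b"secret-mx", 1.0),   # production mail server
    "fw.example.net": (b"secret-fw", 0.8),   # border firewall
    "desktop-42":     (b"secret-dsk", 0.1),  # end node, no services
}

# Policy knobs (assumed values): an IP is only "corroborated" once the weighted
# evidence crosses the threshold AND enough distinct reporters agree.
WEIGHT_THRESHOLD = 1.5
MIN_DISTINCT_REPORTERS = 2

Report = Tuple[str, str, str, str]  # (reporter, target_ip, kind, auth_tag)


def _tag(secret: bytes, reporter: str, target_ip: str, kind: str) -> str:
    msg = f"{reporter}|{target_ip}|{kind}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_report(reporter: str, target_ip: str, kind: str) -> Report:
    """A node authenticates its own report (HMAC stands in for a real signature)."""
    return (reporter, target_ip, kind, _tag(REPORTERS[reporter][0], reporter, target_ip, kind))


def verify_report(report: Report) -> bool:
    """Reject reports from unknown nodes or with a tag that does not verify."""
    reporter, target_ip, kind, tag = report
    if reporter not in REPORTERS:
        return False
    expected = _tag(REPORTERS[reporter][0], reporter, target_ip, kind)
    return hmac.compare_digest(expected, tag)


def aggregate(reports: List[Report]) -> Dict[str, dict]:
    """Per target IP: distinct accepted reporters, weighted score, rejected count."""
    evidence = defaultdict(lambda: {"reporters": set(), "weight": 0.0, "rejected": 0})
    for report in reports:
        reporter, target_ip, _kind, _tag_value = report
        ev = evidence[target_ip]
        if not verify_report(report):
            ev["rejected"] += 1
            continue
        # A node's weight counts once per target: a single node flooding
        # thousands of reports gains no more influence than one report.
        if reporter in ev["reporters"]:
            continue
        ev["reporters"].add(reporter)
        ev["weight"] += REPORTERS[reporter][1]
    return evidence


def corroborated(evidence: Dict[str, dict]) -> List[str]:
    """IPs that cleared both the weight and the distinct-reporter requirement."""
    return sorted(
        ip for ip, ev in evidence.items()
        if ev["weight"] >= WEIGHT_THRESHOLD and len(ev["reporters"]) >= MIN_DISTINCT_REPORTERS
    )


def build_sample_reports() -> List[Report]:
    """Constructed sample traffic; IPs are from the RFC 5737 documentation ranges."""
    reports: List[Report] = [
        sign_report("mx.example.net", "198.51.100.7", "spam"),
        sign_report("fw.example.net", "198.51.100.7", "portscan"),
        sign_report("mx.example.net", "192.0.2.5", "spam"),
        # Forged: claims to be the mail server but carries a bogus tag.
        ("mx.example.net", "192.0.2.5", "portscan", "deadbeef"),
        # Unknown node: never registered, so it cannot be trusted at all.
        ("rogue-node", "192.0.2.5", "spam", "00"),
    ]
    # One low-credibility end node repeating itself fifty times.
    reports += [sign_report("desktop-42", "203.0.113.9", "portscan") for _ in range(50)]
    return reports


if __name__ == "__main__":
    ev = aggregate(build_sample_reports())
    for ip, e in sorted(ev.items()):
        print(ip, sorted(e["reporters"]), round(e["weight"], 2), "rejected:", e["rejected"])
    print("corroborated:", corroborated(ev))
```

    Only 198.51.100.7 ends up corroborated: it was reported by two distinct, reasonably trusted nodes. The fifty reports about 203.0.113.9 all come from one low-weight node and collapse to a single 0.1 contribution, the forged and unknown-node reports about 192.0.2.5 are discarded before they can add weight, and a single high-weight reporter is still not enough on its own, which is the "distrust until corroborated" property in code.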

  8. Re:I hope by NoOneInParticular · · Score: 2, Interesting

    You seem to misunderstand: the grandparent asks if it is necessary that the government needs to put restrictions on "banning free speech", not on "free speech" itself. The way internet abuse is handled currently, it is not unimaginable that in the not so far future you can effectively kick someone off the internet with one anonymous phone call to a non-accountable agency, with the victim not having any recourse other than to switch providers. Rinse, lather, repeat.

    However, if your version of "free speech" includes the freedom to prevent speech (such as Comcast is doing), then we're at the end of the discussion I think.