IIALP - Abuse Logging Protocol

George Davey sent us a press release about abuselog.org, a site for the development of a generalized protocol for logging internet annoyances and abuses to a set of central servers, which could then be queried to find out which IPs are luserish.

that's cool!

[grub]

which could then be queried to find out which IPs are luserish.

Interesting: 66.35.250.150 and 66.35.250.151 are the only entries. Truly uncanny AI.

Re:that's cool!

Great links on this one. I mean there's absolutely nothing there, execept for a couple of guys whose phone numbers are going to get called a hundred times now.

For some record types the condensed records might be compressed
in a supported compression format for that template set.
A template set is a specification set for a template format for
a full and a condensed record pair.
Supported compression types will likely be added as new
technologies arise.

Encoding is necessary for SPAM reporting to keep the reports
small. For instance a an IP address is expressed in ASCII as
a 15 byte word. The IP address, converted to a binary number,
encoded to base 36, is represented by 6 ASCII characters.
Encoding types will need to be added over time as newer
technologies arise.

Re:that's cool!

It's official: /. is annoying!

Re:that's cool!

[strictnein]

Am I missing something? There seems to be absolutely nothing interesting to even look at for this site.

Web site for the Iowa Internet Annoyance Logging Protocol (IIALP) Working Group.
IIALP is pronounced: E'-alp.

A copy of the current IETF "Internet-Draft" which represents a work in progress for IIALP is here:
http://www.ietf.org/internet-drafts/draft-davey-ii alp-01.txt

RTF versions of all the internet-draft work in progress revisions are here::
http://www.abuselog.org/Documents/00/draft-davey-i ialp-00.rtf
http://www.abuselog.org/Documents/00/draft-davey-i ialp-01.rtf

Next Revision Peak Ahead:
Working on the sample templates and template root structure

Your comments are welcome, please email your comments to the email address shown below:
Make sure to include IIALP first in the subject line followed by the actual subject.

Re:that's cool!

Iowa Internet Annoyance Logging Protocol
(IIALP) pronounced E'-alp

Status of this Memo

This document is an Internet-Draft and is subject to
all provisions of Section 10 of RFC2026.This document is an Internet-Draft and is subject to
all provisions of Section 10 of RFC2026.This document is an Internet-Draft and is subject to
all provisions of Section 10 of RFC2026.This document is an Internet-Draft and is subject to
all provisions of Section 10 of RFC2026.This document is an Internet-Draft and is subject to
all provisions of Section 10 of RFC2026.This document is an Internet-Draft and is subject to
all provisions of Section 10 of RFC2026.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at http://
www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

This Internet-Draft will expire on November 17, 2004.

Copyright Notice

Copyright (C) The Internet Society (2004). All Rights Reserved.

Abstract

This draft describes a system by which Internet Annoyances can be
logged quickly and automatically using IIALP (Iowa Internet Annoyance
Logging Protocol). The annoyance logs on a particular IIALP Server
are condensed and forwarded up the IIALP hierarchy to central Root
IIALP Servers for central annoyance queries. Serial numbers and TTL
values keep the individual reports organized and dated. One unique
complaint per IP per epoch period prevents flooding. Differences
in detail and propagation parameters exist between Root and
Subordinate IIALP Servers to allow for more detail to be kept at the
originating IIALP Server. Transmission Echoes, Redundant Handshaking,
and Hierarchy Structure eliminate erroneous reporting. Routers and
software running IIALP can use IIALP to create dynamic black hole
lists for abusing Internet assets exceeding a set limit. IIALP allows
for an infinite number of different types of annoyances to exist but
has concise templates for common annoyances such as SPAM. IIALP
is a centralized logging system for Internet annoyance event
reporting.

Table of Contents

0. Introduction

Annoyance reporting was not a problem in the early years of the
Internet. You simply emailed the ARIN contact for the Autonomous
System (AS) that was annoying you and the system administrator
there would cut of the user and launch an investigation into the
annoyance and provide the abused with an answer on what happened
and what measures were taken to correct the problem.
Your comments are welcome, please email your comments to the email address shown below:Your comments are welcome, please email your comments to the email address shown below:Your comments are welcome, please email your comments to the email address shown below:Your comments are welcome, please email your comments to the email address shown below:Your comments are welcome, please email your comments to the email address shown below:
Those were the good old days. Now ARIN contact email addresses
are overwhelmed by spam and abuse reporting is more often missed.
A centralized automated system for annoyance reporting, including
spam, is needed to help protect the Internet end user that does not
understand even what an ARIN contact email is.

The answer is to design a protocol engineered to bring tranquility
and accuracy to the chaos of Internet annoyance logging that is
going on today. IIALP is that speci

Re:that's cool!

sorry, Protocols are not very photogenic, sorry for the lack of bitmaps. Just a lot of good old words to describe a protocol which is in the "work in progress" state. Basically if it was a person it would be a todler, I hope it is out of the embryo stage.

Re:that's cool!

That's MY IP!!!

Re:that's cool!

[cdyson37]

No, it's slashdot's:

# ping www.slashdot.org
PING www.slashdot.org (66.35.250.151) 56(84) bytes of data.

--- www.slashdot.org ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1009ms

Probably the firewall is dropping them. I suspect the .150 is another IP, but I don't have dig installed at the moment, so I can't check.

Re:that's cool!

[cdyson37]

That's interesting:

# dig www.slashdot.org

; <<>> DiG 9.2.3 <<>> www.slashdot.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18156
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.slashdot.org. IN A

;; ANSWER SECTION:
www.slashdot.org. 2378 IN A 66.35.250.151

;; Query time: 17 msec
;; SERVER: 212.23.8.1#53(212.23.8.1)
;; WHEN: Wed Jul 14 12:22:36 2004
;; MSG SIZE rcvd: 50

But

# dig slashdot.org

; <<>> DiG 9.2.3 <<>> slashdot.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39116
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;slashdot.org. IN A

;; ANSWER SECTION:
slashdot.org. 1973 IN A 66.35.250.150

;; Query time: 16 msec
;; SERVER: 212.23.8.1#53(212.23.8.1)
;; WHEN: Wed Jul 14 12:22:59 2004
;; MSG SIZE rcvd: 46

So slashdot.org and www.slashdot.org have different IPs - different machines? Rather odd way of load balancing.

LOL!

More LIKE ILAP I lap !

Re:LOL!

Iowa Internet Annoyance Logging Protocol
(IIALP) pronounced E'-alp

Status of this Memo

This document is an Internet-Draft and is subject to
all provisions of Section 10 of RFC2026.This document is an Internet-Draft and is subject to
all provisions of Section 10 of RFC2026.This document is an Internet-Draft and is subject to
all provisions of Section 10 of RFC2026.This document is an Internet-Draft and is subject to
all provisions of Section 10 of RFC2026.This document is an Internet-Draft and is subject to
all provisions of Section 10 of RFC2026.This document is an Internet-Draft and is subject to
all provisions of Section 10 of RFC2026.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at http://
www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

This Internet-Draft will expire on November 17, 2004.

Copyright Notice

Copyright (C) The Internet Society (2004). All Rights Reserved.

Abstract

This draft describes a system by which Internet Annoyances can be
logged quickly and automatically using IIALP (Iowa Internet Annoyance
Logging Protocol). The annoyance logs on a particular IIALP Server
are condensed and forwarded up the IIALP hierarchy to central Root
IIALP Servers for central annoyance queries. Serial numbers and TTL
values keep the individual reports organized and dated. One unique
complaint per IP per epoch period prevents flooding. Differences
in detail and propagation parameters exist between Root and
Subordinate IIALP Servers to allow for more detail to be kept at the
originating IIALP Server. Transmission Echoes, Redundant Handshaking,
and Hierarchy Structure eliminate erroneous reporting. Routers and
software running IIALP can use IIALP to create dynamic black hole
lists for abusing Internet assets exceeding a set limit. IIALP allows
for an infinite number of different types of annoyances to exist but
has concise templates for common annoyances such as SPAM. IIALP
is a centralized logging system for Internet annoyance event
reporting.

Table of Contents

0. Introduction

Annoyance reporting was not a problem in the early years of the
Internet. You simply emailed the ARIN contact for the Autonomous
System (AS) that was annoying you and the system administrator
there would cut of the user and launch an investigation into the
annoyance and provide the abused with an answer on what happened
and what measures were taken to correct the problem.
Your comments are welcome, please email your comments to the email address shown below:Your comments are welcome, please email your comments to the email address shown below:Your comments are welcome, please email your comments to the email address shown below:Your comments are welcome, please email your comments to the email address shown below:Your comments are welcome, please email your comments to the email address shown below:
Those were the good old days. Now ARIN contact email addresses
are overwhelmed by spam and abuse reporting is more often missed.
A centralized automated system for annoyance reporting, including
spam, is needed to help protect the Internet end user that does not
understand even what an ARIN contact email is.

The answer is to design a protocol engineered to bring tranquility
and accuracy to the chaos of Internet annoyance logging that is
going on today. IIALP is that spec

Wow

Cool

Re:Wow

Iowa Internet Annoyance Logging Protocol
(IIALP) pronounced E'-alp

Status of this Memo

This document is an Internet-Draft and is subject to
all provisions of Section 10 of RFC2026.This document is an Internet-Draft and is subject to
all provisions of Section 10 of RFC2026.This document is an Internet-Draft and is subject to
all provisions of Section 10 of RFC2026.This document is an Internet-Draft and is subject to
all provisions of Section 10 of RFC2026.This document is an Internet-Draft and is subject to
all provisions of Section 10 of RFC2026.This document is an Internet-Draft and is subject to
all provisions of Section 10 of RFC2026.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at http://
www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

This Internet-Draft will expire on November 17, 2004.

Copyright Notice

Copyright (C) The Internet Society (2004). All Rights Reserved.

Abstract

This draft describes a system by which Internet Annoyances can be
logged quickly and automatically using IIALP (Iowa Internet Annoyance
Logging Protocol). The annoyance logs on a particular IIALP Server
are condensed and forwarded up the IIALP hierarchy to central Root
IIALP Servers for central annoyance queries. Serial numbers and TTL
values keep the individual reports organized and dated. One unique
complaint per IP per epoch period prevents flooding. Differences
in detail and propagation parameters exist between Root and
Subordinate IIALP Servers to allow for more detail to be kept at the
originating IIALP Server. Transmission Echoes, Redundant Handshaking,
and Hierarchy Structure eliminate erroneous reporting. Routers and
software running IIALP can use IIALP to create dynamic black hole
lists for abusing Internet assets exceeding a set limit. IIALP allows
for an infinite number of different types of annoyances to exist but
has concise templates for common annoyances such as SPAM. IIALP
is a centralized logging system for Internet annoyance event
reporting.

Table of Contents

0. Introduction

Annoyance reporting was not a problem in the early years of the
Internet. You simply emailed the ARIN contact for the Autonomous
System (AS) that was annoying you and the system administrator
there would cut of the user and launch an investigation into the
annoyance and provide the abused with an answer on what happened
and what measures were taken to correct the problem.
Your comments are welcome, please email your comments to the email address shown below:Your comments are welcome, please email your comments to the email address shown below:Your comments are welcome, please email your comments to the email address shown below:Your comments are welcome, please email your comments to the email address shown below:Your comments are welcome, please email your comments to the email address shown below:
Those were the good old days. Now ARIN contact email addresses
are overwhelmed by spam and abuse reporting is more often missed.
A centralized automated system for annoyance reporting, including
spam, is needed to help protect the Internet end user that does not
understand even what an ARIN contact email is.

The answer is to design a protocol engineered to bring tranquility
and accuracy to the chaos of Internet annoyance logging that is
going on today. IIALP is that spec

I use PacketLogger

It saves every packet to disk allowing you to go back and look through all your packets for signs of abuse.

Re:I use PacketLogger

Yeah, I'm sure we all have time to pore over every packet and analyze the data with a fine toothed comb.

Re:I use PacketLogger

Cool, Now you can figure out the source of that DOS attack that filled up you hard drive with useless data!

First post

Im a gay asshole trying for the first post. Look at me, Im original

Re:First post

And your ' key is broken.

Re:First post

What kind of gay asshole are you?

• young, tight gay rectum with light slippery coating of fecal matter
  
• old, prolapsed gay rectum with pre-cancerous polyps and crusts of dried feces

What kind are YOU?

I hope

[jb.hl.com]

There's some form of verification.

In and of itself, this could be very easily abused by, say, people with a grudge who want to essentially get someone else an internet death penalty.

Re:I hope

[BACbKA]

of course not. That would be addressed by IIALPALP (abuse logging proto of the abuse logging proto.) It is in the drafts. :)

Re:I hope

And they would be monitored by IIALPALPwatch

Re:I hope

[bsgk]

That's a dead link.

Re:I hope

As dead as your sense of humor, apparently....

Re:I hope

[Scoria]

Blacklisted, perhaps? ;-)

Re:I hope

[MobyDisk]

This is very important. Slashdot periodically posts stories about RBLs that add people, but never remove them. As horrible as it is to think, I wonder if some sort of legislation (governmental, ICANN, or otherwise) is necessary to keep these systems fair.

I recently had Comcast shut down my port 25 access due to spam reports. Of course, they refused to tell me who reported me or what they reported, so even giving them logs of my outgoing port 25 access from a sniffer isn't enough for them to remove the mark from my record. (However, if I tell them I went to Windows update and ran a virus scanner they enable my access again. Nevermind that Windows Update doesn't do much on my Linux box. :-) )

Re:I hope

[Scoria]

Touché. PKI is probably applicable here.

If this group is merely validating complaints by including only those that have been submitted on many different occasions by unique hosts, then a malevolent individual could hypothetically establish a distributed network of compromised machines - perhaps by deploying an Internet worm - and then submit his false complaint, thus circumventing that precaution.

Re:I hope

[jfengel]

Wow. That really sucks. If I were Comcast, anybody who asks for port 25 to be opened is either a code jockey type, in which case you should open it, or the world's most brazen spammer, in which case he should be arrested.

So tell 'em you've upgraded your operating system (true enough) and hopefully whatever typo screwed you in the first place won't happen again.

Re:I hope

IIALP can be abused, yes. Anyone can abuse anything on the Internet, just ask Micro$oft.
This is why they are designing embedded protection into the protocol, it also couples with white and black lists to further help.
The hope is that because it is a protocol and not a rich fat bass terd it will not be a target.

Re:I hope

PKI and certs make people rich ACL's do not.
While IIALP says it is PKI compliant, ACL is the primary form of auth used.
e.g. if you are on my WAN, you can enter a complaint, no spoofing possible, just ACLs.

Re:I hope

IIALP has a TTL or "time to live" for each complaint type. This is specified in the template for that complaint type. It determines how long the record lives in the IIALP server.
IIALP does not block anything whatsoever, it allows you to see the abuse activity for an IP and make the call yourself. That does not seem in need of legislation unless you are too naive to decide so your ISP makes the call.
Remember it is a protocol not a law.

Re:I hope

I wonder if some sort of legislation (governmental, ICANN, or otherwise) is necessary to keep these systems fair.

you must be from canada

Re:I hope

[jdreed1024]

As horrible as it is to think, I wonder if some sort of legislation (governmental, ICANN, or otherwise) is necessary to keep these systems fair.

I recently had Comcast shut down my port 25 access due to spam reports. Of course, they refused to tell me who reported me or what they reported, so even giving them logs of my outgoing port 25 access from a sniffer isn't enough for them to remove the mark from my record.

And for starters, we could use some legislation requiring cable companies to treat all customers equally, regardless of how much they're paying. If you have a business account for cable modem service, they'll forward you reports of spam or other abuses (ie: port scanning from your machine), and they'll bend over backwards to help you, and if you say "there is no way this is my machine", they'll actually accept it on the first try and push the complainant to give more details or more proof.
(yes, I know legislation for that will never work, but it's most unfortunate that end users can get screwed more easily just because they're paying less. I mean, the power company won't ignore your report of a blackout just because you don't keep your lights and A/C on 24 hours a day)

Re:I hope

[Ayaress]

My DSL company did something simmilar to me, although it was pure dumbass, and not malice on anybody's part. I'm on a dynamic IP system, so every time I disconnect and then reconnect, I have a different IP. Never causes much problem, since I don't do anything at home that would require me to have a static IP. Anyway, the local police made a big bust on a guy selling child pornography on a webserver in the back room of his office (the guy's a pediatrician). The police got a good couple hundred IP addresses from logs. Most of them were out of their jurisdiction, so they sent them on to somebody else. But a half-dozen or so were right here in town. They go to the ISPs, and try to get the names of the users behind said IPs. My ISP was more than happy to cooperate on something like this, so they had somebody look up the logs and figure out who had such-and-such address at the time stated (it was something like 4 AM on a Teusday). Anyway, it comes up with my name. I had some pretty awkward conversations with police, neighbors, parents, etc for a while until I get a call one day. The dumbass ISP must have entered the wrong search query or something, because as it turned out, that was my IP at 4AM on a Teusday - just a month earlier.

Re:I hope

[wkcole]

This is very important. Slashdot periodically posts stories about RBLs that add people, but never remove them. As horrible as it is to think, I wonder if some sort of legislation (governmental, ICANN, or otherwise) is necessary to keep these systems fair.

There is a pair of ID's on DNSBL technical details and best practices which seems to me more than enough. Actual law would be hopelessly unenforced window-dressing (see the millions of spamming zombies around the USA? Every one is a federal felony in progress. Where's Johnny Ashcroft on that crime???) or (worse) an excuse for the worst elements of law enforcement(see above)to selectively harrass people who are really only engaging in free speech and protection of private property. Blacklists don't block mail, people using blacklists block mail. No one is forced to use any blacklist with a mail system they own or to buy services from a mail system that uses any specific blacklist. If you don't like the way your mail provider does spam filtering, find another provider or run your own mail.

I recently had Comcast shut down my port 25 access due to spam reports.

That's interesting, because Comcast claims that they recently cut off port 25 to ALL of their residential customers. That's for the best, given that they were completely unwilling to actually police their network for misuse in any serious and specific way. Are you sure you were not just part of that blanket closure?

Re:I hope

[spells]

And for starters, we could use some legislation requiring cable companies to treat all customers equally, regardless of how much they're paying

You're new to the country aren't you? ;)

Re:I hope

Of course, they refused to tell me who reported me or what they reported

I'm glad about that. I had to stop reporting spammers years ago. Real spammers: fraud, pills, porn, etc. They are nasty people and will retaliate. Back in those days I'd get real e-mails back from ISPs saying they'd taken care of the spammers and as far as I know they did. I didn't start reporting spam again until Spamcop came along. I'm mostly anonymous, but can still be contacted through a Spamcop remailer. Spamcop does provide the content of the e-mail (that why I said mostly). I think Comcast should have at least told you what the e-mail was about!

Re:I hope

[KIDputer]

Remember it is a protocol not a law. What you do with it is your resposibility. It will be a great tool to see Internet abuse records without an act of congress needed or without large administrative efforts.

Re:I hope

[ElForesto]

I think the worst of those RBLs is the Blars one. The guy is a pompous ass who has serious attitude problems. I already had to spend hours getting our newly-assigned IP off of a dozen other lists, and they had fully-automated systems to verify that my system wasn't a spamhouse. He doesn't even accept removal requests without payment! Sounds like a blackmail scheme to me. I basically figured that I shouldn't need to worry about someone like that, but that kind of disregard for the social contracts of the Internet disturbs me greatly.

Re:I hope

[ElForesto]

I've got a better idea. Why not propose a standard abuse@domain way to report abuses? A human has to look over them anyway, and it's gonna be the ISP, so why should we make up some new scheme to capture the complaints? Just give me an abuse address and a responsive abuse department and I'm fine, thanks.

I'll take a human with soft skin over a machine that pretends to be smart.

Re:I hope

[aardvarkjoe]

As horrible as it is to think, I wonder if some sort of legislation (governmental, ICANN, or otherwise) is necessary to keep these systems fair.

And once again, restriction of free speech in the name of "fairness" rears its ugly head...

I recently had Comcast shut down my port 25 access due to spam reports.

The proper thing to do in this case is to stop patronizing Comcast -- or, alternatively, live with it, if it's not that important to you. Telling the government to handle it for you is generally not the way to go.

Re:I hope

[KIDputer]

Because the IIALP protocol uses templates which are different for each type of abuse, they can be somwhat self verifying. e.g. if you fill in all the blanks and you have permission to submit to the IIALP server you are affiliated with, IIALP only logs it does not block, when you use IIALP to block , YOU would need to verify the validity of the records as well as use the white list and black list features which are both global and template specific.

Re:I hope

[KIDputer]

The IIALP log files have a TTL value that auto-expires the logs based on the specifications which are unique for each abuse type. The TTL is specified by the root servers for each template (abuse) type. So they won't end up on a list for a year unless the TTL is 1 yr. And remember it is only a log not a block list, if you choose to block based upon the logs, then that is a separate issue. The TTL may be different if the real-time flag is set on the abuse log entry vs. if the real-time flag is not set. The TTL can be set to a different greater value than the Root IIALP server for a specific abuse type but it cannot be set less than the root server. TTL and other template artifacts are passed down the hiearchy from the Root IIALP servers, to the Subordinate IIALP servers and finally to the Rougue and Subscription Based IIALP servers.

Re:I hope

[KIDputer]

A pre-emptive DDOS protection mechamism needs further work and is in the plan to be implimented soon.

Re:I hope

[KIDputer]

I agree, I do not like blacklisting, blacklisting is a last resort for short-term problems.

Re:I hope

[Bloody+Pulp]

I agree that the Blars RBL is a very high collateral damage list since it lists netblocks and not single IP addresses. Blars maintains the RBL himself and so there are no automated methods of adding or removing IP addresses. It is definitely not a list a service provider should be using for blocking email.

Also, if your "newly-assigned IP" was already on "several dozen" other lists then your service provider probably doesn't have a very strong anti-spam enforcement policy. As well, your service provider probably still has spammers on their network and your IP address might be added to RBL because of those spammers.

It might be a good idea to switch to a provider that isn't listed on so many RBL's and has a stronger anti-spam enforcement policy.

Re:I hope

[NoOneInParticular]

You seem to misunderstand, the grandparent asks if it is necessary that the government needs to put restrictions on "banning free speech", not on "free speech" itself. The way internet abuse is handled currently, it is not unimaginable that in the not so far future you can effectively kick someone of the internet with one anonymous phonecall to a non-accountable agency, with the victim not having any recourse than to switch providers. Rinse, lather, repeat.

However, if your version of "free speech" includes the freedom to prevent speech (such as Comcast is doing), then we're at the end of the discussion I think.

Re:I hope

[wkcole]

And for starters, we could use some legislation requiring cable companies to treat all customers equally, regardless of how much they're paying.

That is a sure way to legislate that they charge everyone the same price and offer exactly one level of (lousy) service.

Re:I hope

[aardvarkjoe]

My version of free speech includes the freedom to publish a list of IPs -- because I think they are spamming, or for any other reason. That infringes on nobody's right to speech. Unfortunately, most people seem to think that "free speech" means "speech I agree with."

Incidentally, this is seperate from Comcast's right to use their private equipment as they see fit -- which is what blocking ports based on spam reports is.

Re:I hope

[KIDputer]

I know tell them you left your lunch sack too close to your computer keyboard and the bananna fell out and triggered the RETURN key and you acidentally abused the hell out of the 10 million people on the Internet for 10 minutes Tuesday at 4PM. Oops the darn banannas!

I troll slashdot

Should I log myself?

Trolls untied!

Re:I troll slashdot

Iowa Internet Annoyance Logging Protocol
(IIALP) pronounced E'-alp
42342
Status of this Memo

This document is an Internet-Draft and is subject to
all provisions of Section 10 of RFC2026.This document is an Int123423ernet-Draft and is subject to
all provisions of Section 10 of RFC2026.This document is an Internet-Draft and is subject to
all provisions of Section 10 of RFC2026.This document is an Internet-Draft and is subject to
all provisions of Section 10 of RFC2026.This document is an Internet-Draft and is subject to
all provisions of Section 10 of RFC2026.This document is an Internet-Draft and is subject to
all provisions of Section 10 of RFC2026.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at http://
www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

This Internet-Draft will expire on November 17, 2004.

Copyright Notice

Copyright (C) The Internet Society (2004). All Rights Reserved.

Abstract

This draft describes a system by which Internet Annoyances can be
logged quickly and automatically using IIALP (Iowa Internet Annoyance
Logging Protocol). The annoyance logs on a particular IIALP Server
are condensed and forwarded up the IIALP hierarchy to central Root
IIALP Servers for central annoyance queries. Serial numbers and TTL
values keep the individual reports organized and dated. One unique
complaint per IP per epoch period prevents flooding. Differences
in detail and propagation parameters exist between Root and
Subordinate IIALP Servers to allow for more detail to be kept at the
originating IIALP Server. Transmission Echoes, Redundant Handshaking,
and Hierarchy Structure eliminate erroneous reporting. Routers and
software running IIALP can use IIALP to create dynamic black hole
lists for abusing Internet assets exceeding a set limit. IIALP allows
for an infinite number of different types of annoyances to exist but
has concise templates for common annoyances such as SPAM. IIALP
is a centralized logging system for Internet annoyance event
reporting.

Table of Contents

0. Introduction

Annoyance reporting was not a problem in the early years of the
Internet. You simply emailed the ARIN contact for the Autonomous
System (AS) that was annoying you and the system administrator
there would cut of the user and launch an investigation into the
annoyance and provide the abused with an answer on what happened
and what measures were taken to correct the problem.
Your comments are welcome, please email your comments to the email address shown below:Your comments are welcome, please email your comments to the email address shown below:Your comments are welcome, please email your comments to the email address shown below:Your comments are welcome, please email your comments to the email address shown below:Your comments are welcome, please email your comments to the email address shown below:
Those were the good old days. Now ARIN contact email addresses
are overwhelmed by spam and abuse reporting is more often missed.
A centralized automated system for annoyance reporting, including
spam, is needed to help protect the Internet end user that does not
understand even what an ARIN contact email is.

The answer is to design a protocol engineered to bring tranquility
and accuracy to the chaos of Internet annoyance logging that is
going on today. IIALP is

Iowa??

[EarnestChameleon]

Iowa?

That's a sure way to make sure the standard isn't adopted. (snicker)

Re:Iowa??

[maggeth]

I remember taking the Iowa standardized tests in grade school...

DHCP and MAC

[CaptainPinko]

How will this work with DHCP where the IP address is not constant at all. How about using the MAC address of the card? At least it's something that can't be cheaply replaced (I get a different IP everytime I log on) or at least not by the majourity of people.

Re:DHCP and MAC

[Feyr]

how about the fact that you can't see the MAC address past the first hop? or the other that MAC addresses aren't (and don't need to be) garanteed to be globally unique?

Re:DHCP and MAC

[djh101010]

Yeah, because the MAC address is so hard to change. ifconfig on some systems can do it, and a D-Link router can assume any MAC you'd like it to.

Re:DHCP and MAC

[Space+cowboy]

Your MAC address doesn't make it out onto the internet, AFAIK. The MAC is used to deliver packets on the same ethernet segment.

Simon

Re:DHCP and MAC

[ak_hepcat]

Your MAC address can be spoofed.

It's also only 'guaranteed' unique on the local broadcast segment. In quotes, because somebody could spoof yours and receive all your traffic.

Sure, you could log it. It's just not as secure an identifier as you think it is.

Re:DHCP and MAC

[happyfrogcow]

the bin of $7 ethernet cards at any used computer store seems cheap enough if your in a hurry.

Re:DHCP and MAC

"One unique complaint per IP per epoch period prevents flooding."

Woohoo, another use for my zombie network! Even defeats your MAC scheme... plus btw most new NICs can change MAC easily, requires a reboot at most.

Re:DHCP and MAC

[Guus.der.Kinderen]

In any case, your DHCP assigned IP will be extracted from the same pool of IP's. If tracked, this project might at least pinpoint service providers that don't do enough to prevent abuse.

Re:DHCP and MAC

[JThundley]

MAC addresses are changed simply with one common command.
You aren't a Linux user, are you?
I wrote the command into my startup script ever since my college banned my laptop's MAC address.

Re:DHCP and MAC

[Short+Circuit]

Well, you could implement a method for ISPs to publicly associate IPs with user IDs. I don't think it's a good idea, though, as vigilante action seems too likely.

I mean, sure, so guy A pisses off guy B in a chatroom or online game, so guy B sets his zombies to DDOS guy A's IP. (That's happened to me, as guy A.) Change that to "guy B sets his zombies to DDOS guy A, whatever his IP may become".

And then there's privacy issues, where someone may decide to deal with the problem in person.

Sure, some vigilante actions seems OK. Spammers' getting their names, addresses and phone numbers published comes to mind. But extend that to some jerk who hates you because you got him banned off his favorite server for, say, inappropriate language.

Re:DHCP and MAC

[silas_moeckel]

Gee because all DHCP addresses are allready pretty much listed as suspicious. Beyond that it's so so trivial to change a MAC address on any modern gear.

Re:DHCP and MAC

[Pieroxy]

Yeah, but he still have a point: IPs are much worse that MAC addresses in that regard. Logging IPs to identify anything is a silly idea.

Re:DHCP and MAC

[DAldredge]

And if you knew what you where talking about you would know that the MAC address isn't guranteed to survive the first hop thru a router.

Re:DHCP and MAC

[Theatetus]

Routers don't forward the MAC addresses of the communicating nodes. That's the beauty of a stacked protocol like TCP/IP.

Re:DHCP and MAC

[Kenja]

Not true. IP addresses have to be unique. Not true of Mac addresses.

Re:DHCP and MAC

unless your on dialup...

Re:DHCP and MAC

[Orick]

The basic problem being that MAC and individual IP addresses can be changed on a whim in many networks, how about just a general indicator/record for netblocks?

People could complain about an IP, but have the complaints automatically assigned as knocks against the ARIN the IP falls in.

Core BGP routers could be set to a particular threshold level of complaints, after which they'd drop their routes to that ARIN for a set period of time, in some sort of back-off protocol.

Of course, this doesn't solve the distributed zombie client complaint record generating problem, but I can't be expected to have all the ideas....

Re:DHCP and MAC

[JohnGalt00]

The timestamp of the abuse is recorded in the abuse log. The ISP of the reported abuser can look up who had a given DHCP address at a given time. I think they already have to keep these kinds of logs.

You're right though that reporter probably only has access to the IP of the abuser. If the abuser is a website, you obviously have the domain name. If we're talking about comcast zombies, you'd either need the abuser's ISP's cooperation, or the complaint gets applied to the ISP's entire subnet.

A possible solution would be to have the abuser's ISP cooperate so you could say "I have a complaint with the machine at x.x.x.x, give me a unique ID for them" maybe their ISP username plus the ISP's domain name i.e. johnnyblackhat.comcast.net for them to put in the log. If the abuser's ISP won't help, just report the ISP's subnet and let the ISP's honest customers bitch about the complaints (or leave for a better provider).

An interesting thing about this proposal is that the heirarchical nature helps identify problems, in that problems with a large number of users on an ISP can become problems for the ISP. If each reported abuse inflicted one abuse point on the user, a black hole server could add a virtual tenth of an abuse point to the ISP itself for each reported abuse. Spammer ISPs could be indentified and blocked very quickly.

Re:DHCP and MAC

Updated
The IP addresses if you change your mac address would still fall back on as an IP address from the AS that operates those ips and they hopefully would see it is your port, broadband uses ports in most cases. I would kick you off just for changing your MAC a lot, knowing you must be up to abusive activity.
Also this brings up another issue on the Internet in general by which IP addresses used to be more statically allocated and now some ISP's manage more users than they have abuse staff for so they dynamically allocate them, which in my opinion is a separate problem for abuse as one my obtain a tainted IP address. At the university where I am Net admin you get the same IP from birth to abortion and if you change your MAC you don't get an IP unless you pick another mac that is in the table.

Re:DHCP and MAC

IIALP would need to have a template for Layer 2 abuse.
While IIALP is primarily concerned with Layer 3 abuse, there is no reason Layer 2 abuse could not have templates created.
Once you pop through the first router on the way to the Internet Layer 2 is no longer applicable as an abuse concern and would be more of a patch issue for Cisco.

Re:DHCP and MAC

You don't think I will see the only one idiot changing his MAC every 3 minutes, you would be banned instantly off a secure network.
Plus, most ISPs give you only 1 IP and like Mediacom you cannot change your mac as it uses MAC auth, so you would need to pick a MAC in use already therefore bumping off another user, and setting off layer 2 alarms.
You guys sound like your having too much fun on layer 2.

Re:DHCP and MAC

[Pieroxy]

They have to be unique, but they can be dynamic!!! I don't know of any Mac address that could be dynamic (Well, you can always write a little daemon that changes the Mac address of your router/nic, but you'd have to write it). So in that regard, identifying people by their Mac address makes more sense that by their IP. But I agree that both make a pretty weak identification anyways.

Re:DHCP and MAC

[void*]

While it is true that ethernet addresses don't have to be unique worldwide, only within a broadcast domain, they are supposed to be unique.

The card manufacturers are given prefixes to use in the MAC of cards they make, and are supposed to not manufacture two cards with the same MAC. In practice, it happens, and you can usually just set a MAC address anyway. This is just a bit of trivia, however, in regard to why the MAC cannot be used for this purpose.

The reason the suggestion to use a MAC address won't work is because the MAC address should never leave the broadcast domain. It has nothing to do with whether or not MAC addresses are or should be unique. You're basically saying an effect (The MAC addresses never leaving a broadcast domain allows MAC addresses to, in practice, be duplicated in seperate broadcast domains) with the cause of another effect (The MAC addresses never leaving a broadcast domain means the MAC is unavailable to use in the manner suggested). Two effects, one cause, but you're saying one effect is the cause of the other effect. That's like making a shot in pool, where the cue ball hits two other balls simultaneously, yet the other two balls never contact each other, and saying 'the four ball dropped in the left corner pocket because the three ball dropped in the right corner pocket' - the balls dropped in the pockets they dropped in because the cue ball hit them, not because the other ball fell in the other pocket.

Re:DHCP and MAC

DHCP address really shouldn't jump about. Yes, I know some ISPs like change people's IP address as often as every few hours, but that's stupid. The DHCP protocol even includes steps to try to make sure IP addresses don't change. I've been with RR for over four years and my address changed once and that was due to an announced system wide block address change.

Re:DHCP and MAC

[rfc1394]

How about using the MAC address of the card? At least it's something that can't be cheaply replaced

I have a Linksys wireless router with (4 wired ports) between the computers in my household and our DSL connection. All internet traffic goes through the router; all the computers on the internal network have non-routable 192.168.1.x IP addresses assigned to them by the router using DHCP. I can connect to the router's management interface just as if it were a website by using its default 192.168.1.1 address on this internal network, give the username amd password and I'm in.

There are 7 regular tabs and an orange "advanced" tab. On the 6th tab of the "Advanced" tab is a tab called "Mac Addr. Clone" that if I click on it, it provides a group of boxes where I could enter six two-digit hex numbers, click on the apply button, and the router will present whatever I put in there as its MAC address.

So to change the MAC address I present to the world would take me, oh, 10 seconds. Time cost is negligible, monetary cost is zero.

Re:DHCP and MAC

[Trejkaz]

That would be fantastic. Just like how I was trying to get an important email to someone earlier this week, and the IP blocks of all three of my sending mail servers were all blocked by some indiscriminate anti-spam relay.

Re:DHCP and MAC

Last time I checked, a computer's MAC Address can be easily configured in Windows by going to Connection Properties and looking at the "Advanced" tab. While I'm there I can even set the default speed of the NIC, and sometimes packet sizes and such...

MAC addresses are so easy to change, and each IP packet gets the MAC of the device that forwarded the packet. So no matter what, you won't have a MAC on these packets except for one from your ISP's router, or you own router. At least the IP travels untouched with the packet through the whole trip...

Re:DHCP and MAC

[KIDputer]

I do beleive you are missing the scope of IIALP here. Layer 2 and layer 3 network abuse templates could both be created. Usually layer 2 network abuse is cause by poor administration of the network, but because it concerns you it will be given some more thought as we move forward. IIALP can have an infinite number of abuse template types, for each type of abuse be it Layer 2 or 3. But as the name applies, the Internet is layer 3, so IIALP is primarily a layer 3 tool. Having said that, there is already in the works a template for phone abuse, and abusive phone numbers. There are plans for IM abuse templates which can contain info/stuff from layers 3-7. There is also a template in the works for abusive domain names which are not even in the network stack they just are mapped via DNS to layer 3 IPV4 addresses. The things that get logged are predominately IP addresses but can also be domain names, and phone numbers. There are 2 things at play here, the abuse log template which determines what info is collected and what is passed upstream from the collected information and there can be an infinite number of templates which describe the abuse and its logging format. The other part is the (IAHT) Identifying Asset Holder Type, this specifies the thing that is "owned" on the Internet which is abusing people, such as an IP address, phone number, or domain name, there can also be an infinite number of IAHTs defined as well. The protocol has these 2 open ended features so as not to be obsoleted by IPV6 or Internet 2 etc...

Hmmmmm......

[theJerk242]

a site for the development of a generalized protocol for logging internet annoyances and abuses

I wonder if slashdot will ever use this, for controlling the trolls and ACs?

Re:Hmmmmm......

[WormholeFiend]

I guess your subnet has never been banned wholesale by slashdot before...

that or you're being facetious.

Re:Hmmmmm......

[Brandybuck]

Hell, Slashdot banned my entire class B network...

Re:Hmmmmm......

Get AIDS from a nigger in prison, assface.

This is wierd...

wats odd, is that they have us tagged as a luserish IP :(

Re:This is wierd...

haha modding you up someday

someday

so much effort saving going on, like open source or something in here

what about DHCP

[bdigit]

so what about all the people out there who get their ip from a DHCP server. Someone can be abusive and then within a given time have a new ip and some poor old grandma is now with this lusers old ip is flagged as an internet mischief.

Re:what about DHCP

[Monkelectric]

Yep, adelphia cable seems to base your IP address on your MAC address. If I need to change my IP address I just change my routers MAC address, sometimes my subnet even changes.

Nineth Post!

Nineth Post! Eat it Trolls!

That list'll get long quick

[Neil+Blender]

Our firewalls get port scanned many times daily. Our weblogs are filled with this kind of garbage:
63.189.X.196 - - [12/Jul/2004:16:31:04 -0700] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\ x

I could probably contribute a thousand IPs from last month alone.

Re:That list'll get long quick

[the_mad_poster]

And they're probably all 14 year old dweebs on a dial up connection that changes IP everytime the idiot gets called by his mother.

This is a stupid idea and, if they're serious, the people who are proposing it are stupid for doing so.

Re:That list'll get long quick

[Janek+Kozicki]

Our firewalls get port scanned many times daily. Our weblogs are filled with this kind of garbage: 63.189.X.196 - - [12/Jul/2004:16:31:04 -0700] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\ x

yes, I have it too. wtf is that?

Re:That list'll get long quick

What was the point in masking the attacker's IP address?

Thats plain silly. Why are you protecting them?

Re:That list'll get long quick

[Neil+Blender]

[12/Jul/2004:16:31:04 -0700] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\ x

yes, I have it too. wtf is that?

It's an attempt to exploit an IIS vulnerability.

Re:That list'll get long quick

yes, I have it too. wtf is that?

Looks like script kitties and/or worms that are running a known buffer-overflow to me.

Re:That list'll get long quick

[Neil+Blender]

What was the point in masking the attacker's IP address?

Thats plain silly. Why are you protecting them?

For the same reason this type of thing will never work. This could be coming from a worm or virus on some unsuspecting housewife's laptop. You going to go 'own' them?

Re:That list'll get long quick

No, such a suggestion was never made. However, again, there is zero point in protecting the attacker.

As an example of my lack of that unusual reasoning, I will post the entire IP.

24.174.152.123 - - [11/Jul/2004:13:16:01 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXX%u90 90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090 %u6858%ucbd3%u7801%u9090%u9
090%u8190%u00c3%u0003 %u8b00%u531b%u53ff%u0078%u000 0%u00=a HTTP/1.0" 404 272 "-" "-"

Re:That list'll get long quick

[matth]

See if I care.... I believe when you signed the TOS (for most ISPs) you agreed to some clause which said you agree to not let others use your account (except maybe in your immediate family) and you agree to be held responsible for any actions that are done through your account..
correct me if I'm wrong but did that spammer NOT come through your account?
ok thought so.. bye bye housewife you just violated the AUP/TOS.

Re:That list'll get long quick

[mr_rarr]

yes i was also getting this. It's nothing to worry about if you're not using windows. It's the IIS WebDAV exploit.

I added this in my httpd.conf just for fun ...

RedirectMatch permanent (.*)\/x90\/(.*)$ http://www.microsoft.com

Re:That list'll get long quick

[KIDputer]

The port scan and real-time atributed log records IIALP template design is going to be a tricky and meticulous process to design. I guess the best way to put this is if IIALP were in use in lets say, zone alarm version xyz, novice Internet users always say, "what is all that stuff attacking my firewall." "Who are they?" well if Zone alarm was using IIALP, it could append a complaint quantity to the IP so as to show the novice user that this is not your neighbor trying to share files , but it is a malicious machine that has done this bad thing 14,768,953 times in 2 days. Probably has NIMDA or Code RED variants. At least then the guy knows it is not his neighbor and also knows not to let the traffic in because millions of other people have blocked that address as well. Maybe this is not the greatest example, but I personally would like to query AS numbers to find out the most abusive networks and IP addresses to see which companies and countries are failing in their job at network security and perhaps bring the light on the real problem which is a lack of knowledge, tools and $$$ to secure Internet connected networks everywhere.

Re:That list'll get long quick

[Erik+Hollensbe]

You should send them to v4.windowsupdate.microsoft.com :)

yet another standard

[UnderAttack]

There are too many 'incidents exchange', 'intrusion detection', 'log', 'firewall log' standards to count. Many of them IETF drafts. IDMF has a little bit of traction. There is one format the music industry came out with to ease notifications of ISPs....

Do we need yet another "standard", or do we just need ISPs that are actually reading/handling any kind of abuse notice. Some are great about this, but others just route them to /dev/null.

Re:yet another standard

[Carnildo]

The nice thing about standards is that there are so many to choose from.

Re:yet another standard

[Burdell]

Speaking as someone that handles abuse@, I'll say
that anything that standardizes complaint formats is a good thing (as
long as everyone uses it of course). I have written several tools to
automate abuse handling so that I can keep up with it (when "virus of
the week" hits or a spammer signs up with a customer's customer; these
aren't really preventable things), but that is time consuming. I'm
trying to handle (in at least a semi-automatic way) AOL's feedback loop,
SpamCop, DShield, SecurePipe, and myNetWatchman (which is way too many).

Another part of the problem with handling abuse is you can't really do
much spam filtering on abuse@; if you do, you'll filter out
legitimate spam complaints as well. However, since abuse@ is
accepted most everywhere, it gets a ton of spam.

Re:yet another standard

[KIDputer]

IIALP is not an incident exchange format, but INCH is, IIALP is like dshield.org on steroids. The problem is a lot of the exchange attempts are too narrow and fail. dshield.org is great for port scans tracking. IIALP is more infinite because it is based on an infinite set of templates that get created for each new type of abuse, and mostly because it is a protocol not a website.

4/1

[rabel]

The annoyance logs on a particular IIALP Server are condensed and forwarded up the IIALP hierarchy to central Root IIALP Servers for central annoyance queries.

Come on... this is a joke, right? After annoyance queries, we can move on to annoyance mining and then the troll database and the lousy-speller's database with new improved SQL (Soundex Query Language for the spelling-impaired).

Annoyance queries? Pshaw.

Re:4/1

After annoyance queries, we can move on to annoyance mining and then the troll database and the lousy-speller's database

If they ever do an improper capitalization database, I'm all for it. I know one person who never uses capitals and thinks that anyone who can't spell is stupid or lazy.

Cool

[tds67]

Maybe we can also start a website that blacklists Communists, too.

Re:Cool

[KevinKnSC]

Or just define dissenting opinion as an "annoyance", and then this system will cover that, as well.

Re:Cool

Hillary Clinton, Sean Penn, John Kerry...

IOWA IALP

[lintocs]

If I had known the first "I" was for "IOWA", I wouldn't haver clicked through on this one.

Re:IOWA IALP

For what state do you wish was on there? your own maybe, me too. That is why I chose Iowa.

minusm 1, Troll)

how it was supposed performing.' Even fact there won't RRadt's stubborn move any equipment turned over to yet had at lunchtime

Re:minusm 1, Troll)

I sure hope the IP address for goat.cx is added to that list. Man, that was horrible! I'm still in pain just seeing that! (If you've never clicked this link, don't.)

Re:minusm 1, Troll)

You must be new here.

Interesting possibilities

Can I report repeat luser/cheater/lamers from my mud? I bet I'm not the only sysadmin they abuse...

Guess?

[0x54524F4C4C]

Try to guess which high-traffic website is going to be classified as public enemy no.1 due to its sustained absolute lack of respect to low-bandwidth websites by posting sensationalistic stories including links to them, while a *very simple* local caching system could solve easily the problem.

Re:Guess?

[steveb964]

while a *very simple* local caching system could solve easily the problem.

But then it would *hardly* be slashdot then, would it? ;o)

Re:Guess?

Is it Fark?

TVP

Tiny Violin Protocol.

Re:TVP

Textured Vegetable Protocol

127.0.0.1

[MosesJones]

Always appear to have the most crap on it of any system I see, the bugger is always falling over and its never the same site when I look back a few months later.

And why oh why does the owner of this "localhost" system insist on using non-standard ports all the time.

Re:127.0.0.1

Always appear to have the most crap on it of any system I see, the bugger is always falling over and its never the same site when I look back a few months later.

Quantum webhosting.

Once you see the site, the probability wave collapses and the site changes.

- Seth

Re:127.0.0.1

[bitflip]

That's because I keep h4xoring it.

Press release? Where?

Would be cool to see the press release mentioned?

Digging in standard drafts when you aren't involved in them isn't too fun. :-P

Signal to Noise ratio

[Ex+Machina]

I'm browsing the RFC, and it sounds like they're planning on having people's firewalls spit out IIALP messages in response to port scans, etc. In my opinion, this is a really bad idea! Worm activity, someone running a stupid automated scan against an entire class A (whoooops!) by mistake, or a port scan trying to locate a particular machine whose ip has changed (which I have had to do), etc need to be differentiated from actual malicious activities. I can see this being used by overzealous admins to try to drop ALL traffic at the firewall level from anyone *ever* who gets a complaint propagated to them via this. Also, does anyone really expect their STUPID!@!!@ .log TLD proposal to be accepted?!??!! Jeez, everyone knows that this will never go through. Why do people insist on changing DNS, creating namespace pollution or breaking some other protocol (SMTP for a lot of spam "spolutins") for every problem facing the net!

Re:Signal to Noise ratio

[I+confirm+I'm+not+a]

Also, does anyone really expect their STUPID!@!!@ .log TLD proposal to be accepted?!??!!

Totally. We've been waiting since 1990 - 1990! for this, which seemed so great for so long, but sadly never was adopted.

:)

Re:Signal to Noise ratio

[Slash+Privacy+Watch]

I'm browsing the RFC, and it sounds like they're planning on having people's firewalls spit out IIALP messages in response to port scans, etc. In my opinion, this is a really bad idea!

You don't know the half of it. Slashdot actually port scans every computer that posts anonymously looking for proxies. If this protocol went into affect, Slashdot would be at the top of the list, continually proxy scanning the hundreds of anonymous posters it gets per minute. If ISPs implemented it, no one would even be able to route to Slashdot.

Consider the effectiveness of Slashdot's own "excessive bad posting" filter, which (to overcome DHCP) has subnet-banned class C's all over the Internet, blocking hundreds of people from posting.

I'd say that just based on the examples give above, this kind of banlisting would be a false-positive-ridden nightmare scenario.

Re:Signal to Noise ratio

[KIDputer]

Each abuse type has its own templte to minimize false positives. Obviously, the port scanning template will need to be very exact and there will need to be many types of port scan templates. IIALP does not block anything it can be used as another tool for watching your Internet backside.

Is it RFC3514 compliant?

[JPriest]

We already have an RFC for the security flag in the IPv4 header (AKA "Evil Bit").

Re:Is it RFC3514 compliant?

Iowa Internet Annoyance Logging Protocol
(IIALP) pronounced E'-alp

Status of this Memo

This document is an Internet-Draft and is subject to
all provisions of Section 10 of RFC2026.This document is an Internet-Draft and is subject to
all provisions of Section 10 of RFC2026.This document is an Internet-Draft and is subject to
all provisions of Section 10 of RFC2026.This document is an Internet-Draft and is subject to
all provisions of Section 10 of RFC2026.This document is an Internet-Draft and is subject to
all provisions of Section 10 of RFC2026.This document is an Internet-Draft and is subject to
all provisions of Section 10 of RFC2026.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at http://
www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

This Internet-Draft will expire on November 17, 2004.

Copyright Notice

Copyright (C) The Internet Society (2004). All Rights Reserved.

Abstract

This draft describes a system by which Internet Annoyances can be
logged quickly and automatically using IIALP (Iowa Internet Annoyance
Logging Protocol). The annoyance logs on a particular IIALP Server
are condensed and forwarded up the IIALP hierarchy to central Root
IIALP Servers for central annoyance queries. Serial numbers and TTL
values keep the individual reports organized and dated. One unique
complaint per IP per epoch period prevents flooding. Differences
in detail and propagation parameters exist between Root and
Subordinate IIALP Servers to allow for more detail to be kept at the
originating IIALP Server. Transmission Echoes, Redundant Handshaking,
and Hierarchy Structure eliminate erroneous reporting. Routers and
software running IIALP can use IIALP to create dynamic black hole
lists for abusing Internet assets exceeding a set limit. IIALP allows
for an infinite number of different types of annoyances to exist but
has concise templates for common annoyances such as SPAM. IIALP
is a centralized logging system for Internet annoyance event
reporting.

Table of Contents

0. Introduction

Annoyance reporting was not a problem in the early years of the
Internet. You simply emailed the ARIN contact for the Autonomous
System (AS) that was annoying you and the system administrator
there would cut of the user and launch an investigation into the
annoyance and provide the abused with an answer on what happened
and what measures were taken to correct the problem.
Your comments are welcome, please email your comments to the email address shown below:Your comments are welcome, please email your comments to the email address shown below:Your comments are welcome, please email your comments to the email address shown below:Your comments are welcome, please email your comments to the email address shown below:Your comments are welcome, please email your comments to the email address shown below:
Those were the good old days. Now ARIN contact email addresses
are overwhelmed by spam and abuse reporting is more often missed.
A centralized automated system for annoyance reporting, including
spam, is needed to help protect the Internet end user that does not
understand even what an ARIN contact email is.

The answer is to design a protocol engineered to bring tranquility
and accuracy to the chaos of Internet annoyance logging that is
going on today. IIALP is that spec

Re:Is it RFC3514 compliant?

IIALP goes way beyond a packet header as the first thing any good abuse system needs to work well is a datapath for abuse complaints to a root source that can be queried by everyone.

Invasion of Privacy

[SolidiusRock]

Who's to say that spam corps can't get a hold of this? Now they have even more direct access to a list of people. Even if a half a dozen are revolving IPs (which in and of itself can be dangerous to your average "innocent" user), you can still get a few good hits to do your worst.

On a personal note, I feel that it should be carefully reviewed before the internet as a whole adopts this.

This is reckless and dangerous...

...unless they first define and implement the Abuse Logging Abuse Protocol or IIALAP.

Good thing it's not in Kansas.

Oh, it'd still be created, it just wouldn't evolve.

Ah yes...

[Erwos]

Senator McCarthy rises from the grave to bring us his Internet blacklist!

I don't see this going anywhere useful, that's all.

-Erwos

Re:Ah yes...

He's back! And he makes less sense than ever!

"Mrrrarrroow commmmiiieessss."

It's Zombie McCarthy in...

"Better Undead than Red!"

Re:Ah yes...

[KIDputer]

You mean any further than it has already gone....oops it already went further since you posted this.

So its going to be...

..a database of Slashdot users? /. effect beware! :p

YHBT

YHBT, YHL, HAND.

Two words:

[Anixamander]

Evil bit.

My first submission

[IGnatius+T+Foobar]

I would like to submit my first abuse entry. The IP network 131.107.0.0/16 repeatedly pushes onto the Internet a combination of viruses (such as one called "Windows"), spyware (such as one called "Internet Explorer"), and hate speech (particularly against the Linux community).

All network administrators should blackhole this address space.

Banned from the internet!

[obli]

Soon a reality... how exciting...

Re:Banned from the internet!

Remember IIALP does not block anything, it just keeps track.
It also incorporates white and black lists to protect itself.

Fatal flaw in environmental assumption

[bourne]

Having just skimmed the draft, there's a fatal flaw with this solution. To quote:

The idea is that no one person can make a big impact to the Root IIALP Servers but a million people all annoyed by the same SPAM can make a huge impact.

However, they don't seem to address the idea that one person controlling a million drones that send spam today... can control a million drones that submit IIALP reports about, say, cnn.com tomorrow, resulting in an DOS from all the sites that block based on the IIALP lists. They rely upon the reports of end-users, but do not take into account the fact that massive volumes of "end-user" machines are compromised and usable as drones for whatever nefarious uses their 0wner wants.

In short, their anti-spoof assumes individual malicious user endpoint hosts. If the malicious users on the Internet were limited to individual endpoint hosts, we wouldn't need solutions like IIALP!

Re:Fatal flaw in environmental assumption

So use a "real person" validation technique to verify that an actual human being submitted the report. You know, like when you sign up for free email and they require you to tell them what the distorted word in the .jpg is to make sure you're not a script...

Re:Fatal flaw in environmental assumption

[rfc1394]

However [] one person controlling a million drones that send spam today... can control a million drones that submit IIALP reports [] their anti-spoof assumes individual malicious user endpoint hosts. If the malicious users on the Internet were limited to individual endpoint hosts, we wouldn't need solutions like IIALP!

So use a "real person" validation [] like when [] they require you to tell them what the distorted word in the .jpg is

I liked what the first person said and I like your idea of using capchas to prevent fake reports. Of course, there are problems with captchas being fed to people for interpretation (some porno gateways are feeding other people's capchas as blocks for their sites and using the response to feed back to the supplier). There are ways to solve that problem (captcha timeouts, use of random checkboxes instead of text input boxes, etc.)

Re:Fatal flaw in environmental assumption

[bourne]

So use a "real person" validation technique... like when you sign up for free email and they require you to tell them what the distorted word in the .jpg is...

Three problems off the top with that...

1. Capchas don't work for spam, because spammers hook them to "free" porn pages to get people to solve them. Again, if it doesn't work to stop spam today, why would it work to stop the people who want to spam despite IIALP?
2. My mail server blacklists roughly 1000 hosts a day for attempting to send spam to or through it. Are you suggesting that the average user will validate themselves thousands of times a day? I think not. A system like IIALP is predicated on automated analysis of obvious 'attack' trends. If it needs a user, it'll never work (e.g., how many people view, understand, and care about ZoneAlarm popups? Not many).
3. IIALP must include the input of actual infrastructure - mail servers, web servers, routers, firewalls, etc. etc. - in order to help protect said infrastructure. It won't work if it only gets input from end nodes with no services. Such systems, by definition, already have an overworked, underpaid admin who is not going to have time to 'validate' his systems reports.

I have long thought about a system which has some similarities to IIALP, and have thought through some of the pitfalls. A system can be built which is based on the reports of nodes - but only if the nodes have credibility factors, strong encryption and non-repudiation, and the system is designed to cross-check and distrust node reports until throroughly corroborated. It should weight systems according to their uses, and it should have limited scopes (e.g., what's attack info on my network, may not be on yours).

Re:Fatal flaw in environmental assumption

[KIDputer]

Excellent points well taken. DDOS and false reporting are being developed as we speak for IIALP. We are trying to include all simple to impliment and widly accepable methods for authentication and validity checking Its cool that people take the time to point out problems will no doubt help in the refinement of this IIALP work in progress. Keep an eye out the next revisions and please continue to dicect it for flaws. We plan to start an open source project for the server/client raw code. This way it can be in theory implimented for a very reasonable fee after people make it into bloatware .exe's.

Frontpage?

A site about (internet) abuse logging... made in Front Page?
(speechless)

Re:Frontpage?

Who cares? It worked fine in Moz 1.7.1

Maybe they demoronized it first . . .

Hi, quick question

I'm a very experienced Gobolinux user. What's "/dev/null"??

Re:Hi, quick question

Something that anyone with any pretense of understanding Unix should know. If you're just pimping your "different for no good reason" distribution, fuck you and lick dick.

Re:I troll slashdot OFF-Topic Reply -1 -1 -1 -1 -1

[i_r_sensitive]

I think your sig should be:

dyslexic trolls untie!

internet abuse == Verisign?

[Kadmos]

Am I the only one who went to check if verisign was first on the list? :-P

Description wasn't quite right...

[dcmeserve]

He meant:

... abuselog.org, a site for the development of a generalized protocol for logging internet annoyances and abuses to a set of central servers, which could then be DDOS'd all to hell and back by the perpetrators of said annoyances and abuses.

Re:Description wasn't quite right...

[rfc1394]

He meant:

... abuselog.org, a site for the development of a generalized protocol for logging internet annoyances and abuses to a set of central servers, which could then be DDOS'd all to hell and back by the perpetrators of said annoyances and abuses.

This needs to be moderated funny as hell. It unfortunately is quite true...

Re:Description wasn't quite right...

[KIDputer]

If you can still say that 3 months from now I will be surprised. What you are reading right now is the scope of the project, all the mechanisms are not there yet to dispute. DDOS prevention is at the top of the list for requirements for IIALP. IIALP is in the todler stage and has just begun to walk, in three months after we get this this re-tuned by industry experts, you will not even see the kid run by you.

Re:Description wasn't quite right...

[GnarlyNome]

"I'm being NIBBLED to death by CATS!" - L. Mollari
"I'm being NIBBLED to death by Ducks" - cletus Judd

The real motivation for this...

As one poster mentioned, it is because they want a new tld ".log" dedicated to their system.

Please someone squash this and while youare at it, please throw WS-I, XML, SOAP, AOP, UDDI, WDSL into the burlap sack before chucking it in the river.

Everytime you use IIALP, god kills a kitten.

Re:The real motivation for this...

Talking about killing kittens. Some sick bastard did that a few miles from where I live. A woman found the head of one of them on her doorstep with its mother howling in distress. The body of another was found nearby. Oh, if guns were more available in the UK...

We have such a system

Funny, seems to me that Slashdot is exactly the system described.

Isn't this site just a repository of linux users complaining about windows abuses instead of doing anything useful with their lives?

That's all the described system would ever be, all you linux bastards would spend your lives logging imaginary problems with windows systems, preventing any real value arising from the repository.

A shameless plug

[mi]

stories about RBLs that add people, but never remove them.

My State KEeping Milter maintains temporary blocks and automaticly removes even the "permanent" bans, which are not triggered for a specified period of time....

Re:A shameless plug

[KIDputer]

Glad to hear that as I do not favor blacklists and bans and consider any form of Internet blockage as a last resort and temporary measure only to ensure the viability of the particular Internet resource under attack.

Sounds good idea but it had problems...

How can you exactly know if someone isn't lying to you?

Situation can also change when IP gets new owner.

Some kind of web of trust or probabilistic modelling is needed to get good results with
inaccurate,
spoofed,
missing and
wrong information.

They really need this at the iRiver support forum!

Just take a look at the mess going on at their user support forum, it's virtualy owned by a 12year old.

www.iriver.com/community

I know cut & paste sucks.

SPAM is a trademark of Hormel

[alanxyzzy]

SPAM in all upper case is a trademake of Hormel, and refers to their pork luncheon meat product. They request that when the term is used to refer to unsolicited bulk e-mail, it is not capitalised.

IIALP allows for an infinite number of different types of annoyances to exist but has concise templates for common annoyances such as SPAM.

One cannot take entirely seriously anyone proposing a new method of fighting net-abuse, who is not aware of this fact.

Re:SPAM is a trademark of Hormel

[KIDputer]

We will fix it in the next revision, sorry for the misunderstanding. I always write it as SPAM because it is a BIG problem and is a very LOAD way to say it.

Port Scanning is not offensive

[Medievalist]

Port scanning is legitimate, harmless investigative activity (unless it is part of a Denial-of-Service attack, but that applies to all forms of connection anyway - obviously, you can be DOSsed with half-pings or even GRE packets).

Are you going to claim you never have to port-scan in order to solve a problem? C'mon, man, get a grip. Sometimes even end-users have a legitimate need to portscan! Log it and move on, the real bad guys don't stop with a simple port-scan.

Re:Port Scanning is not offensive

[Neil+Blender]

Are you going to claim you never have to port-scan in order to solve a problem?

No. But I have never legitimately port scanned any network other than my own (ie work and home).

Re:Port Scanning is not offensive

[Medievalist]

I have. And I've solved many problems for people by doing so; it's a valid investigative technique, and it's foolish to equate port-scanning with malicious intent.

Look at it this way: All the people that ever attempted to crack your security breathe air. Obviously, punishing people for breathing air makes no sense... just because it's a prerequisite activity to cracking your system does not mean that in and of itself it's a bad thing. Portscanning, same same.

Within the next few hours I will be portscanning two networks; one, a hospital, the other a medical ASV. They have connectivity problems they can't figure out, and I'm going to help them fix them. I don't intend to ask for permission from their IT hierarchy before I portscan them, and I don't expect them to give me any grief about it, because portscanning them will not harm them.