Slashdot Mirror


IIALP - Abuse Logging Protocol

George Davey sent us a press release about abuselog.org, a site for the development of a generalized protocol for logging internet annoyances and abuses to a set of central servers, which could then be queried to find out which IPs are luserish.


  1. that's cool! by grub · · Score: 5, Funny


    which could then be queried to find out which IPs are luserish.

    Interesting: 66.35.250.150 and 66.35.250.151 are the only entries. Truly uncanny AI.

    --
    Trolling is a art,
    1. Re:that's cool! by strictnein · · Score: 4, Informative

      Am I missing something? There seems to be absolutely nothing interesting to even look at for this site.

      Web site for the Iowa Internet Annoyance Logging Protocol (IIALP) Working Group.
      IIALP is pronounced: E'-alp.

      A copy of the current IETF "Internet-Draft" which represents a work in progress for IIALP is here:
      http://www.ietf.org/internet-drafts/draft-davey-iialp-01.txt

      RTF versions of all the internet-draft work in progress revisions are here:
      http://www.abuselog.org/Documents/00/draft-davey-iialp-00.rtf
      http://www.abuselog.org/Documents/00/draft-davey-iialp-01.rtf

      Next Revision Peek Ahead:
      Working on the sample templates and template root structure

      Your comments are welcome, please email your comments to the email address shown below:
      Make sure to include IIALP first in the subject line followed by the actual subject.

  2. I hope by jb.hl.com · · Score: 5, Insightful

    There's some form of verification.

    In and of itself, this could be very easily abused by, say, people with a grudge who want to essentially get someone else an internet death penalty.

    --
    By summer it was all gone...now shesmovedon. --
    1. Re:I hope by MobyDisk · · Score: 5, Interesting

      This is very important. Slashdot periodically posts stories about RBLs that add people, but never remove them. As horrible as it is to think, I wonder if some sort of legislation (governmental, ICANN, or otherwise) is necessary to keep these systems fair.

      I recently had Comcast shut down my port 25 access due to spam reports. Of course, they refused to tell me who reported me or what they reported, so even giving them logs of my outgoing port 25 access from a sniffer isn't enough for them to remove the mark from my record. (However, if I tell them I went to Windows update and ran a virus scanner they enable my access again. Nevermind that Windows Update doesn't do much on my Linux box. :-) )

    2. Re:I hope by Scoria · · Score: 3, Interesting

      Touché. PKI is probably applicable here.

      If this group is merely validating complaints by including only those that have been submitted on many different occasions by unique hosts, then a malevolent individual could hypothetically establish a distributed network of compromised machines - perhaps by deploying an Internet worm - and then submit his false complaint, thus circumventing that precaution.

      --
      Do you like German cars?
    3. Re:I hope by jdreed1024 · · Score: 3, Interesting
      As horrible as it is to think, I wonder if some sort of legislation (governmental, ICANN, or otherwise) is necessary to keep these systems fair.

      I recently had Comcast shut down my port 25 access due to spam reports. Of course, they refused to tell me who reported me or what they reported, so even giving them logs of my outgoing port 25 access from a sniffer isn't enough for them to remove the mark from my record.

      And for starters, we could use some legislation requiring cable companies to treat all customers equally, regardless of how much they're paying. If you have a business account for cable modem service, they'll forward you reports of spam or other abuses (i.e. port scanning from your machine), and they'll bend over backwards to help you, and if you say "there is no way this is my machine", they'll actually accept it on the first try and push the complainant to give more details or more proof.
      (yes, I know legislation for that will never work, but it's most unfortunate that end users can get screwed more easily just because they're paying less. I mean, the power company won't ignore your report of a blackout just because you don't keep your lights and A/C on 24 hours a day)

      --
      There is no sig, there is only Zuul.
    4. Re:I hope by Ayaress · · Score: 3, Informative

      My DSL company did something similar to me, although it was pure dumbass, and not malice on anybody's part. I'm on a dynamic IP system, so every time I disconnect and then reconnect, I have a different IP. Never causes much problem, since I don't do anything at home that would require me to have a static IP. Anyway, the local police made a big bust on a guy selling child pornography on a webserver in the back room of his office (the guy's a pediatrician). The police got a good couple hundred IP addresses from logs. Most of them were out of their jurisdiction, so they sent them on to somebody else. But a half-dozen or so were right here in town. They go to the ISPs, and try to get the names of the users behind said IPs. My ISP was more than happy to cooperate on something like this, so they had somebody look up the logs and figure out who had such-and-such address at the time stated (it was something like 4 AM on a Tuesday). Anyway, it comes up with my name. I had some pretty awkward conversations with police, neighbors, parents, etc. for a while until I get a call one day. The dumbass ISP must have entered the wrong search query or something, because as it turned out, that was my IP at 4 AM on a Tuesday - just a month earlier.

    5. Re:I hope by wkcole · · Score: 2, Insightful
      This is very important. Slashdot periodically posts stories about RBLs that add people, but never remove them. As horrible as it is to think, I wonder if some sort of legislation (governmental, ICANN, or otherwise) is necessary to keep these systems fair.

      There is a pair of ID's on DNSBL technical details and best practices which seems to me more than enough. Actual law would be hopelessly unenforced window-dressing (see the millions of spamming zombies around the USA? Every one is a federal felony in progress. Where's Johnny Ashcroft on that crime???) or (worse) an excuse for the worst elements of law enforcement (see above) to selectively harass people who are really only engaging in free speech and protection of private property. Blacklists don't block mail, people using blacklists block mail. No one is forced to use any blacklist with a mail system they own or to buy services from a mail system that uses any specific blacklist. If you don't like the way your mail provider does spam filtering, find another provider or run your own mail.

      I recently had Comcast shut down my port 25 access due to spam reports.

      That's interesting, because Comcast claims that they recently cut off port 25 to ALL of their residential customers. That's for the best, given that they were completely unwilling to actually police their network for misuse in any serious and specific way. Are you sure you were not just part of that blanket closure?

    6. Re:I hope by NoOneInParticular · · Score: 2, Interesting
      You seem to misunderstand, the grandparent asks if it is necessary that the government needs to put restrictions on "banning free speech", not on "free speech" itself. The way internet abuse is handled currently, it is not unimaginable that in the not so far future you can effectively kick someone off the internet with one anonymous phone call to a non-accountable agency, with the victim not having any recourse other than to switch providers. Rinse, lather, repeat.

      However, if your version of "free speech" includes the freedom to prevent speech (such as Comcast is doing), then we're at the end of the discussion I think.

    7. Re:I hope by wkcole · · Score: 2, Insightful
      And for starters, we could use some legislation requiring cable companies to treat all customers equally, regardless of how much they're paying.

      That is a sure way to legislate that they charge everyone the same price and offer exactly one level of (lousy) service.

    8. Re:I hope by aardvarkjoe · · Score: 2, Insightful
      My version of free speech includes the freedom to publish a list of IPs -- because I think they are spamming, or for any other reason. That infringes on nobody's right to speech. Unfortunately, most people seem to think that "free speech" means "speech I agree with."

      Incidentally, this is separate from Comcast's right to use their private equipment as they see fit -- which is what blocking ports based on spam reports is.

      --

      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
  3. DHCP and MAC by CaptainPinko · · Score: 4, Interesting

    How will this work with DHCP where the IP address is not constant at all? How about using the MAC address of the card? At least it's something that can't be cheaply replaced (I get a different IP every time I log on), or at least not by the majority of people.

    --
    Your CPU is not doing anything else, at least do something.
    1. Re:DHCP and MAC by Feyr · · Score: 4, Informative

      how about the fact that you can't see the MAC address past the first hop? or the other that MAC addresses aren't (and don't need to be) guaranteed to be globally unique?

    2. Re:DHCP and MAC by djh101010 · · Score: 5, Interesting

      Yeah, because the MAC address is so hard to change. ifconfig on some systems can do it, and a D-Link router can assume any MAC you'd like it to.

    3. Re:DHCP and MAC by ak_hepcat · · Score: 3, Informative

      Your MAC address can be spoofed.

      It's also only 'guaranteed' unique on the local broadcast segment. In quotes, because somebody could spoof yours and receive all your traffic.

      Sure, you could log it. It's just not as secure an identifier as you think it is.

      --
      Support FSF: Stop thinking with your wallet, and think with your imagination. (cc/non-commercial)
    4. Re:DHCP and MAC by Guus.der.Kinderen · · Score: 2, Informative

      In any case, your DHCP assigned IP will be extracted from the same pool of IP's. If tracked, this project might at least pinpoint service providers that don't do enough to prevent abuse.

    5. Re:DHCP and MAC by Pieroxy · · Score: 3, Interesting

      They have to be unique, but they can be dynamic!!! I don't know of any MAC address that could be dynamic (Well, you can always write a little daemon that changes the MAC address of your router/NIC, but you'd have to write it). So in that regard, identifying people by their MAC address makes more sense than by their IP. But I agree that both make a pretty weak identification anyways.

  4. what about DHCP by bdigit · · Score: 3, Insightful

    so what about all the people out there who get their IP from a DHCP server? Someone can be abusive and then within a given time have a new IP, and some poor old grandma who now has this luser's old IP is flagged for internet mischief.

  5. That list'll get long quick by Neil+Blender · · Score: 4, Interesting

    Our firewalls get port scanned many times daily. Our weblogs are filled with this kind of garbage:
    63.189.X.196 - - [12/Jul/2004:16:31:04 -0700] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\ x

    I could probably contribute a thousand IPs from last month alone.

    1. Re:That list'll get long quick by mr_rarr · · Score: 2, Informative

      yes i was also getting this. It's nothing to worry about if you're not using windows. It's the IIS WebDAV exploit.

      I added this in my httpd.conf just for fun ...

      # match request paths containing the literal "\x90" sequence seen in the log above
      RedirectMatch permanent (.*)\\x90(.*)$ http://www.microsoft.com

  6. yet another standard by UnderAttack · · Score: 4, Insightful

    There are too many 'incidents exchange', 'intrusion detection', 'log', 'firewall log' standards to count. Many of them IETF drafts. IDMF has a little bit of traction. There is one format the music industry came out with to ease notifications of ISPs....

    Do we need yet another "standard", or do we just need ISPs that are actually reading/handling any kind of abuse notice. Some are great about this, but others just route them to /dev/null.

    --
    ---- join dshield.org Distributed Intrusion Detec
  7. 4/1 by rabel · · Score: 4, Interesting

    The annoyance logs on a particular IIALP Server are condensed and forwarded up the IIALP hierarchy to central Root IIALP Servers for central annoyance queries.

    Come on... this is a joke, right? After annoyance queries, we can move on to annoyance mining and then the troll database and the lousy-speller's database with new improved SQL (Soundex Query Language for the spelling-impaired).

    Annoyance queries? Pshaw.

  8. TVP by Anonymous Coward · · Score: 4, Funny

    Tiny Violin Protocol.

  9. 127.0.0.1 by MosesJones · · Score: 3, Funny

    Always appears to have the most crap on it of any system I see, the bugger is always falling over and it's never the same site when I look back a few months later.

    And why oh why does the owner of this "localhost" system insist on using non-standard ports all the time.

    --
    An Eye for an Eye will make the whole world blind - Gandhi
  10. Signal to Noise ratio by Ex+Machina · · Score: 4, Insightful

    I'm browsing the RFC, and it sounds like they're planning on having people's firewalls spit out IIALP messages in response to port scans, etc. In my opinion, this is a really bad idea! Worm activity, someone running a stupid automated scan against an entire class A (whoooops!) by mistake, or a port scan trying to locate a particular machine whose IP has changed (which I have had to do), etc. need to be differentiated from actual malicious activities. I can see this being used by overzealous admins to try to drop ALL traffic at the firewall level from anyone *ever* who gets a complaint propagated to them via this. Also, does anyone really expect their STUPID!@!!@ .log TLD proposal to be accepted?!??!! Jeez, everyone knows that this will never go through. Why do people insist on changing DNS, creating namespace pollution or breaking some other protocol (SMTP for a lot of spam "solutions") for every problem facing the net!
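The differentiation this comment asks for has to happen at the sensor, before anything is forwarded. As an added example (not the draft's code and not from any commenter), here is a Python filter over constructed Apache-style access log lines in the format quoted in comment 5 above: it groups hits by source address and proposes a report only when one source touches several distinct paths within a short window, so a single misdirected request, or a client stuck reloading one page, is never turned into a complaint. The thresholds, the window, and the sample lines (documentation-range addresses) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Client address, timestamp and request line of an Apache-style access log entry,
# the same shape as the line quoted in the thread.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample (not real traffic): one probing source, one single request,
# one client hammering a single page.
SAMPLE_LINES = [
    r'203.0.113.7 - - [12/Jul/2004:16:31:04 -0700] "SEARCH /\x90\x02\xb1 HTTP/1.1" 411 -',
    r'203.0.113.7 - - [12/Jul/2004:16:31:20 -0700] "GET / HTTP/1.0" 200 1043',
    r'203.0.113.7 - - [12/Jul/2004:16:31:41 -0700] "GET /admin/ HTTP/1.0" 404 -',
    r'203.0.113.7 - - [12/Jul/2004:16:32:05 -0700] "GET /cgi-bin/ HTTP/1.0" 403 -',
    r'203.0.113.7 - - [12/Jul/2004:16:32:30 -0700] "GET /scripts/ HTTP/1.0" 404 -',
    r'203.0.113.7 - - [12/Jul/2004:16:32:50 -0700] "GET /_vti_bin/ HTTP/1.0" 404 -',
    r'198.51.100.4 - - [12/Jul/2004:16:40:00 -0700] "GET /index.html HTTP/1.1" 200 512',
    r'192.0.2.9 - - [12/Jul/2004:16:45:00 -0700] "GET /status HTTP/1.1" 200 80',
    r'192.0.2.9 - - [12/Jul/2004:16:45:10 -0700] "GET /status HTTP/1.1" 200 80',
    r'192.0.2.9 - - [12/Jul/2004:16:45:20 -0700] "GET /status HTTP/1.1" 200 80',
    r'192.0.2.9 - - [12/Jul/2004:16:45:30 -0700] "GET /status HTTP/1.1" 200 80',
    r'192.0.2.9 - - [12/Jul/2004:16:45:40 -0700] "GET /status HTTP/1.1" 200 80',
    r'192.0.2.9 - - [12/Jul/2004:16:45:50 -0700] "GET /status HTTP/1.1" 200 80',
    'this line is not a log entry and is skipped',
]


def parse_line(line):
    """Return (ip, timestamp, request_path), or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    parts = m.group("req").split(" ")
    path = parts[1] if len(parts) > 1 else m.group("req")
    return m.group("ip"), ts, path


def noisy_sources(lines, window=timedelta(minutes=10), min_hits=5, min_paths=3):
    """Map source IP -> total hits, for sources that within any single window
    made at least min_hits requests to at least min_paths distinct paths.
    One stray request never qualifies, and neither does a client that keeps
    refreshing one page; a source walking through many paths does."""
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts, path = parsed
            by_ip[ip].append((ts, path))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            paths = [p for t, p in events[i:] if t - start <= window]
            if len(paths) >= min_hits and len(set(paths)) >= min_paths:
                flagged[ip] = len(events)
                break
    return flagged


if __name__ == "__main__":
    print(noisy_sources(SAMPLE_LINES))  # only 203.0.113.7 clears the bar
```

Only the source that walked six distinct paths is proposed for a report; the one-off request and the page-refreshing client are dropped at the sensor, which is the point the comment makes about signal versus noise.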

  11. Is it RFC3514 compliant? by JPriest · · Score: 3, Funny

    We already have an RFC for the security flag in the IPv4 header (AKA "Evil Bit").

    --
    Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
  12. Re:Guess? by steveb964 · · Score: 2, Funny

    while a *very simple* local caching system could solve easily the problem.

    But then it would *hardly* be slashdot then, would it? ;o)

  13. Two words: by Anixamander · · Score: 3, Funny

    Evil bit.

    --
    Do not taunt Happy Fun Ball(TM)
  14. My first submission by IGnatius+T+Foobar · · Score: 2, Funny

    I would like to submit my first abuse entry. The IP network 131.107.0.0/16 repeatedly pushes onto the Internet a combination of viruses (such as one called "Windows"), spyware (such as one called "Internet Explorer"), and hate speech (particularly against the Linux community).

    All network administrators should blackhole this address space.

    --
    Tired of FB/Google censorship? Visit UNCENSORED!
  15. Fatal flaw in environmental assumption by bourne · · Score: 5, Insightful

    Having just skimmed the draft, there's a fatal flaw with this solution. To quote:

    The idea is that no one person can make a big impact to the Root IIALP Servers but a million people all annoyed by the same SPAM can make a huge impact.

    However, they don't seem to address the idea that one person controlling a million drones that send spam today... can control a million drones that submit IIALP reports about, say, cnn.com tomorrow, resulting in an DOS from all the sites that block based on the IIALP lists. They rely upon the reports of end-users, but do not take into account the fact that massive volumes of "end-user" machines are compromised and usable as drones for whatever nefarious uses their 0wner wants.

    In short, their anti-spoof assumes individual malicious user endpoint hosts. If the malicious users on the Internet were limited to individual endpoint hosts, we wouldn't need solutions like IIALP!

    1. Re:Fatal flaw in environmental assumption by bourne · · Score: 2, Interesting

      So use a "real person" validation technique... like when you sign up for free email and they require you to tell them what the distorted word in the .jpg is...

      Three problems off the top with that...

      1. Captchas don't work for spam, because spammers hook them to "free" porn pages to get people to solve them. Again, if it doesn't work to stop spam today, why would it work to stop the people who want to spam despite IIALP?
      2. My mail server blacklists roughly 1000 hosts a day for attempting to send spam to or through it. Are you suggesting that the average user will validate themselves thousands of times a day? I think not. A system like IIALP is predicated on automated analysis of obvious 'attack' trends. If it needs a user, it'll never work (e.g., how many people view, understand, and care about ZoneAlarm popups? Not many).
      3. IIALP must include the input of actual infrastructure - mail servers, web servers, routers, firewalls, etc. etc. - in order to help protect said infrastructure. It won't work if it only gets input from end nodes with no services. Such systems, by definition, already have an overworked, underpaid admin who is not going to have time to 'validate' his systems reports.

      I have long thought about a system which has some similarities to IIALP, and have thought through some of the pitfalls. A system can be built which is based on the reports of nodes - but only if the nodes have credibility factors, strong encryption and non-repudiation, and the system is designed to cross-check and distrust node reports until thoroughly corroborated. It should weight systems according to their uses, and it should have limited scopes (e.g., what's attack info on my network, may not be on yours).
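The design sketched in this comment (credibility factors, non-repudiation, distrust until corroborated) also answers the drone objection in the parent post and the "I hope" thread above, and adding expiry addresses the never-removed-from-the-RBL complaint earlier in the discussion. As an added example, not the draft's design and not any commenter's code, here is a small Python aggregator in which each reporter holds a shared secret and a credibility weight, a target is listed only when enough credibility from at least two distinct /24 networks agrees, replayed or mis-targeted reports are rejected, and old reports age out. HMAC over the report fields stands in for a real signature scheme; the weights, threshold, TTL, /24 grouping and all addresses (documentation ranges) are assumptions.

```python
import hashlib
import hmac
import ipaddress
from collections import defaultdict


def sign_report(key, reporter, target, timestamp):
    """Reporter-side tag over the report fields (stand-in for a real signature)."""
    msg = f"{reporter}|{target}|{timestamp}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ReportAggregator:
    def __init__(self, list_threshold=1.5, ttl_seconds=86400, min_networks=2):
        self.list_threshold = list_threshold  # total credibility needed to list
        self.ttl = ttl_seconds                # reports older than this expire
        self.min_networks = min_networks      # distinct /24s that must agree
        self.keys = {}                        # reporter -> shared secret
        self.credibility = {}                 # reporter -> weight in [0, 1]
        self.network = {}                     # reporter -> its /24
        self.reports = defaultdict(dict)      # target -> {reporter: timestamp}

    def register(self, reporter, key, address, credibility):
        self.keys[reporter] = key
        self.credibility[reporter] = max(0.0, min(1.0, credibility))
        self.network[reporter] = ipaddress.ip_network(f"{address}/24", strict=False)

    def submit(self, reporter, target, timestamp, tag):
        """Accept only a validly tagged report from a known reporter, and keep
        one live vote per reporter per target: replays and floods from a single
        node add no weight."""
        if reporter not in self.keys:
            return False
        expected = sign_report(self.keys[reporter], reporter, target, timestamp)
        if not hmac.compare_digest(tag, expected):
            return False
        previous = self.reports[target].get(reporter)
        if previous is not None and timestamp <= previous:
            return False
        self.reports[target][reporter] = timestamp
        return True

    def _live(self, target, now):
        live = {r: t for r, t in self.reports[target].items() if now - t <= self.ttl}
        self.reports[target] = live  # expired reports drop out; listings are not forever
        return live

    def score(self, target, now):
        return sum(self.credibility[r] for r in self._live(target, now))

    def is_listed(self, target, now):
        networks = {self.network[r] for r in self._live(target, now)}
        return (self.score(target, now) >= self.list_threshold
                and len(networks) >= self.min_networks)


def demo():
    """Constructed scenario: two mail servers and a home firewall report one
    address; forty barely trusted nodes sitting in a single /24 report another."""
    agg = ReportAggregator()
    keys = {"mx1": b"k-mx1", "mx2": b"k-mx2", "fw-home": b"k-fw"}
    agg.register("mx1", keys["mx1"], "203.0.113.10", 0.9)
    agg.register("mx2", keys["mx2"], "198.51.100.20", 0.8)
    agg.register("fw-home", keys["fw-home"], "192.0.2.5", 0.3)
    for i in range(40):
        agg.register(f"drone{i}", b"k-drone", f"192.0.2.{100 + i}", 0.05)
    t0 = 1_000_000
    spam_src, victim = "192.0.2.77", "192.0.2.88"  # constructed targets
    for r in ("mx1", "mx2", "fw-home"):
        agg.submit(r, spam_src, t0, sign_report(keys[r], r, spam_src, t0))
    for i in range(40):
        r = f"drone{i}"
        agg.submit(r, victim, t0, sign_report(b"k-drone", r, victim, t0))
    # a tag produced for one target is rejected when presented for another
    forged = agg.submit("mx1", victim, t0, sign_report(keys["mx1"], "mx1", spam_src, t0))
    # replaying an already-counted report changes nothing
    replay = agg.submit("mx1", spam_src, t0, sign_report(keys["mx1"], "mx1", spam_src, t0))
    return {
        "spam_listed": agg.is_listed(spam_src, t0 + 60),
        "spam_score": round(agg.score(spam_src, t0 + 60), 2),
        "victim_listed": agg.is_listed(victim, t0 + 60),
        "victim_score": round(agg.score(victim, t0 + 60), 2),
        "forged_accepted": forged,
        "replay_accepted": replay,
        "spam_listed_after_ttl": agg.is_listed(spam_src, t0 + 86400 + 1),
    }


if __name__ == "__main__":
    print(demo())
```

The forty drones reach the same raw score as the three real servers, but they all sit in one network, so their target is never listed; the genuinely corroborated address is listed and then silently drops off once its reports pass the TTL. Drones spread across many networks with earned credibility would still get through, which is exactly the comment's point that credibility has to be earned and cross-checked rather than granted on registration.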

  16. Frontpage? by Anonymous Coward · · Score: 4, Funny

    A site about (internet) abuse logging... made in Front Page?
    (speechless)

  17. SPAM is a trademark of Hormel by alanxyzzy · · Score: 3, Informative
    SPAM in all upper case is a trademark of Hormel, and refers to their pork luncheon meat product. They request that when the term is used to refer to unsolicited bulk e-mail, it is not capitalised.

    IIALP allows for an infinite number of different types of annoyances to exist but has concise templates for common annoyances such as SPAM.
    One cannot take entirely seriously anyone proposing a new method of fighting net-abuse, who is not aware of this fact.