North American Network Operators Group


Re: BL of Compromised Hosts?

  • From: Robert E. Seastrom
  • Date: Sun Feb 22 18:22:58 2004

"Michel Py" <[email protected]> writes:

> There is a regrouping of BGP feeds for various "questionable" hosts and
> networks around AS29467; read
> http://arneill-py.sacramento.ca.us/draft-py-idr-redisfilter-01.txt and
> feel free to contact the authors. 

It behooves the prospective user of said feed to read and understand
draft-py, carefully research the pedigree of the data sources that go
into the soup, and draw his own conclusions - taking as conservative
and discriminating an approach as he deems necessary in terms of what
he accepts.

I anticipate wide variance in the quality of feeds provided, based on
previous conduct of the proposed initial participants.  As the primary
author has said in a private communique, "it's like RBL mailing lists:
there are good and bad ones".  Unfortunately, my reading of draft-py
is that in this case, they're to be rolled up into a single feed,
discernable only by community.  I believe that's a step away from
goodness.

Wait, you say, filtering routes is easily done by any experienced
user, right?  Well, yes.  Not everyone's an experienced user, though.
My primary concern here is one of education; the danger with a roll-up
feed such as this one is that the default case is to accord equal
credence to every blacklist; the naive end-user would discover that
not only had he signed up for the spiritual equivalent of MAPS
(conservative, responsive, and responsible) but also SPEWS
(hard-to-reach, petty, vindictive, and probably going to list my home
mail server or maybe my whole /24 in retaliation for casting them in
a negative light in a public forum).  Of course, the RBL-consumer will
learn about this when his customers call.  Surprise, surprise,
surprise...

> The different sources have different but commonly known communities.

... which are undocumented in draft-py itself, and among the URLs
listed in Section 2 for more information, only Team Cymru offers a BGP
community advisory on their web page.  So, I must not be part of the
"in-crowd" to know these "commonly known" communities...

                                        ---Rob
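As an added illustration of the "discriminating approach" urged above (not part of the original post or of draft-py), here is a Cisco IOS-style inbound policy that accepts routes from the roll-up feed only when they carry the community of a source the operator has vetted, and drops the rest by default. The community value, AS numbers other than 29467, and addresses are placeholders, and it assumes the accepted routes are used to discard traffic to the listed hosts.

```cisco
! Inbound policy for routes learned from the roll-up feed (AS29467 per the post).
! 29467:1000, AS 64496 and the 192.0.2.0/24 addresses are placeholders, not
! values from draft-py. Only routes tagged with the community of a vetted
! source are accepted; everything else on the session is denied (default deny
! rather than the naive default accept). Accepted routes are also limited to
! /24 or longer, capped in number, and pointed at a discard next-hop.
ip bgp-community new-format
ip community-list standard VETTED-SOURCE permit 29467:1000
!
ip prefix-list FEED-LEN seq 10 permit 0.0.0.0/0 ge 24
!
! Discard route so that the next-hop set below drops traffic.
ip route 192.0.2.1 255.255.255.255 Null0
!
route-map FROM-ROLLUP-FEED permit 10
 match community VETTED-SOURCE
 match ip address prefix-list FEED-LEN
 set ip next-hop 192.0.2.1
 set local-preference 50
!
! No other source's community is trusted until it has been checked out.
route-map FROM-ROLLUP-FEED deny 20
!
router bgp 64496
 neighbor 192.0.2.254 remote-as 29467
 neighbor 192.0.2.254 route-map FROM-ROLLUP-FEED in
 neighbor 192.0.2.254 maximum-prefix 5000
```

Adding a second vetted source means adding its community to VETTED-SOURCE deliberately, which is the review step a single undifferentiated feed would otherwise skip.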