[105858] in North American Network Operators' Group

Re: a business opportunity?

daemon@ATHENA.MIT.EDU (Eric Brunner-Williams)
Sun Jul 6 00:38:24 2008

Date: Sat, 05 Jul 2008 21:37:18 -0700
From: Eric Brunner-Williams <brunner@nic-naa.net>
To: Paul Vixie <vixie@isc.org>
In-Reply-To: <19988.1215296731@nsa.vix.com>
Cc: nanog@merit.edu
Errors-To: nanog-bounces@nanog.org

paul,

in another universe, the inhabitants are attempting to find some policy 
for dealing with what i'll call a temporally inconsistent name to 
address mapping, at a single, and also a second level of indirection. of 
course, just about everything that's ever been written (and re-written) 
on nanog about reputation and partition, whether w.r.t. port 25, or 
ports 53 and 80, appears to me to be relevant in this other universe.

eric


Paul Vixie wrote:
>> The real solution to the scorched earth problem is for aging from
>> blacklists to be dynamic.
>>     
>
> if we were designing a full internet system with reputation as a feature,
> then no doubt it would be like you're describing.  however, reputation
> systems are a private action by private right of action and each one will
> have its own cost:benefit considerations.  this means while it might be a
> good design overall, blacklist aging has to be in the interests of
> particular blacklist operators and subscribers, or it won't happen.  it
> generally does not happen, since it costs more value than it produces from
> the point of view of a given blacklist operator or subscriber.
>
> i think there's an argument to be made that this is inevitable.  every time
> any ISP has enforced any kind of numerical limits on abuse by one of its
> customers (like first hit's free, three strikes and you're out, and so on)
> the abusers have either rotated through providers or through identities
> fast enough to make their business run in spite of the limits, or they have
> merely counted these slaps on the wrist as part of the cost of doing
> business.  this means if blacklist entries all aged out, then abusers and
> their ISPs would simply rotate through a long chain of address blocks, and
> we'd see a lot of address space consumed on the "waiting for reprieve" list
> but it would not change the overall abuse growth rate at all.
>
> that's not in the interests of individual blacklist operators or subscribers,
> who want to control abuse growth rate.
>
>   
>> There's been some work done @ SRI on using a weighting algorithm that
>> includes things like prevalence, persistence, and "badness", with a
>> Gaussian decay function as to time, to establish cut levels for what
>> should be blocked.
>>
>> Look at Phil Porras's work, and Usenix presentations.
>>     
>
> can you tell me, before i invest my own time in it, whether this work
> accounts for the inevitable rebalancing and planning adjustments that the
> abusers will make if each proposed policy were rolled out?  i fear that
> most studies in this area treat abuse like it was a natural phenomenon and
> not the self-organized well-motivated thievery that it is.  abusers aren't
> going to sit still while we wrap them in a gaussian decay function.
>
>
>   
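
Added example, not part of the original messages and not the SRI algorithm: a sketch of a blacklist score that combines prevalence, persistence and "badness" with a Gaussian decay in time and a cut level, run over constructed reports in which one source rotates through four address blocks. The weighting, the `sigma` and `cut` values and every name here are assumptions made for illustration.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Report:
    source: str     # address block being reported
    reporter: str   # sensor or subscriber that saw the abuse
    day: int        # day of the observation
    badness: float  # severity, 0..1 (assumed scale)

def decay(age_days, sigma):
    """Gaussian decay in time; sigma=math.inf means entries never age."""
    return math.exp(-(age_days ** 2) / (2 * sigma ** 2))

def score(reports, source, now, sigma):
    """Time-decayed badness, scaled by prevalence and persistence."""
    seen = [r for r in reports if r.source == source and r.day <= now]
    if not seen:
        return 0.0
    prevalence = len({r.reporter for r in seen})   # distinct reporters
    persistence = len({r.day for r in seen})       # distinct active days
    weighted = sum(r.badness * decay(now - r.day, sigma) for r in seen)
    return weighted * math.log1p(prevalence) * math.log1p(persistence)

def blocked(reports, now, cut, sigma):
    """Sources whose score is at or above the cut level on day `now`."""
    sources = {r.source for r in reports}
    return sorted(s for s in sources if score(reports, s, now, sigma) >= cut)

# Constructed data: blocks blk0..blk3 are each active for three days in
# turn (days 0-2, 3-5, 6-8, 9-11) and reported by two sensors every day.
REPORTS = [Report(f"blk{i}", rep, 3 * i + d, 0.8)
           for i in range(4) for d in range(3) for rep in ("s1", "s2")]

if __name__ == "__main__":
    for sigma in (5.0, math.inf):       # with aging / without aging
        for now in (11, 30):
            print(f"sigma={sigma} day={now}:",
                  blocked(REPORTS, now, cut=1.0, sigma=sigma))
```

With aging (`sigma=5.0`) every block is off the list again by day 30; with no aging (`sigma=math.inf`) all four stay listed.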


