[37779] in North American Network Operators' Group
Re: Stealth Blocking
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Thu May 24 03:45:58 2001
Message-Id: <200105240530.f4O5U1e30305@foo-bar-baz.cc.vt.edu>
To: David Schwartz <davids@webmaster.com>
Cc: nanog@merit.edu
In-reply-to: Your message of "Wed, 23 May 2001 16:18:12 PDT."
<NCBBLIEPOCNJOAEKBEAKCEAEPEAA.davids@webmaster.com>
From: Valdis.Kletnieks@vt.edu
Date: Thu, 24 May 2001 01:30:01 -0400
Errors-To: owner-nanog-outgoing@merit.edu
On Wed, 23 May 2001 16:18:12 PDT, David Schwartz said:
> ORBS claimed originally to be a list of confirmed open relays, which it
> once was and nobody really complained too much. The problem is, some sites
> began getting complaints about the ORBS probers probing their networks. As a
> result, some large sites (like abovenet) blocked the ORBS probers. ORBS
> countered by blacklisting all of abovenet's address blocks, including all of
> their non-multihomed customers. This blacklisted thousands of machines that
> had no open relays.
Well.. half of this is a red herring.
The last time I checked (which was a re-check as I was writing this),
ORBS had different ways of listing "known open relay" and "unable to
check because of a block". Therefore, a carefully worded ORBS query
should result in no blacklisting of "thousands of machines that had no
open relays" (although of course, you would then not get a heads-up from
ORBS regarding an actual open relay in a blocked address block).
It's the site's decision whether it prefers false positives or false negatives.
See http://www.orbs.org/usingindex.html for details... lot of options there.
Flame-fests regarding ORBS probing should be redirected to /dev/null.
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
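As an added illustration of the point above (example code, not from the post or from ORBS), here is a DNSBL check that keeps "confirmed open relay" answers apart from "could not probe because the prober was blocked" answers, so the site's choice between false positives and false negatives is an explicit policy switch. The return codes, zone name and resolver are assumed placeholders, not ORBS's real values.

```python
# Added example: policy-aware DNSBL lookup. The answer codes below are ASSUMED
# placeholders; a real list operator documents its own return values.
import ipaddress

# Hypothetical mapping of DNSBL A-record answers to what they mean.
LISTING_MEANING = {
    "127.0.0.2": "open_relay",     # confirmed open relay
    "127.0.0.3": "probe_blocked",  # listed only because the prober was blocked
}

def reverse_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: reversed octets under the list zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone

def classify(answers: list) -> set:
    """Map the A records returned for a query to their meanings."""
    return {LISTING_MEANING.get(a, "unknown") for a in answers}

def should_reject(answers: list, accept_false_positives: bool) -> bool:
    """Reject confirmed relays always; reject 'probe_blocked' hosts only if
    the site has chosen to tolerate false positives over false negatives."""
    meanings = classify(answers)
    if "open_relay" in meanings:
        return True
    if "probe_blocked" in meanings:
        return accept_false_positives
    return False

# Constructed offline stand-in for DNS: canned answers for two query names.
FAKE_DNS = {
    "4.3.2.1.relays.example.test": ["127.0.0.2"],  # confirmed relay
    "8.7.6.5.relays.example.test": ["127.0.0.3"],  # prober blocked
}

def lookup(ip: str, zone: str = "relays.example.test") -> list:
    """Return the A records the (fake) DNSBL gives for this address."""
    return FAKE_DNS.get(reverse_name(ip, zone), [])

def check_sender(ip: str, accept_false_positives: bool = False) -> bool:
    """True if mail from this address should be refused under the policy."""
    return should_reject(lookup(ip), accept_false_positives)

if __name__ == "__main__":
    for addr in ("1.2.3.4", "5.6.7.8", "9.9.9.9"):
        print(addr, check_sender(addr), check_sender(addr, True))
```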