
IIALP - Abuse Logging Protocol

George Davey sent us a press release about abuselog.org, a site for the development of a generalized protocol for logging internet annoyances and abuses to a set of central servers, which could then be queried to find out which IPs are luserish.
  • by grub ( 11606 ) <slashdot@grub.net> on Tuesday July 13, 2004 @03:31PM (#9690450) Homepage Journal

    which could then be queried to find out which IPs are luserish.

    Interesting: 66.35.250.150 and 66.35.250.151 are the only entries. Truly uncanny AI.
    • by Anonymous Coward
      Great links on this one. I mean there's absolutely nothing there, except for a couple of guys whose phone numbers are going to get called a hundred times now.

      For some record types the condensed records might be compressed
      in a supported compression format for that template set.
      A template set is a specification set for a template format for
      a full and a condensed record pair.
      Supported compression types will likely be added as new
      technologies arise.

      Encoding is necessary for SPAM
    • Re:that's cool! (Score:5, Informative)

      by strictnein ( 318940 ) * <strictfoo-slashd ... m ['hoo' in gap]> on Tuesday July 13, 2004 @03:36PM (#9690524) Homepage Journal
      Am I missing something? There seems to be absolutely nothing interesting to even look at for this site.

      Web site for the Iowa Internet Annoyance Logging Protocol (IIALP) Working Group.
      IIALP is pronounced: E'-alp.

      A copy of the current IETF "Internet-Draft" which represents a work in progress for IIALP is here:
      http://www.ietf.org/internet-drafts/draft-davey-iialp-01.txt [ietf.org]

      RTF versions of all the internet-draft work in progress revisions are here:
      http://www.abuselog.org/Documents/00/draft-davey-iialp-00.rtf [abuselog.org]
      http://www.abuselog.org/Documents/00/draft-davey-iialp-01.rtf [abuselog.org]

      Next Revision Peak Ahead:
      Working on the sample templates and template root structure

      Your comments are welcome, please email your comments to the email address shown below:
      Make sure to include IIALP first in the subject line followed by the actual subject.
    • We already have an RFC [rfc.net] for the security flag in the IPv4 header (AKA "Evil Bit").
  • I hope (Score:5, Insightful)

    by jb.hl.com ( 782137 ) <<ten.niwdlab-eoj> <ta> <eoj>> on Tuesday July 13, 2004 @03:32PM (#9690466) Homepage Journal
    There's some form of verification.

    In and of itself, this could be very easily abused by, say, people with a grudge who want to essentially get someone else an internet death penalty.
    • of course not. That would be addressed by IIALPALP (abuse logging proto of the abuse logging proto.) It is in the drafts. :)
    • Re:I hope (Score:5, Interesting)

      by MobyDisk ( 75490 ) on Tuesday July 13, 2004 @03:57PM (#9690770) Homepage
      This is very important. Slashdot periodically posts stories about RBLs that add people, but never remove them. As horrible as it is to think, I wonder if some sort of legislation (governmental, ICANN, or otherwise) is necessary to keep these systems fair.

      I recently had Comcast shut down my port 25 access due to spam reports. Of course, they refused to tell me who reported me or what they reported, so even giving them logs of my outgoing port 25 access from a sniffer isn't enough for them to remove the mark from my record. (However, if I tell them I went to Windows update and ran a virus scanner they enable my access again. Nevermind that Windows Update doesn't do much on my Linux box. :-) )
      • Wow. That really sucks. If I were Comcast, anybody who asks for port 25 to be opened is either a code jockey type, in which case you should open it, or the world's most brazen spammer, in which case he should be arrested.

        So tell 'em you've upgraded your operating system (true enough) and hopefully whatever typo screwed you in the first place won't happen again.
      • Re:I hope (Score:4, Interesting)

        by jdreed1024 ( 443938 ) on Tuesday July 13, 2004 @04:52PM (#9691271)
        As horrible as it is to think, I wonder if some sort of legislation (governmental, ICANN, or otherwise) is necessary to keep these systems fair.

        I recently had Comcast shut down my port 25 access due to spam reports. Of course, they refused to tell me who reported me or what they reported, so even giving them logs of my outgoing port 25 access from a sniffer isn't enough for them to remove the mark from my record.

        And for starters, we could use some legislation requiring cable companies to treat all customers equally, regardless of how much they're paying. If you have a business account for cable modem service, they'll forward you reports of spam or other abuses (ie: port scanning from your machine), and they'll bend over backwards to help you, and if you say "there is no way this is my machine", they'll actually accept it on the first try and push the complainant to give more details or more proof.
        (yes, I know legislation for that will never work, but it's most unfortunate that end users can get screwed more easily just because they're paying less. I mean, the power company won't ignore your report of a blackout just because you don't keep your lights and A/C on 24 hours a day)

        • And for starters, we could use some legislation requiring cable companies to treat all customers equally, regardless of how much they're paying

          You're new to the country aren't you? ;)
        • Re:I hope (Score:2, Insightful)

          by wkcole ( 644783 )
          And for starters, we could use some legislation requiring cable companies to treat all customers equally, regardless of how much they're paying.

          That is a sure way to legislate that they charge everyone the same price and offer exactly one level of (lousy) service.

      • Re:I hope (Score:4, Informative)

        by Ayaress ( 662020 ) on Tuesday July 13, 2004 @05:19PM (#9691494) Journal
        My DSL company did something similar to me, although it was pure dumbass, and not malice on anybody's part. I'm on a dynamic IP system, so every time I disconnect and then reconnect, I have a different IP. Never causes much problem, since I don't do anything at home that would require me to have a static IP. Anyway, the local police made a big bust on a guy selling child pornography on a webserver in the back room of his office (the guy's a pediatrician). The police got a good couple hundred IP addresses from logs. Most of them were out of their jurisdiction, so they sent them on to somebody else. But a half-dozen or so were right here in town. They go to the ISPs, and try to get the names of the users behind said IPs. My ISP was more than happy to cooperate on something like this, so they had somebody look up the logs and figure out who had such-and-such address at the time stated (it was something like 4 AM on a Tuesday). Anyway, it comes up with my name. I had some pretty awkward conversations with police, neighbors, parents, etc for a while until I get a call one day. The dumbass ISP must have entered the wrong search query or something, because as it turned out, that was my IP at 4AM on a Tuesday - just a month earlier.
      • Re:I hope (Score:2, Insightful)

        by wkcole ( 644783 )

        This is very important. Slashdot periodically posts stories about RBLs that add people, but never remove them. As horrible as it is to think, I wonder if some sort of legislation (governmental, ICANN, or otherwise) is necessary to keep these systems fair.

        There is a pair of ID's on DNSBL technical details [ietf.org] and best practices [ietf.org] which seems to me more than enough. Actual law would be hopelessly unenforced window-dressing (see the millions of spamming zombies around the USA? Every one is a federal felony in pro

      • I think the worst of those RBLs is the Blars [blars.org] one. The guy is a pompous ass who has serious attitude problems. I already had to spend hours getting our newly-assigned IP off of a dozen other lists, and they had fully-automated systems to verify that my system wasn't a spamhouse. He doesn't even accept removal requests without payment! Sounds like a blackmail scheme to me. I basically figured that I shouldn't need to worry about someone like that, but that kind of disregard for the social contracts of the Int

        • I agree that the Blars RBL is a very high collateral damage list since it lists netblocks and not single IP addresses. Blars maintains the RBL himself and so there are no automated methods of adding or removing IP addresses. It is definitely not a list a service provider should be using for blocking email.

          Also, if your "newly-assigned IP" was already on "several dozen" other lists then your service provider probably doesn't have a very strong anti-spam enforcement policy. As well, your service provider pro
      • As horrible as it is to think, I wonder if some sort of legislation (governmental, ICANN, or otherwise) is necessary to keep these systems fair.

        And once again, restriction of free speech in the name of "fairness" rears its ugly head...

        I recently had Comcast shut down my port 25 access due to spam reports.

        The proper thing to do in this case is to stop patronizing Comcast -- or, alternatively, live with it, if it's not that important to you. Telling the government to handle it for you is generally not the

        • Re:I hope (Score:3, Interesting)

          You seem to misunderstand, the grandparent asks if it is necessary that the government needs to put restrictions on "banning free speech", not on "free speech" itself. The way internet abuse is handled currently, it is not unimaginable that in the not so far future you can effectively kick someone off the internet with one anonymous phonecall to a non-accountable agency, with the victim not having any recourse than to switch providers. Rinse, lather, repeat.

          However, if your version of "free speech" include

          • Re:I hope (Score:3, Insightful)

            by aardvarkjoe ( 156801 )
            My version of free speech includes the freedom to publish a list of IPs -- because I think they are spamming, or for any other reason. That infringes on nobody's right to speech. Unfortunately, most people seem to think that "free speech" means "speech I agree with."

            Incidentally, this is separate from Comcast's right to use their private equipment as they see fit -- which is what blocking ports based on spam reports is.

      • The IIALP log files have a TTL value that auto-expires the logs based on the specifications which are unique for each abuse type. The TTL is specified by the root servers for each template (abuse) type. So they won't end up on a list for a year unless the TTL is 1 yr. And remember it is only a log not a block list, if you choose to block based upon the logs, then that is a separate issue. The TTL may be different if the real-time flag is set on the abuse log entry vs. if the real-time flag is not set. Th
      • A pre-emptive DDOS protection mechanism needs further work and is in the plan to be implemented soon.
      • stories about RBLs that add people, but never remove them.
        My State KEeping Milter [virtual-estates.net] maintains temporary blocks and automatically removes even the "permanent" bans, which are not triggered for a specified period of time....
    • Re:I hope (Score:4, Interesting)

      by Scoria ( 264473 ) <slashmail AT initialized DOT org> on Tuesday July 13, 2004 @04:03PM (#9690812) Homepage
      Touché. PKI is probably applicable here.

      If this group is merely validating complaints by including only those that have been submitted on many different occasions by unique hosts, then a malevolent individual could hypothetically establish a distributed network of compromised machines - perhaps by deploying an Internet worm - and then submit his false complaint, thus circumventing that precaution.
    • Remember it is a protocol not a law. What you do with it is your responsibility. It will be a great tool to see Internet abuse records without an act of congress needed or without large administrative efforts.
    • I've got a better idea. Why not propose a standard abuse@domain way to report abuses? A human has to look over them anyway, and it's gonna be the ISP, so why should we make up some new scheme to capture the complaints? Just give me an abuse address and a responsive abuse department and I'm fine, thanks.

      I'll take a human with soft skin over a machine that pretends to be smart.

    • Because the IIALP protocol uses templates which are different for each type of abuse, they can be somewhat self verifying. e.g. if you fill in all the blanks and you have permission to submit to the IIALP server you are affiliated with, IIALP only logs it does not block, when you use IIALP to block, YOU would need to verify the validity of the records as well as use the white list and black list features which are both global and template specific.
  • by Anonymous Coward
    Should I log myself?

    Trolls untied!
  • DHCP and MAC (Score:4, Interesting)

    by CaptainPinko ( 753849 ) on Tuesday July 13, 2004 @03:35PM (#9690506)
    How will this work with DHCP where the IP address is not constant at all. How about using the MAC address of the card? At least it's something that can't be cheaply replaced (I get a different IP every time I log on) or at least not by the majority of people.
    • Re:DHCP and MAC (Score:5, Informative)

      by Feyr ( 449684 ) * on Tuesday July 13, 2004 @03:38PM (#9690546) Journal
      how about the fact that you can't see the MAC address past the first hop? or the other that MAC addresses aren't (and don't need to be) guaranteed to be globally unique?
      • The basic problem being that MAC and individual IP addresses can be changed on a whim in many networks, how about just a general indicator/record for netblocks?

        People could complain about an IP, but have the complaints automatically assigned as knocks against the ARIN the IP falls in.

        Core BGP routers could be set to a particular threshold level of complaints, after which they'd drop their routes to that ARIN for a set period of time, in some sort of back-off protocol.

        Of course, this doesn't solve the dis
        • That would be fantastic. Just like how I was trying to get an important email to someone earlier this week, and the IP blocks of all three of my sending mail servers were all blocked by some indiscriminate anti-spam relay.
    • Re:DHCP and MAC (Score:5, Interesting)

      by djh101010 ( 656795 ) * on Tuesday July 13, 2004 @03:38PM (#9690550) Homepage Journal
      Yeah, because the MAC address is so hard to change. ifconfig on some systems can do it, and a D-Link router can assume any MAC you'd like it to.
      • Yeah, but he still has a point: IPs are much worse than MAC addresses in that regard. Logging IPs to identify anything is a silly idea.
        • Not true. IP addresses have to be unique. Not true of Mac addresses.
          • Re:DHCP and MAC (Score:4, Interesting)

            by Pieroxy ( 222434 ) on Tuesday July 13, 2004 @04:52PM (#9691276) Homepage
            They have to be unique, but they can be dynamic!!! I don't know of any Mac address that could be dynamic (Well, you can always write a little daemon that changes the Mac address of your router/nic, but you'd have to write it). So in that regard, identifying people by their Mac address makes more sense than by their IP. But I agree that both make a pretty weak identification anyways.
          • While it is true that ethernet addresses don't have to be unique worldwide, only within a broadcast domain, they are supposed to be unique.

            The card manufacturers are given prefixes to use in the MAC of cards they make, and are supposed to not manufacture two cards with the same MAC. In practice, it happens, and you can usually just set a MAC address anyway. This is just a bit of trivia, however, in regard to why the MAC cannot be used for this purpose.

            The reason the suggestion to use a MAC address won
    • Your MAC address doesn't make it out onto the internet, AFAIK. The MAC is used to deliver packets on the same ethernet segment.

      Simon
    • Re:DHCP and MAC (Score:3, Informative)

      by ak_hepcat ( 468765 )
      Your MAC address can be spoofed.

      It's also only 'guaranteed' unique on the local broadcast segment. In quotes, because somebody could spoof yours and receive all your traffic.

      Sure, you could log it. It's just not as secure an identifier as you think it is.
    • the bin of $7 ethernet cards at any used computer store seems cheap enough if you're in a hurry.
    • In any case, your DHCP assigned IP will be extracted from the same pool of IP's. If tracked, this project might at least pinpoint service providers that don't do enough to prevent abuse.
    • MAC addresses are changed simply with one common command.
      You aren't a Linux user, are you?
      I wrote the command into my startup script ever since my college banned my laptop's MAC address.
    • Well, you could implement a method for ISPs to publicly associate IPs with user IDs. I don't think it's a good idea, though, as vigilante action seems too likely.

      I mean, sure, so guy A pisses off guy B in a chatroom or online game, so guy B sets his zombies to DDOS guy A's IP. (That's happened to me, as guy A.) Change that to "guy B sets his zombies to DDOS guy A, whatever his IP may become".

      And then there's privacy issues, where someone may decide to deal with the problem in person.

      Sure, some vigilant
    • Gee because all DHCP addresses are already pretty much listed as suspicious. Beyond that it's so so trivial to change a MAC address on any modern gear.
    • Routers don't forward the MAC addresses of the communicating nodes. That's the beauty of a stacked protocol like TCP/IP.

    • The timestamp of the abuse is recorded in the abuse log. The ISP of the reported abuser can look up who had a given DHCP address at a given time. I think they already have to keep these kinds of logs.

      You're right though that reporter probably only has access to the IP of the abuser. If the abuser is a website, you obviously have the domain name. If we're talking about comcast zombies, you'd either need the abuser's ISP's cooperation, or the complaint gets applied to the ISP's entire subnet.

      A possible solu
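The lookup this comment describes, and the wrong-month mix-up reported earlier in the thread, both hinge on matching the full timestamp, time zone included, against the lease history. The following is an added example, not part of any comment and not from the IIALP draft; the lease table, subscriber labels and the 192.0.2.44 address are constructed, and only the timestamp format is taken from the web-log line quoted elsewhere in the thread.

```python
from bisect import bisect_right
from datetime import datetime, timezone

CLF = "%d/%b/%Y:%H:%M:%S %z"  # Apache common-log time, e.g. 12/Jul/2004:16:31:04 -0700


def parse_clf_time(stamp):
    """Parse a common-log timestamp and normalise it to timezone-aware UTC."""
    return datetime.strptime(stamp, CLF).astimezone(timezone.utc)


def utc(year, month, day, hour):
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


class LeaseLog:
    """Per-IP lease history; each lease covers the half-open interval [start, end)."""

    def __init__(self, leases):
        self._by_ip = {}
        for ip, start, end, subscriber in leases:
            self._by_ip.setdefault(ip, []).append((start, end, subscriber))
        for rows in self._by_ip.values():
            rows.sort()

    def holder(self, ip, when):
        """Return who held `ip` at the instant `when`, or None if no lease covers it."""
        if when.tzinfo is None:
            # A bare clock time cannot be placed on the lease timeline safely.
            raise ValueError("timestamp must carry a UTC offset")
        rows = self._by_ip.get(ip, [])
        i = bisect_right([start for start, _, _ in rows], when) - 1
        if i >= 0 and rows[i][0] <= when < rows[i][1]:
            return rows[i][2]
        return None


# Constructed lease history for one dynamic address (all times UTC).
LOG = LeaseLog([
    ("192.0.2.44", utc(2004, 6, 12, 20), utc(2004, 6, 13, 6), "subscriber-A"),
    ("192.0.2.44", utc(2004, 7, 12, 10), utc(2004, 7, 12, 23), "subscriber-B"),
    ("192.0.2.44", utc(2004, 7, 12, 23), utc(2004, 7, 13, 8), "subscriber-C"),
])


def holder_at(ip, stamp):
    """Correct lookup: honour the date and the UTC offset in the report."""
    return LOG.holder(ip, parse_clf_time(stamp))


def holder_ignoring_offset(ip, stamp):
    """Faulty lookup kept for comparison: drops the offset and assumes UTC."""
    local = datetime.strptime(stamp.split()[0], "%d/%b/%Y:%H:%M:%S")
    return LOG.holder(ip, local.replace(tzinfo=timezone.utc))


if __name__ == "__main__":
    report = "12/Jul/2004:16:31:04 -0700"
    print("correct:", holder_at("192.0.2.44", report))
    print("offset ignored:", holder_ignoring_offset("192.0.2.44", report))
    print("same clock time, month earlier:",
          holder_at("192.0.2.44", "12/Jun/2004:16:31:04 -0700"))
```
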
    • How about using the MAC address of the card? At least it's something that can't be cheaply replaced

      I have a Linksys wireless router with (4 wired ports) between the computers in my household and our DSL connection. All internet traffic goes through the router; all the computers on the internal network have non-routable 192.168.1.x IP addresses assigned to them by the router using DHCP. I can connect to the router's management interface just as if it were a website by using its default 192.168.1.1 addre

    • I do believe you are missing the scope of IIALP here. Layer 2 and layer 3 network abuse templates could both be created. Usually layer 2 network abuse is caused by poor administration of the network, but because it concerns you it will be given some more thought as we move forward. IIALP can have an infinite number of abuse template types, for each type of abuse be it Layer 2 or 3. But as the name applies, the Internet is layer 3, so IIALP is primarily a layer 3 tool. Having said that, there is already in t
  • a site for the development of a generalized protocol for logging internet annoyances and abuses

    I wonder if slashdot will ever use this, for controlling the trolls and ACs?

  • Comment removed (Score:4, Insightful)

    by account_deleted ( 4530225 ) on Tuesday July 13, 2004 @03:36PM (#9690522)
    Comment removed based on user account deletion
    • Yep, adelphia cable seems to base your IP address on your MAC address. If I need to change my IP address I just change my routers MAC address, sometimes my subnet even changes.
  • by Neil Blender ( 555885 ) <neilblender@gmail.com> on Tuesday July 13, 2004 @03:37PM (#9690538)
    Our firewalls get port scanned many times daily. Our weblogs are filled with this kind of garbage:
    63.189.X.196 - - [12/Jul/2004:16:31:04 -0700] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\ x

    I could probably contribute a thousand IPs from last month alone.
    • And they're probably all 14 year old dweebs on a dial up connection that changes IP every time the idiot gets called by his mother.

      This is a stupid idea and, if they're serious, the people who are proposing it are stupid for doing so.

    • Our firewalls get port scanned many times daily. Our weblogs are filled with this kind of garbage: 63.189.X.196 - - [12/Jul/2004:16:31:04 -0700] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\ x

      yes, I have it too. wtf is that?
    • The port scan and real-time attributed log records IIALP template design is going to be a tricky and meticulous process to design. I guess the best way to put this is if IIALP were in use in let's say, zone alarm version xyz, novice Internet users always say, "what is all that stuff attacking my firewall." "Who are they?" well if Zone alarm was using IIALP, it could append a complaint quantity to the IP so as to show the novice user that this is not your neighbor trying to share files, but it is a malicious
    • Port scanning is legitimate, harmless investigative activity (unless it is part of a Denial-of-Service attack, but that applies to all forms of connection anyway - obviously, you can be DOSsed with half-pings or even GRE packets).

      Are you going to claim you never have to port-scan in order to solve a problem? C'mon, man, get a grip. Sometimes even end-users have a legitimate need to portscan! Log it and move on, the real bad guys don't stop with a simple port-scan.
      • Are you going to claim you never have to port-scan in order to solve a problem?

        No. But I have never legitimately port scanned any network other than my own (ie work and home).
        • I have. And I've solved many problems for people by doing so; it's a valid investigative technique, and it's foolish to equate port-scanning with malicious intent.

          Look at it this way: All the people that ever attempted to crack your security breathe air. Obviously, punishing people for breathing air makes no sense... just because it's a prerequisite activity to cracking your system does not mean that in and of itself it's a bad thing. Portscanning, same same.

          Within the next few hours I will be portsca
  • by UnderAttack ( 311872 ) * on Tuesday July 13, 2004 @03:37PM (#9690543) Homepage
    There are too many 'incidents exchange', 'intrusion detection', 'log', 'firewall log' standards to count. Many of them IETF drafts. IDMF has a little bit of traction. There is one format the music industry came out with to ease notifications of ISPs....

    Do we need yet another "standard", or do we just need ISPs that are actually reading/handling any kind of abuse notice. Some are great about this, but others just route them to /dev/null.

    • The nice thing about standards is that there are so many to choose from.
    • Speaking as someone that handles abuse@, I'll say
      that anything that standardizes complaint formats is a good thing (as
      long as everyone uses it of course). I have written several tools to
      automate abuse handling so that I can keep up with it (when "virus of
      the week" hits or a spammer signs up with a customer's customer; these
      aren't really preventable things), but that is time consuming. I'm
      trying to handle (in at least a semi-automatic way) AOL's feedback loop,
      SpamCop, DShield, SecurePipe, and myNetWatchman
    • IIALP is not an incident exchange format, but INCH is, IIALP is like dshield.org on steroids. The problem is a lot of the exchange attempts are too narrow and fail. dshield.org is great for port scans tracking. IIALP is more infinite because it is based on an infinite set of templates that get created for each new type of abuse, and mostly because it is a protocol not a website.
  • 4/1 (Score:4, Interesting)

    by rabel ( 531545 ) on Tuesday July 13, 2004 @03:38PM (#9690547)
    The annoyance logs on a particular IIALP Server are condensed and forwarded up the IIALP hierarchy to central Root IIALP Servers for central annoyance queries.

    Come on... this is a joke, right? After annoyance queries, we can move on to annoyance mining and then the troll database and the lousy-speller's database with new improved SQL (Soundex Query Language for the spelling-impaired).

    Annoyance queries? Pshaw.
  • IOWA IALP (Score:1, Flamebait)

    by lintocs ( 723324 )
    If I had known the first "I" was for "IOWA", I wouldn't have clicked through on this one.
  • TVP (Score:4, Funny)

    by Anonymous Coward on Tuesday July 13, 2004 @03:43PM (#9690610)
    Tiny Violin Protocol.
  • 127.0.0.1 (Score:4, Funny)

    by MosesJones ( 55544 ) on Tuesday July 13, 2004 @03:43PM (#9690614) Homepage
    Always appear to have the most crap on it of any system I see, the bugger is always falling over and it's never the same site when I look back a few months later.

    And why oh why does the owner of this "localhost" system insist on using non-standard ports all the time.
  • by Ex Machina ( 10710 ) <jonathan.williams @ g m a i l . c om> on Tuesday July 13, 2004 @03:45PM (#9690633) Homepage
    I'm browsing the RFC, and it sounds like they're planning on having people's firewalls spit out IIALP messages in response to port scans, etc. In my opinion, this is a really bad idea! Worm activity, someone running a stupid automated scan against an entire class A (whoooops!) by mistake, or a port scan trying to locate a particular machine whose ip has changed (which I have had to do), etc need to be differentiated from actual malicious activities. I can see this being used by overzealous admins to try to drop ALL traffic at the firewall level from anyone *ever* who gets a complaint propagated to them via this. Also, does anyone really expect their STUPID!@!!@ .log TLD proposal to be accepted?!??!! Jeez, everyone knows that this will never go through. Why do people insist on changing DNS, creating namespace pollution or breaking some other protocol (SMTP for a lot of spam "spolutins") for every problem facing the net!
    • Also, does anyone really expect their STUPID!@!!@ .log TLD proposal to be accepted?!??!!

      Totally. We've been waiting since 1990 - 1990! for this [faqs.org], which seemed so great for so long, but sadly never was adopted.

      :)

    • I'm browsing the RFC, and it sounds like they're planning on having people's firewalls spit out IIALP messages in response to port scans, etc. In my opinion, this is a really bad idea!

      You don't know the half of it. Slashdot actually port scans every computer that posts anonymously looking for proxies. If this protocol went into effect, Slashdot would be at the top of the list, continually proxy scanning the hundreds of anonymous posters it gets per minute [slashdot.org]. If ISPs implemented it, no one would even be able

      • Each abuse type has its own template to minimize false positives. Obviously, the port scanning template will need to be very exact and there will need to be many types of port scan templates. IIALP does not block anything it can be used as another tool for watching your Internet backside.
  • by Anonymous Coward

    Oh, it'd still be created, it just wouldn't evolve.
  • Senator McCarthy rises from the grave to bring us his Internet blacklist!

    I don't see this going anywhere useful, that's all.

    -Erwos
  • by Anonymous Coward
    ..a database of Slashdot users? /. effect beware! :p
  • Two words: (Score:4, Funny)

    by Anixamander ( 448308 ) on Tuesday July 13, 2004 @04:00PM (#9690790) Journal
    Evil bit.
  • by IGnatius T Foobar ( 4328 ) on Tuesday July 13, 2004 @04:01PM (#9690799) Homepage Journal
    I would like to submit my first abuse entry. The IP network 131.107.0.0/16 repeatedly pushes onto the Internet a combination of viruses (such as one called "Windows"), spyware (such as one called "Internet Explorer"), and hate speech (particularly against the Linux community).

    All network administrators should blackhole this address space.
  • Soon a reality... how exciting...
  • by bourne ( 539955 ) on Tuesday July 13, 2004 @04:02PM (#9690803)

    Having just skimmed the draft, there's a fatal flaw with this solution. To quote:

    The idea is that no one person can make a big impact to the Root IIALP Servers but a million people all annoyed by the same SPAM can make a huge impact.

    However, they don't seem to address the idea that one person controlling a million drones that send spam today... can control a million drones that submit IIALP reports about, say, cnn.com tomorrow, resulting in a DOS from all the sites that block based on the IIALP lists. They rely upon the reports of end-users, but do not take into account the fact that massive volumes of "end-user" machines are compromised and usable as drones for whatever nefarious uses their 0wner wants.

    In short, their anti-spoof assumes individual malicious user endpoint hosts. If the malicious users on the Internet were limited to individual endpoint hosts, we wouldn't need solutions like IIALP!
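The weakness described in this comment, and in the earlier one about validating complaints by counting unique hosts, shows up as soon as a consumer of the logs compares a raw reporter count with a count that limits how much any one submitting server can contribute. This is an added example, not part of the comment or of the IIALP draft: the per-server cap is one possible consumer-side mitigation chosen for illustration, the TTL values stand in for the per-template TTLs mentioned elsewhere in the thread, and every address and server name is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed TTLs per template type; the thread says the root servers would set these.
TEMPLATE_TTL = {"spam": timedelta(days=30), "portscan": timedelta(days=7)}
NOW = datetime(2004, 7, 13, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Report:
    target: str          # address being complained about
    reporter: str        # address of the end user who filed the report
    server: str          # IIALP server that accepted and forwarded the report
    template: str        # abuse type
    logged_at: datetime


def live(reports, now):
    """Keep only entries whose template TTL has not run out."""
    return [r for r in reports
            if r.logged_at <= now and now - r.logged_at < TEMPLATE_TTL[r.template]]


def naive_score(reports, target, now):
    """Count distinct reporting hosts: the validation the comments above criticise."""
    return len({r.reporter for r in live(reports, now) if r.target == target})


def capped_score(reports, target, now, per_server_cap=5):
    """Count distinct reporters, but let each submitting server add at most the cap."""
    by_server = defaultdict(set)
    for r in live(reports, now):
        if r.target == target:
            by_server[r.server].add(r.reporter)
    return sum(min(per_server_cap, len(hosts)) for hosts in by_server.values())


def build_sample(now):
    """Constructed data: a framed victim, a genuinely reported host, expired entries."""
    reports = []
    # 1000 compromised hosts behind two servers all report the same victim.
    for i in range(1000):
        reports.append(Report("192.0.2.10", f"10.0.{i // 250}.{i % 250 + 1}",
                              f"iialp-{i % 2}.example", "spam",
                              now - timedelta(days=1)))
    # 30 independent users spread over 15 servers report a real spam source.
    for i in range(30):
        reports.append(Report("198.51.100.7", f"203.0.113.{i + 1}",
                              f"isp-{i % 15}.example", "spam",
                              now - timedelta(days=2)))
    # 40 port-scan reports that are older than the port-scan TTL.
    for i in range(40):
        reports.append(Report("198.51.100.99", f"203.0.113.{100 + i}",
                              f"isp-{i}.example", "portscan",
                              now - timedelta(days=8)))
    return reports


SAMPLE = build_sample(NOW)

if __name__ == "__main__":
    for target in ("192.0.2.10", "198.51.100.7", "198.51.100.99"):
        print(target, naive_score(SAMPLE, target, NOW),
              capped_score(SAMPLE, target, NOW))
```

The cap only bounds what a single submitting server can add; reports spread across many servers still accumulate, so a consumer that blocks on these scores needs its own verification as well.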

  • Frontpage? (Score:4, Funny)

    by Anonymous Coward on Tuesday July 13, 2004 @04:17PM (#9690935)
    A site about (internet) abuse logging... made in Front Page?
    (speechless)
  • Am I the only one who went to check if verisign was first on the list? :-P
  • He meant:
    ... abuselog.org, a site for the development of a generalized protocol for logging internet annoyances and abuses to a set of central servers, which could then be DDOS'd all to hell and back by the perpetrators of said annoyances and abuses.
    • He meant:

      ... abuselog.org, a site for the development of a generalized protocol for logging internet annoyances and abuses to a set of central servers, which could then be DDOS'd all to hell and back by the perpetrators of said annoyances and abuses.
      This needs to be moderated funny as hell. It unfortunately is quite true...
  • by alanxyzzy ( 666696 ) on Wednesday July 14, 2004 @06:56AM (#9695347)
    SPAM in all upper case is a trademark of Hormel, and refers to their pork luncheon meat product. They request [spam.com] that when the term is used to refer to unsolicited bulk e-mail, it is not capitalised.

    IIALP allows for an infinite number of different types of annoyances to exist but has concise templates for common annoyances such as SPAM.
    One cannot take entirely seriously anyone proposing a new method of fighting net-abuse, who is not aware of this fact.
