Thoughts & questions about responsibility for network traffic

Rick Moen rick at linuxmafia.com
Sun Dec 2 15:29:17 PST 2001


begin David Wolfskill quotation:

> As those who have seen some of my ramblings & rants regarding email &
> spam may recall, I tend to be borderline fascist (phrased charitably)
> with respect to tolerance of obvious intent to abuse services such as
> email.

You say that as if it might be A Bad Thing.  When I allude to
jackboot-enabling technologies like Derek J. Balling's
http://www.rfc-ignorant.org/ and your methods, it tends to be with a
heartfelt sense of admiration and fellow-feeling.

[examples of apparent port-scanning for ssh vulnerabilities]

> The first 4 entries were all from the same netblock (2 addresses).
> Yesterday, I sent a message to the listed WHOIS contact for that
> netblock, explaining that I had no reason to believe that any harm had
> come of this, but on the other hand, there was no legitimate reason for
> the attempt, either, and it was quite unwelcome.  I further mentioned
> that the attempt may indicate that one or more systems on the netblock
> were compromised.
> 
> I received a bounce-o-gram for my efforts.
>
> This morning, I sent a message off to the listed WHOIS (RIPE) contact
> for the 3rd pair of probes, with similar content.  I (also) received a
> bounce-o-gram in response to that message.

I hear your point.  Port-scanning of all sorts is so incredibly
ubiquitous that trying to chase it down seems like a herculean task,
but having valid WHOIS contact info seems like a minimal requirement for
netblock ownership.

> So at this point, I'm wondering if it might be appropriate to consider
> blocking access from the netblocks in question -- not just to the SMTP
> server, but at the firewall, with an ICMP "administratively prohibited"
> response.  It may reasonably be considered that this is a rather extreme
> response; on the other hand, I believe that we need a bit more
> responsibility in the Internet.

Here's one way to try to analyse the matter:  Hypothetically, suppose
someone else in my netblock (a non-portable block owned by Tsoft, Inc.
of Berkeley) did some bits of nastiness to your machines, you tried to
write the netblock's "coordinator" e-mail address, got bounced, and
blocked my netblock in your firewall.  Not knowing this, I try to
connect to some service you offer on your box, and the connection fails.
Will I be able to figure out why?  If I happen to try ping, I get:

   ICMP Destination Unreachable (Communication Administratively
   Prohibited)  198.144.195.18 6 -> [number]

Maybe I have to look that up in RFC 1812, maybe not.

I might not be enterprising enough to dig out ping and remember what the
diagnostic means; maybe the failed SMTP delivery, HTTP connection, etc.
looks to me just like a down server, and I don't investigate further.  
If I _do_ figure it out, I probably write to postmaster@[ip], hear your
explanation, and light a fire under Tsoft and/or change bandwidth
providers.  But I'll bet few users will go that far.

Is this a problem for the affected users?  Possibly.  For you?  Well,
that's entirely a matter of perspective and opinion.  My point is that, 
if you're envisioning this as one of the building blocks of retrofitting
needed consequences into the modern Internet -- fixing responsibility
back where it belongs -- the feedback mechanism may not work very well.

-- 
Cheers,     "Learning Java has been a slow and tortuous process for me.  Every 
Rick Moen   few minutes, I start screaming 'No, you fools!' and have to go
rick at linuxmafia.com       read something from _Structure and Interpretation of
            Computer Programs_ to de-stress."   -- The Cube, www.forum3000.org
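The message above hinges on whether a user behind a blocked netblock can tell a firewall's deliberate refusal from a dead server. The Python below is an added example, not part of Rick Moen's or David Wolfskill's posts: it builds a constructed ICMP Destination Unreachable message with the RFC 1812 "Communication Administratively Prohibited" code (type 3, code 13), decodes it the way the blocked user's host would, and contrasts that with the silent-drop case, where no ICMP arrives at all. The function and field names, and the RFC 5737 documentation addresses, are assumptions chosen for the example; the code mapping itself comes from RFC 792 and RFC 1812.

```python
import struct
from typing import Optional

# ICMP type 3 (Destination Unreachable) code names. Codes 0-5 are from RFC 792,
# 6-15 from RFC 1122 / RFC 1812 (section 5.2.7.1); code 13 is the one quoted above.
DEST_UNREACH_CODES = {
    0: "Network Unreachable",
    1: "Host Unreachable",
    2: "Protocol Unreachable",
    3: "Port Unreachable",
    4: "Fragmentation Needed and DF Set",
    5: "Source Route Failed",
    6: "Destination Network Unknown",
    7: "Destination Host Unknown",
    8: "Source Host Isolated",
    9: "Communication with Destination Network Administratively Prohibited",
    10: "Communication with Destination Host Administratively Prohibited",
    11: "Network Unreachable for Type of Service",
    12: "Host Unreachable for Type of Service",
    13: "Communication Administratively Prohibited",
    14: "Host Precedence Violation",
    15: "Precedence Cutoff in Effect",
}
# Codes that mean "a filter refused this deliberately", not "nothing answered".
ADMIN_PROHIBITED = {9, 10, 13}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; returns 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_original_datagram(src: str, dst: str, dport: int) -> bytes:
    """Constructed 20-byte IPv4 header plus the first 8 bytes of a TCP segment,
    i.e. the part of the offending packet a router echoes back in the ICMP error."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0, src_b, dst_b)
    tcp_head = struct.pack("!HHI", 54321, dport, 1)  # source port, dest port, seq
    return ip_hdr + tcp_head


def build_dest_unreach(code: int, original: bytes) -> bytes:
    """Constructed ICMP Destination Unreachable (type 3) message with a valid checksum."""
    body = original[:28]
    unchecked = struct.pack("!BBHI", 3, code, 0, 0) + body
    return struct.pack("!BBHI", 3, code, icmp_checksum(unchecked), 0) + body


def decode_dest_unreach(icmp: bytes, reporter: str) -> dict:
    """Decode a type 3 ICMP message as the blocked user's host would see it.
    `reporter` is the source address of the IP packet carrying the ICMP (the
    router or firewall that sent it); that address is not inside the ICMP payload."""
    if len(icmp) < 8 + 20:
        raise ValueError("ICMP message too short to contain the original IP header")
    if icmp_checksum(icmp) != 0:
        raise ValueError("ICMP checksum mismatch")
    typ, code, _csum, _unused = struct.unpack("!BBHI", icmp[:8])
    if typ != 3:
        raise ValueError("not a Destination Unreachable message (type %d)" % typ)
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    orig_dst = ".".join(str(b) for b in inner[16:20])
    dport = None
    if proto in (6, 17) and len(inner) >= ihl + 4:  # TCP or UDP: ports are the first 4 bytes
        _sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    filtered = code in ADMIN_PROHIBITED
    return {
        "type": typ,
        "code": code,
        "label": DEST_UNREACH_CODES.get(code, "Unknown code %d" % code),
        "reporter": reporter,
        "original_dst": orig_dst,
        "original_dport": dport,
        "filtered": filtered,
        "diagnosis": (
            "%s is deliberately refusing traffic to %s (policy, not an outage)" % (reporter, orig_dst)
            if filtered else
            "%s reports %s as unreachable (reachability problem)" % (reporter, orig_dst)
        ),
    }


def diagnose(icmp: Optional[bytes], reporter: Optional[str]) -> str:
    """A silent DROP produces no ICMP at all, which to the user looks exactly like a dead server."""
    if icmp is None:
        return "connection timed out with no ICMP error: indistinguishable from a down server"
    return decode_dest_unreach(icmp, reporter)["diagnosis"]


if __name__ == "__main__":
    # Constructed addresses from the RFC 5737 documentation ranges.
    dg = build_original_datagram("192.0.2.10", "198.51.100.25", 22)
    print(diagnose(build_dest_unreach(13, dg), "203.0.113.1"))
    print(diagnose(None, None))
```

The design point is the one the message makes: a REJECT that returns code 13 at least hands the blocked user a string they can look up in RFC 1812, whereas a silent drop gives them nothing to distinguish from an outage, so the "feedback mechanism" only works if the block answers with ICMP and the user knows to look at it.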


