HTTP proxies, was Re: Operational Issues with 69.0.0.0/8...

And don't forget about the biggest of them all, open BIND proxies. After
port 80, port 53 goes through almost as much. A lot of times you don't
need to hack anything, software comes with relay/proxy/recursion
enabled.

How do we get software vendors (free, pay, virus) to distribute software
with appropriate defaults?

Set up the Net Police.

First step, learn from the RBL and other blacklists.

Second step, publish a directory. I.e. detect the non-conforming devices
and publish their IP addresses in an LDAP server.

Third step, use these directories to dynamically configure filters and
ACLs and blackhole routes.

Fourth step, lean on the vendors to make more things dynamically
configurable, i.e. make ACL configuration more like route distribution.
That makes the 3rd step easier and will get more of the corporate
networking people to police their neighborhoods.

Finally, stop raving about how the net police would be bad. They already
exist in the form of many disorganized private net police groups like the
RBL people, spammer blacklists, NANOG mailing list, CIDR report, CERT,
etc. The point is that policing the network itself and the devices that
connect to the network is a good thing and should be done in a coordinated
fashion.

The purpose of publishing stuff using LDAP is that we are not policing
people, we are policing machines; therefore we need to talk to them in a
language they can understand, i.e. a network protocol.

And yes, I realize that there are lots of problems with this that need to
be solved and slippery slopes that we have to be wary of, but that is not
a reason for not trying.

--Michael Dillon
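As an added example, not code from the thread or from any NANOG tool, the following shows the two technical pieces of the proposal above in working Python: the probe side of "detect the non-conforming devices" (an open-recursion check for DNS, the port 53 case raised at the top of the post), and the consumer side of "use these directories to dynamically configure filters and ACLs and blackhole routes" (validating a published host list and rendering drop rules from it). The directory attribute names (`ipHostNumber`, `nonConformance`), the sample entries, the partial bogon list and the IOS-style output syntax are all assumptions made for illustration; the thread defines no schema or router syntax.

```python
"""Added example, not code from the thread: the probe side of "detect the
non-conforming devices" (an open-recursion check for DNS) and the consumer
side of "use these directories to dynamically configure filters, ACLs and
blackhole routes". Attribute names, sample addresses and the IOS-style
output syntax are assumptions for illustration."""
import ipaddress
import struct

PROBE_TXID = 0x1234


def build_recursive_query(name, txid=PROBE_TXID):
    """DNS A query with RD=1 for a name the target is not authoritative for.
    Sending this to a resolver that should only serve its own customers and
    getting a full answer back is the open-recursion test."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def is_open_recursive(response, txid=PROBE_TXID):
    """True when the reply is a matching response with RA set, RCODE 0 and at
    least one answer record, i.e. the server recursed on our behalf.
    REFUSED (RCODE 5) or RA=0 means it is configured the way it should be."""
    if len(response) < 12:
        return False
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txid:
        return False
    qr = (flags >> 15) & 1
    ra = (flags >> 7) & 1
    rcode = flags & 0x0F
    return qr == 1 and ra == 1 and rcode == 0 and an > 0


# Constructed stand-in for entries pulled from the proposed directory.
# The attribute names are assumed; the thread defines no schema.
DIRECTORY_ENTRIES = [
    {"ipHostNumber": "192.0.2.10", "nonConformance": "open-recursion"},
    {"ipHostNumber": "198.51.100.7", "nonConformance": "open-proxy"},
    {"ipHostNumber": "10.0.0.5", "nonConformance": "open-recursion"},  # RFC1918
    {"ipHostNumber": "192.0.2.0/24", "nonConformance": "open-relay"},  # prefix, not host
    {"ipHostNumber": "not-an-ip", "nonConformance": "open-relay"},
]

# Address space we refuse to act on whatever the feed says (partial bogon list).
NEVER_FILTER = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

KNOWN_KINDS = {"open-recursion", "open-proxy", "open-relay"}


def select_hosts(entries, max_hosts=1000):
    """Validate feed entries: exactly one host address each, not inside
    NEVER_FILTER, with a nonConformance value we recognise. The cap guards
    against a corrupted or hostile feed turning into a mass blackhole."""
    hosts = []
    for entry in entries:
        try:
            ip = ipaddress.ip_address(entry.get("ipHostNumber", ""))
        except ValueError:
            continue  # prefixes and garbage are rejected, not guessed at
        if any(ip in net for net in NEVER_FILTER):
            continue
        if entry.get("nonConformance") not in KNOWN_KINDS:
            continue
        hosts.append(ip)
    if len(hosts) > max_hosts:
        raise ValueError(f"feed lists {len(hosts)} hosts, cap is {max_hosts}")
    return hosts


def render_filters(hosts, acl_number=150):
    """Emit IOS-style blackhole routes (drop traffic to the host) and an
    ingress ACL (drop traffic from it). Syntax is assumed for illustration."""
    routes = [f"ip route {ip} 255.255.255.255 Null0" for ip in hosts]
    acl = [f"access-list {acl_number} deny ip host {ip} any" for ip in hosts]
    acl.append(f"access-list {acl_number} permit ip any any")
    return routes, acl


if __name__ == "__main__":
    print(build_recursive_query("example.com").hex())
    routes, acl = render_filters(select_hosts(DIRECTORY_ENTRIES))
    print("\n".join(routes + acl))
```

The probe builder only constructs the packet; sending it over UDP and feeding the reply to `is_open_recursive` is left to the caller so the block runs offline. On the consumer side, the point of `select_hosts` is the caveat the post glosses over: anything that turns a published list straight into router state needs to refuse prefixes, reserved space and unexpectedly large feeds, or the directory itself becomes the easiest way to knock networks off the air.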

"michael" == Michael Dillon <Michael.Dillon@radianz.com> writes:

How do we get software vendors (free, pay, virus) to distribute
software with appropriate defaults?

Second step, publish a directory. I.e. detect the
non-conforming devices and publish their IP addresses in an
LDAP server.

Let me get this straight, you are suggesting that the way to fix the
problem that there are potentially millions of insecure machines
connected to the Internet is to *PUBLISH* the IP addresses of all of
them in an easy to parse format? Cute.

Don't tell me...we'll be able to pull the vulnerability that got the
hosts in the list too, so we can verify that "our" machines are,
indeed, misconfigured? :wink:

baffled,
Michael