Yesterday, some of my colleagues and I attended a talk at Harvard’s Center for Research on Computation and Society. The talk was given by Mike Collins, a network security researcher who currently works at RedJack, and it focused on the limitations of intrusion detection systems as a form of network defense. The primary content of the talk was rather technical and quantitative, but Mike ended with an interesting conclusion: it may be possible to significantly decrease network-based attack traffic (e.g., port scanning, worm propagation, etc.) by blocking incoming access from the IP addresses and subnets that have historically behaved badly. By limiting the blocking to only the top 20 bad IP addresses and a relatively small number of narrowly defined subnets, he says, the risk of infection could plummet without causing too many false positives (i.e., blocking legitimate traffic). Even more interesting was his observation that networks that have behaved badly in the past tend to continue behaving badly.
If this last statement is accurate, then developing systems to track subnet reputation and apply that information to blocking decisions could be a viable application of John Palfrey et al.’s theory of peer production Internet governance (PDF). What might this look like, and what are some of the issues that would have to be addressed? Here are a few thoughts:
- Does one type of bad behavior on a network (e.g., sending spam) correlate strongly with other types of bad behavior (e.g., port scanning or propagating the SQL Slammer worm)? If not, reputations would have to be tracked separately for each type of behavior. (Or, I suppose, a decision could be made to punish any one bad behavior broadly by blocking access across the board.)
- If we expect network providers to police their networks to reduce "bad" behavior, how do we balance a desire for hands-off network management (i.e., don’t decide what I can and can’t do online) with a desire for the provider to prevent badness?
- How does reputation change over time? What happens when the owner/operator of a network changes, and the new owner behaves differently than the old?
- What happens when a single IP address or subnet has a lot of bad activity but also a lot of legitimate activity, as in situations where an entire country’s Internet traffic filters out through a small IP space?
This type of question is not new to StopBadware, of course. We and our partners deal with some similar issues in the work we do in publicizing badware websites. In fact, as we expand our Badware Website Clearinghouse, we expect that security researchers, law enforcement, and network providers will be able to use the data as a way to make their own judgments about the reputation of particular sites and network providers. If we ever decide to extend our work into, say, creating a "reputation score" for particular URLs, network blocks, or IP addresses, we’ll have to carefully consider all of these questions.
Isn’t this the model for operations like Spamhaus? I believe it’s been somewhat effective, but it’s already been responsible for getting legitimate domains blacklisted, as you predict in your fourth bullet.
Spammers and other do-badders hide beneath the coat-tails of large service providers that, if blacklisted, would deny services to huge populations. IIRC, this has even happened to giants like AOL.
The problem is that spammers have nothing to lose if they cause a denial of service, and everything to gain if they can fly under the radar at big ISPs.
If ISPs don’t police their user base, won’t they become safe havens for spammers?
Yes, the potential for blacklisting legitimate networks or addresses is significant. The holy grail might be to figure out how to simultaneously reduce false positives and very quickly process appeals for false positives without making it easy for the bad guys to game the system.
Also, are different networks considered differently? For instance, how does a web host compare to an Internet service provider?
I don’t know the extent that each type could be used, but there should be differences in them, and so approaching how to score each type of network could be different, no?
This kind of coincides with your first bullet point.
The historical issue you mentioned in the opening paragraph and the third bullet point is also interesting. Both a change in actions under the current ownership (or use by clients or third parties), and a change to new ownership, could alter the “score.”
Yeah… those are interesting questions that are raised. There aren’t any easy answers for those questions (especially the last one – think Russia).
This can easily be focussed to eliminate or reduce most of the risks.
On the internet, reputation is about 4 minutes long. (No one wants to know what you were doing in 2008, let alone 1998!) So if you block a bad IP address for a specific bad activity (a DoS attack, or spam, or some trojan), release the block after six hours. If the attack resumes, block for eight or ten more. In each case, block for a specific behavior, and for a short period of time. When the behavior stops, the block gets lifted automatically.
Most bad behavior that you can block legitimately is from botnets on residential IP space. Blocking residential or DHCP IP space from contacting your machine is a no brainer. If you want to contact them, make an exception. This is a simple firewall function for home machines.
Likewise spam: most comes from bot-infected residential machines. The three or four people who have set up a well-run mail server on their residential ISP account might have a problem if we blocklist residential machines, but some sacrifice might be necessary.
If a bad actor is controlling a machine (sending out tons of spam, or probing for open ports) why would you want to trust it to have a legitimate service on another port? Why trust your credit card number to a machine you know is controlled by the bad guys?
If a single IP is being used by a small company and includes their web server, and the bad actor is on one of the desktops, well, (a) how can you tell and (b) if the network is poorly run enough to have that sort of misbehavior on one machine, the chances that it will migrate to another machine, including the web server, are great enough to justify blocking the whole thing. Of course, once they do get someone in to fix the problem, I’m saying the block can be lifted automatically within a few hours, minimizing the problem.
In this context, some people worry about a legitimate marketing business that has purchased its own server and pays for its own bandwidth and is developing brand recognition for its domain name. If it goes over the top with its marketing efforts, should it be blocked? First off, legitimate companies who are using their own resources to misbehave are extremely few in number — and don’t last very long. Second, legitimate businesses these days know what the limits are, or soon learn them. If they decide the reputation of their domain name is important, and do their misbehaving with a throwaway domain name they bought yesterday and don’t plan to use ever again, that’s another story. But if they haven’t misbehaved with their primary domain name in a day or two, unblock them and see what happens.
Reputations can go both ways. Let’s encourage legitimate businesses to nurture a good reputation. It will make it easier to spot the new actors with no reputation, and block those who continue to deserve a bad one.