[BlueOnyx:16375] IP reputation service - an off the wall idea (fwd)

George F. Nemeyer tigerwolf at tigerden.com
Sun Nov 2 12:42:25 -05 2014


The following was recently tossed out to a pretty good sized, and well
connected, group of admin and engineering folks dealing with spam issues.
The intent is to spread an IP reputation scheme similar to that used by
some major spam-blocking services into something that can combat abusive
sites in general.  Hopefully, it can dovetail into what is being
considered for BX security, especially for sharing data among BX boxes and
users.

-------- Forwarded message ----------

I expect this has been thought of before, but I've not heard of any
serious discussion about such a scheme...

Currently, most every site maintains some IP firewalling, hosts.deny
files, or other blocking of IPs they've found abusive or unwanted for
their own set of reasons and criteria.  And many of us rely on SpamHaus
for front line mail protection.

SpamHaus is a trusted source of simple DNS-based reputation regarding
email.  Due to having a wide network of inputs, it catches most spammer
operations fairly quickly, and chronic ones are documented.  The lookup
mechanism is a simple DNS-based mechanism and allows for the end user to
decide how to interpret the responses (i.e. allow mail or not).

What if there was a similar database lookup for abusive sites...those
doing port scans, dictionary attacks, and other sorts of probing and
intrusion attempts in general?  This database would be derived from
world-wide input and thus take advantage of a 'many-eyes' look rather than
just an end-network's own limited view.

Before *ANY* connection was allowed (perhaps on a service-by-service
basis), the IP would be queried and the return would include some scoring
factor which would allow an automated decision whether or not to continue
and allow a connection to whatever service was being requested.

Ideally, this would be a part of the DNS functioning itself, though, being
a distributed system, a more complex scheme would be needed to implement it
in a manner compatible with existing DNS functioning infrastructure.

However, if it were SpamHaus-like, allowing individual sites to optionally
and selectively query a trusted service, it could exist independently from
existing DNS.

The trusted service would, as SpamHaus does, take inputs from the
worldwide network to catch malicious IPs early enough to thwart them being
used for widespread (or at least long-term) exploitation.  To prevent
poisoning of the data, the reputation sources would also have to be highly
trusted with a network of (likely automated) honeypots.

Bad IPs could be removed after some time for 'momentary' exploits, while
more chronic ones could require the netblock owner's action along with
some proof the problem has been eliminated.

Response codes, like those for mail, could have a range that indicates either
a level of trust or, perhaps, an indication of the kinds of exploits the IP is
known to have launched/attempted.  For example, NXDOMAIN=no data,
.0=listed before, but now presumed clean, .1=dictionary login attacks,
.2=FTP attacks, .3=website exploits, etc.
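As an added illustration (not part of the original message, and not code from BlueOnyx or any real reputation service), the following shows what the per-service lookup described above could look like on the consuming side: the client IP is reversed and prefixed to a reputation zone in the usual DNSBL fashion, the answer's last octet is read as one of the codes proposed above, and each local service decides which codes it refuses. The zone name abuse.example.invalid, the 127.0.0.x answer convention (borrowed from mail DNSBLs), the per-service policy table and the stand-in resolver with its listed addresses are all assumptions constructed for the example so that it runs offline.

```python
import ipaddress
from typing import Callable, Dict, Optional, Tuple

# Hypothetical reputation zone; assumed for this example, not a real service.
REPUTATION_ZONE = "abuse.example.invalid"

# Meaning of each listing code from the proposal, read as the last octet of a
# 127.0.0.x answer (the 127.0.0.x convention is assumed, borrowed from mail DNSBLs).
CODES: Dict[int, str] = {
    0: "listed before, now presumed clean",
    1: "dictionary login attacks",
    2: "FTP attacks",
    3: "website exploits",
}

# Which listing codes each local service treats as grounds to refuse the
# connection (service-by-service, as the proposal suggests). Constructed policy.
SERVICE_POLICY: Dict[str, set] = {
    "ssh": {1},
    "ftp": {1, 2},
    "http": {3},
}


def query_name(ip: str) -> str:
    """Build the DNSBL-style lookup name: octets reversed, zone appended."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input before it reaches DNS
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{REPUTATION_ZONE}"


def decode_answer(answer: Optional[str]) -> Optional[int]:
    """Map an A-record answer to a listing code; None means NXDOMAIN (no data)."""
    if answer is None:
        return None
    octets = answer.split(".")
    # Anything outside 127.0.0.0/24 is not a listing code; treat it as an error
    # rather than silently allowing or denying on garbage.
    if len(octets) != 4 or octets[:3] != ["127", "0", "0"]:
        raise ValueError(f"unexpected answer {answer!r} from reputation zone")
    return int(octets[3])


def should_allow(ip: str, service: str,
                 resolve: Callable[[str], Optional[str]]) -> Tuple[bool, str]:
    """Decide whether to accept a connection from ip to service.

    Returns (allow, reason). An unlisted IP is allowed; a listed IP is refused
    only if its code is one the requested service has chosen to refuse.
    """
    code = decode_answer(resolve(query_name(ip)))
    if code is None:
        return True, "no data"
    reason = CODES.get(code, f"unknown code {code}")
    if code in SERVICE_POLICY.get(service, set()):
        return False, reason
    return True, reason


# Constructed stand-in for a DNS resolver: maps a lookup name to its A record,
# or None for NXDOMAIN. A real deployment would issue an actual DNS query here.
FAKE_ZONE: Dict[str, str] = {
    "4.3.2.1.abuse.example.invalid": "127.0.0.1",     # dictionary login attacks
    "8.7.6.5.abuse.example.invalid": "127.0.0.3",     # website exploits
    "12.11.10.9.abuse.example.invalid": "127.0.0.0",  # previously listed, now clean
}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_ZONE.get(name)


if __name__ == "__main__":
    for ip, service in [("1.2.3.4", "ssh"), ("1.2.3.4", "http"),
                        ("5.6.7.8", "http"), ("9.10.11.12", "ssh"),
                        ("192.0.2.1", "ssh")]:
        print(ip, service, should_allow(ip, service, fake_resolve))
```

A real list may return more than one A record for an IP that has been seen doing several things; a production client would decode each answer and refuse if any code matches the service's policy, and it should also treat resolver failures (timeouts, SERVFAIL) as "no data" rather than as a listing, so an outage of the reputation service does not shut the door on everyone.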

Such a scheme would be a way to give early-warning signs to netblock
owners that they have problem children that need attention.  An end user's
ability to effect any change is limited, simply because a hosting provider
doesn't really *care* if some end site blocks some IPs.  If it's the
*world* refusing to allow connections, a lot more careful attention would
be paid to keeping clean.

This would certainly increase the amount of DNS-ish related traffic, but
compared to the volume of TCP traffic generated by constant abusive
pounding on networks that's accepted and dealt with by hundreds of
thousands of individual end sites, a front-line defense where the
door would be shut quickly would surely result in a 'quieter'
Internet overall.
