So, I saw this update over at the SANS Internet Storm Center, and it pushed a button. Well, I should say it was nothing Rob VanderBrink did that set me off, but this "Reputation Filtering" feature he discussed. Does this sound familiar to anyone?
Years ago I used to run the network for a small industry association, and we started having trouble delivering email. After a little research I found out we had were appearing in one of the dozens of DNSBLs that were in heavy use. A little more digging, and I finally found out that it was not us that was actually blacklisted- it was our entire ISP! Apparently the person who ran this particular blacklist decided to blacklist the entire ISP because "they allowed their customers to send spam." They weren't doing enough to prevent it.
This raises a couple points. First and foremost, I was torn. Even though I relied on DNSBLs to protect my company from spam, I was trying to figure out how to get off of one of these lists. What I found was that anyone who wants to create a blacklist can, and they can run them any way they want. Oh joy!! Talk about the wild west. This is really a terrible example of having anyone out there serve as judge, jury, and executioner. While Wyatt Earp and the baddies shoot it out at the OK Corral, the rest of us have to dodge bullets whizzing by our heads.
Worse yet though, what purpose does this "reputation filtering" really serve? Most IPSs have the capability to respond to a detected attack by blocking an IP address for a short period of time. Most of these do so by inspecting actual traffic, and then making a decision about whether the traffic is malicious or not. However, reputation filtering is going to help you, for extended periods, blacklist IP addresses. Is there a problem with that? Well . . .
- IP addresses are not reliable identifiers. If I am the attacker on a cable/FiOS connection and my IP address changes suddenly I'm able to send malicious traffic, but the person who gets my old IP address is not.
- If I'm an attacker I can just spoof my IP address. It's 2010, haven't we figured this out by now?
- If I'm a botted machine on a corporate network behind NAT, then you may end up blocking me and the other 200 machines with the same NATted IP address.
It was one thing when we relied on this sort of thing for spam protection. It was less disastrous because it was applied at a higher layer technology. With reputation filtering we're blocking packets- we're right down at the network layer. The potential for problems is much higher. Moreover, it seems less effective than the technologies we're already using which actually look at the traffic to determine whether it's allowable or not. What problem were they actually trying to solve?