Stealth Blocking

Valdis.Kletnieks at Valdis.Kletnieks at
Thu May 24 05:30:01 UTC 2001

On Wed, 23 May 2001 16:18:12 PDT, David Schwartz said:
> 	ORBS claimed originally to be a list of confirmed open relays, which it
> once was and nobody really complained too much. The problem is, some sites
> began getting complaints about the ORBS probers probing their networks. As a
> result, some large sites (like abovenet) blocked the ORBS probers. ORBS
> countered by blacklisting all of abovenet's address blocks, including all of
> their non-multihomed customers. This blacklisted thousands of machines that
> had no open relays.

Well.. half of this is a red herring.

The last time I checked (which was a re-check as I was writing this),
ORBS had different ways of listing "known open relay" and "unable to
check because of a block".  Therefore, a carefully worded ORBS query
should result in no blacklisting of "thousands of machines that had no
open relays" (although of course, you would then not get a heads-up from
ORBS regarding an actual open relay in a blocked address block).

It's the site's decision whether it prefers false positives or false negatives.

See for details... lot of options there.

Flame-fests regarding ORBS probing should be redirected to /dev/null.

				Valdis Kletnieks
				Operating Systems Analyst
				Virginia Tech
