HTTP proxies, was Re: Operational Issues with

Michael.Dillon at Michael.Dillon at
Mon Dec 9 10:17:24 UTC 2002

> And don't forget about the biggest of them all, open BIND proxies. After
> port 80, port 53 goes through almost as much.  A lot of times you don't
> need to hack anything, software comes with relay/proxy/recursion 
> How do we get software vendors (free, pay, virus) to distribute software
> with appropriate defaults?

Set up the Net Police. 

First step, learn from the RBL and other blacklists.

Second step, publish a directory. I.e. detect the non-conforming devices 
and publish their IP addresses in an LDAP server. 

Third step, use these directories to dynamically configure filters and 
ACLs and blackhole routes.

Fourth step, lean on the vendors to make more things dynamically 
configurable, i.e. make ACL configuration more like route distribution. 
That makes the 3rd step easier and will get more of the corporate 
networking people to police their neighborhoods.

Finally, stop raving about how the net police would be bad. They already 
exist in the form of many disorganized private net police groups like the 
RBL people, spammer blacklists, NANOG mailing list, CIDR report, CERT, 
etc. The point is that policing the network itself and the devices that 
connect to the network is a good thing and should be done in a coordinated 

The purpose of publishing stuff using LDAP is because we are not policing 
people, we are policing machines therefore we need to talk to them in a 
language they can understand, i.e. a network protocol.

And yes, I realize that there are lots of problems with this that need to 
be solved and slippery slopes that we have to be wary of, but that is not 
a reason for not trying.

--Michael Dillon

More information about the NANOG mailing list