What do you want your ISP to block today?

Owen DeLong owen at delong.com
Sun Aug 31 06:34:21 UTC 2003

--On Saturday, August 30, 2003 8:18 PM +0200 Iljitsch van Beijnum 
<iljitsch at muada.com> wrote:

> On Saturday, Aug 30, 2003, at 18:54 Europe/Amsterdam, Owen DeLong wrote:
>
>>> Christopher L. Morrow's mention of asymmetric routing for multihomed
>>> customers is more to the point, but if we can solve this for all those
>>> single homed dial, cable and ADSL end-users and not for multihomed
>>> networks, I'll be very happy.
>
>> I happen to look a lot like a single homed ADSL end
>> user at certain levels, but, I'm multihomed.  I'd be very annoyed if
>> my ISP started blocking things just because my traffic pattern didn't
>> look like what they expect from a single homed customer.
>
> I'm sure knife salespeople find it extremely annoying that they can't
> bring their wares along as carry-on when they fly. Sometimes a few people
> have to be inconvenienced for the greater good.
>
In my opinion, this is a very unfortunate attitude largely based on FUD
and myth.  Apologies for the off-topicness of the following example,
but, having just been through this level of greater good, I hope it
will serve some positive purpose if people realize how ridiculous it
gets if you let this go.

Frankly, I think the level of absurdity that the TSA and HSA have taken
things to speaks for itself.  From May 21 of this year until August 1,
certain interpretations of our newfound greater good would have allowed
me to be classified as a terrorist and hauled off to prison.  Why?
Because on May 21, depending on your interpretation of the statutes,
my possession of an until then perfectly legal 2 pounds of black powder
or my possession of an until then perfectly legal Aerotech J-350 Ammonium
Perchlorate Composite Propellant rocket motor reload suddenly changed
from a perfectly legal hobby to an act of terrorism for anyone who did
not possess a Low Explosives User Permit from the USDOJ/BATFE.  What changed
on August 1?  I got my permit (finally) which I applied for in April.

The minor inconvenience involved in doing this consisted of:

	1.	$100 to the feds.
	2.	I had to file an FBI Fingerprint Card with the BATF
		+	$30 to get the fingerprinting done
		+	Took about 3 hours to track down the correct method of
			getting the fingerprinting done and actually have
			it done.  (BATF instructions didn't work and it turned
			into a name-that-bureaucracy trip through 5 different
			agencies to find one that would do the fingerprinting
			(no, the FBI will not)).
	3.	Federal Background Check
	4.	Essentially sign away my 4th amendment rights and grant
		the BATFE permission to inspect my home at any time.
	5.	Get a letter of agreement for contingency storage from at
		least one agency with a LEUP and a storage authorization
		(my LEUP is a non-storage LEUP).
	6.	I now need to keep records of all my rocket motor purchases,
		usages, storages, and other dispositions for 10 years.

The greater good accomplished:

	Any nutcase that wants to can still pay cash for all the ammonium
nitrate and diesel fuel he/she wants with no identification required, no
record of the transaction, and no permit required.

	Did I mention that the Oklahoma City Federal building has proven
that AN+Diesel does explode, while the NH state police explosives lab
has proven that APCP DOES NOT EXPLODE.

Sorry... I just don't see a greater good in forcing liability on ISPs
for forwarding IP datagrams with valid headers.

>> But, TCP to a port that isn't listening (or several ports that aren't
>> listening) _ARE_ what you are talking about blocking.  This is not a
>> good idea.
>
> Why not? I think it's a very good idea. TCP doesn't work if you only use
> it in one direction, so blocking this doesn't break anything legitimate,
> but it does stop a whole lot of abuse. (Obviously I'm talking about the
> case where the lack of return traffic can be determined with a modicum of
> reliability.)
>
1.	Your assumption is false.  There are multiple diagnostic things
	that can be accomplished with what appears to be a single-sided
	TCP connection.

2.	I should be able to probe, portscan, or otherwise attack my own
	site from any location on the internet so long as I do not create
	a DOS or AUP violation on someone else's network that I have an
	agreement with.

3.	Fixing the end hosts will stop a lot more abuse than breaking
	the network will.

>>> It should be possible to have a host generate special "return traffic"
>>> that makes sure that stuff that would otherwise be blocked is allowed
>>> through.
>
>> I don't think it's desirable or appropriate to have everyone re-engineer
>> their hosts to allow monitoring and external validation scans to get
>> around your scheme for turning off services ISPs should be providing.
>
> But then you don't seem to have any problems with letting through denial
> of service attacks so I'm not sure if there is any use in even discussing
> this with you. Today, about half of all mail is spam, and it's only
> getting worse. If we do nothing, tomorrow half of all network traffic
> could be worms, scans and DOS. We can't go on sitting on our hands.
>
I don't propose sitting on our hands.  I propose fixing the problem where
the problem is.  What you are proposing makes as much sense as locking up
all the yeast producers to cut down on drunk driving.  Sure, there are
fewer yeast producers than drunk drivers and they're in business, so they're
easier to find.  However, just because it's easier doesn't make it correct
or even logical.  Yes, this is an extreme example, but, other than degree
of separation, I don't see a lot of difference in the approaches.

Fixing the edge is harder, but, it will yield better results.  Breaking
the core is easier, but, will yield lots of collateral damage and won't
necessarily do much more than create smarter worms.

Owen
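As an added illustration that is not part of the original thread, the following Python models the "no return traffic seen" rule Iljitsch proposes and the asymmetric-routing objection Owen raises. It runs a one-sided-TCP classifier over constructed flow records (all addresses, the record layout and the flag names are assumptions), and shows that a multihomed customer whose SYN/ACKs return via another provider is indistinguishable from a scanner under the naive rule, but not once the client's own post-handshake ACKs are taken as evidence.

```python
from collections import defaultdict

# Constructed flow records as an ISP might export from one customer-facing
# link: (src, dst, service_port, flags). The port is the server-side port in
# both directions. Flags: "S" = bare SYN, "SA" = SYN/ACK reply,
# "A" = ACK or data the client sends after completing the handshake.
FLOWS = [
    # 10.0.0.5: single-homed, ordinary browsing; both directions cross this link
    ("10.0.0.5", "203.0.113.10", 80, "S"), ("203.0.113.10", "10.0.0.5", 80, "SA"),
    ("10.0.0.5", "203.0.113.10", 80, "A"),
    ("10.0.0.5", "203.0.113.11", 443, "S"), ("203.0.113.11", "10.0.0.5", 443, "SA"),
    ("10.0.0.5", "203.0.113.11", 443, "A"),
    ("10.0.0.5", "203.0.113.12", 443, "S"), ("203.0.113.12", "10.0.0.5", 443, "SA"),
    ("10.0.0.5", "203.0.113.12", 443, "A"),
    # 10.0.0.7: SYNs to many hosts, nothing comes back and nothing follows
    ("10.0.0.7", "198.51.100.1", 22, "S"), ("10.0.0.7", "198.51.100.2", 22, "S"),
    ("10.0.0.7", "198.51.100.3", 22, "S"), ("10.0.0.7", "198.51.100.4", 22, "S"),
    # 10.0.0.9: multihomed; SYN/ACKs come back via its other provider, so this
    # link never sees them, yet the client's own ACKs and data still exit here
    ("10.0.0.9", "203.0.113.20", 25, "S"), ("10.0.0.9", "203.0.113.20", 25, "A"),
    ("10.0.0.9", "203.0.113.21", 25, "S"), ("10.0.0.9", "203.0.113.21", 25, "A"),
    ("10.0.0.9", "203.0.113.22", 25, "S"), ("10.0.0.9", "203.0.113.22", 25, "A"),
]

def classify(flows, min_syns=3, naive=True):
    """Label each customer originating >= min_syns SYNs as 'ok' or 'one-sided'.

    naive=True is the rule debated in the thread: a SYN is answered only if a
    SYN/ACK was seen on this link. naive=False also accepts the client's own
    post-handshake ACK/data as evidence (a host can forge ACKs, so this is
    evidence, not proof); that is what an asymmetrically routed customer leaves.
    """
    syns, answered = defaultdict(set), defaultdict(set)
    for src, dst, port, flags in flows:
        if flags == "S":
            syns[src].add((dst, port))
        elif flags == "SA":  # reply: dst is the customer that sent the SYN
            answered[dst].add((src, port))
        elif flags == "A" and not naive:
            answered[src].add((dst, port))
    verdict = {}
    for customer, targets in syns.items():
        if len(targets) < min_syns:
            continue  # too few connections to judge either way
        unanswered = targets - answered[customer]
        verdict[customer] = "one-sided" if unanswered == targets else "ok"
    return verdict
```

Under the naive rule 10.0.0.9 is flagged exactly like 10.0.0.7; with the client-side evidence only the host that never progresses past the SYN remains flagged, which still leaves Owen's single-sided diagnostic traffic (point 1 above) as a false positive.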
