At Thursday 03:39 PM 7/6/00, Valdis.Kletnieks@vt.edu wrote:
The biggest problem is that it's a lot easier to verify that a given site is a spamhaus. Remember that source IP addresses (which is all that your border router sees) are forgeable - making for a nice DOS attack. Forge packets from a competitor's site, get them labelled as a skriptz kiddie site, and BGP-blackholed.
How about an RFC2644-compliance blacklist? Whitelist/blacklist, your choice. Setting up a process to verify compliance to this particular RFC is a daunting task, even for whitelists where network providers actively seek inclusion into such a list. What you do with such a list would be up to you: CAR'ing source packets from networks that are not whitelisted seems like a good idea, just not Cisco CPU-wise.

I can think of lots of other RFC-compliance-based white/blacklists, personally, not all of which would require this much effort to verify eligibility. There is none, to my knowledge, as running such lists is not a trivial task in terms of resources and manpower, as the people who run lists like MAPS RBL, RSS, ORBS and others can tell you.

One more note on ORBS before my final verdict (after Networkers in Orlando): I have searched extensively for the last few weeks for evidence that something improper was happening as far as announcements and propagation of their routed prefixes goes: nothing hinting at foul play turned up, anywhere.