And don't forget about the biggest of them all, open BIND proxies. After port 80, port 53 goes through almost as much. A lot of times you don't need to hack anything; software comes with relay/proxy/recursion enabled. How do we get software vendors (free, pay, virus) to distribute software with appropriate defaults?
Set up the Net Police. First step, learn from the RBL and other blacklists. Second step, publish a directory, i.e. detect the non-conforming devices and publish their IP addresses in an LDAP server. Third step, use these directories to dynamically configure filters and ACLs and blackhole routes. Fourth step, lean on the vendors to make more things dynamically configurable, i.e. make ACL configuration more like route distribution. That makes the third step easier and will get more of the corporate networking people to police their neighborhoods. Finally, stop raving about how the net police would be bad. They already exist in the form of many disorganized private net police groups like the RBL people, spammer blacklists, the NANOG mailing list, the CIDR report, CERT, etc. The point is that policing the network itself and the devices that connect to the network is a good thing and should be done in a coordinated fashion. The reason for publishing stuff using LDAP is that we are not policing people, we are policing machines; therefore we need to talk to them in a language they can understand, i.e. a network protocol. And yes, I realize that there are lots of problems with this that need to be solved and slippery slopes that we have to be wary of, but that is not a reason for not trying. --Michael Dillon
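Dillon's second and third steps (a published directory of non-conforming hosts, consumed to build filters and blackhole routes), sketched as working code. This is an added illustration, not code from his post or from any real RBL/directory operator: the directory records, the dnsbl.example zone, the "protected" 198.51.100.0/24 prefix and the IOS-style ACL/null-route syntax are all assumptions. The part the proposal glosses over is the consumer-side sanity check: a feed that anyone can publish into must not be able to make you blackhole bogon space or your own prefixes, so those records are dropped before any ACL is generated.

```python
import ipaddress

# Constructed sample directory entries (hypothetical data, not from any real feed):
# the kind of records a "non-conforming device" directory might publish.
DIRECTORY_ENTRIES = [
    {"ip": "192.0.2.10", "service": "bind-recursion"},
    {"ip": "192.0.2.11", "service": "bind-recursion"},
    {"ip": "192.0.2.12", "service": "smtp-relay"},
    {"ip": "203.0.113.200", "service": "http-proxy"},
    {"ip": "198.51.100.7", "service": "http-proxy"},   # inside "our" address space
    {"ip": "10.0.0.5", "service": "smtp-relay"},       # bogon: never route-filter it
    {"ip": "not-an-ip", "service": "smtp-relay"},      # garbage record in the feed
]

# Prefixes a consumer must never blackhole, whatever the feed says
# (assumed example: treat 198.51.100.0/24 as our own space).
PROTECTED = [ipaddress.ip_network("198.51.100.0/24")]

# Address space that has no business appearing in a public offender list.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4")]


def dnsbl_query_name(ip, zone="dnsbl.example"):
    """RBL-style lookup name: the octets reversed under the list's zone.
    A client resolves this name; an A record back means 'listed'."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def select_offenders(entries, protected=PROTECTED, bogons=BOGONS):
    """Turn raw directory records into /32s that are safe to act on:
    drop unparsable addresses, bogons and anything in protected space,
    then collapse adjacent hosts into the smallest covering prefixes."""
    chosen = []
    for rec in entries:
        try:
            addr = ipaddress.IPv4Address(rec["ip"])
        except (ValueError, KeyError):
            continue
        if any(addr in net for net in bogons):
            continue
        if any(addr in net for net in protected):
            continue
        chosen.append(ipaddress.ip_network(f"{addr}/32"))
    return list(ipaddress.collapse_addresses(chosen))


def render_acl(nets, number=150):
    """IOS-style extended ACL: one deny per prefix, explicit permit at the end."""
    lines = []
    for net in nets:
        if net.prefixlen == 32:
            lines.append(f"access-list {number} deny ip host {net.network_address} any")
        else:
            lines.append(f"access-list {number} deny ip {net.network_address} {net.hostmask} any")
    lines.append(f"access-list {number} permit ip any any")
    return lines


def render_null_routes(nets):
    """Static blackhole routes for the same prefixes."""
    return [f"ip route {n.network_address} {n.netmask} Null0" for n in nets]


if __name__ == "__main__":
    nets = select_offenders(DIRECTORY_ENTRIES)
    print("\n".join(render_acl(nets)))
    print("\n".join(render_null_routes(nets)))
```

Run as-is it emits three deny lines and three Null0 routes: the two adjacent BIND hosts collapse into 192.0.2.10/31, the host inside the protected prefix, the 10/8 record and the malformed record are all silently dropped. Fetching the records from an actual LDAP server (or a DNSBL via dnsbl_query_name) is the only piece left to wire in; the filtering and rendering do not change.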