Distributed DNS blacklists # 2

MGLEE on 2003-09-25T12:52:22

The best architecture I can think of is using the distributed nature of Usenet to disseminate incremental updates to DNS blacklists using some authenticated structured format. The most appropriate I can think of is signed XML.

This system allows users to access blacklist information anonymously and create local (or regional) blacklist mirrors which are private to a local network (or ISP) or at the least not widely advertised. In any case, if one mirror is taken out, it doesn't affect any of the other mirrors.

The newsgroup would be moderated, with trusted maintainers of blacklists given a key with which to create an 'approved' header with their own stamp of trusted approval.

The obvious attacks are post flooding and cancel bots. The former can be defeated with an official cancel bot, the latter by a resurrection bot.

Signing the content of the posts allows users to determine if they trust the assertion that the post content relates to the named blacklist, and to detect and reject attempts at poisoning the lists.

It's an imperfect solution, but it's a start. Ideas?
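
One way to build the signed-update mirror described above, as an added example that is not code from the post or from any real blacklist project: a maintainer signs each incremental update with Ed25519, and a mirror merges a post only if a key it trusts verifies the raw payload bytes, the update names the mirror's own list, and the sequence number advances (so a captured old post cannot be replayed to poison the list). The XML layout, field names, signer names and addresses are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/xml"
	"errors"
)

type Update struct { // one incremental change to a named blacklist (constructed format, not a real standard)
	Blacklist string   `xml:"blacklist,attr"`
	Seq       uint64   `xml:"seq,attr"` // must increase per blacklist, so a captured post cannot be replayed
	Add       []string `xml:"add"`
}
type Signed struct { // the post body: the Update bytes exactly as signed, the maintainer's name, the signature
	Signer  string `xml:"signer,attr"`
	Payload string `xml:"payload"` // base64 of the Update XML
	Sig     string `xml:"sig"`     // base64 Ed25519 signature over those bytes
}
type Mirror struct { // a local replica of one blacklist plus the maintainer keys it trusts for that list
	Blacklist string
	Trusted   map[string]ed25519.PublicKey // signer name -> public key
	Seq       uint64
	Entries   []string
}
// Sign is the maintainer's side: serialise an update and wrap it as a signed post body.
func Sign(priv ed25519.PrivateKey, signer string, u Update) []byte {
	payload, _ := xml.Marshal(u) // marshalling this fixed struct cannot fail
	post, _ := xml.Marshal(Signed{Signer: signer, Payload: base64.StdEncoding.EncodeToString(payload), Sig: base64.StdEncoding.EncodeToString(ed25519.Sign(priv, payload))})
	return post
}

// Apply is the mirror's side: verify the signature over the raw bytes before parsing them, then merge.
func (m *Mirror) Apply(post []byte) error {
	var s Signed
	err := xml.Unmarshal(post, &s)
	pub, ok := m.Trusted[s.Signer]
	payload, err1 := base64.StdEncoding.DecodeString(s.Payload)
	sig, err2 := base64.StdEncoding.DecodeString(s.Sig)
	if err != nil || !ok || err1 != nil || err2 != nil || !ed25519.Verify(pub, payload, sig) {
		return errors.New("rejected: malformed post, untrusted signer, or bad signature") // mirror unchanged
	}
	var u Update
	if err := xml.Unmarshal(payload, &u); err != nil || u.Blacklist != m.Blacklist || u.Seq <= m.Seq {
		return errors.New("rejected: malformed update, wrong blacklist, or stale/replayed seq")
	}
	m.Entries = append(m.Entries, u.Add...)
	m.Seq = u.Seq
	return nil
}
```

Parsing the payload only after the signature checks out is deliberate: an unverified post never reaches the XML parser or the mirror's state.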


Monotone?

johnseq on 2003-10-06T17:40:20

http://www.venge.net/monotone/ is a distributed version control system that includes trust metrics and some PKI that got me thinking. My idea is that you can think of collaborating on a blacklist as a project under version control, one in which you don't necessarily trust everyone else's patches.

It's different from the blacklist-as-single-document-from-a-single-server design -- instead, consider a blacklist as comprising a baseline and a set of patches from multiple sources, some of whom you trust, and some of whom you don't. I think you might end up with something like what Cloudmark does for client-side spam filtering, but with more power over whose spam-reporting votes matter to you.

I know there are bootstrap issues regarding the baseline, the document format, etc., but suspect they are resolvable.

I haven't used monotone, but it just sounds like a cool hack and a neat overlap between several technology domains which do not normally overlap.