The limits of mob-style takedowns

It is interesting to observe the dynamics of the interactions on the Internet. In the last couple of years several hosting organizations (RBN, McColo and so on) have been taken down by “denouncing them to the masses”. The usual flow of events was:

  • Evidence was gathered against them
  • The media “exposed” them
  • Their upstream providers cut the peering with them

What I find especially disturbing is that there is no “fair process” part involved here; it is all based on the varying level of sensibility of the people who operate different ISPs. Now I’m not saying that these organizations shouldn’t be taken down, but some kind of process should be placed around it, otherwise we will create a lot of collateral damage. A silver lining in this darkness is the ICANN procedure for negotiating with registrars: they have a process and, even though it is sometimes slower, it works, while still having the guarantees of a “fair process”. The main reason I bring this up is that the FireEye blog has been running a series with “Industry Bad Actors”:

Besides the fact that the posts have a xenophobic tendency (the enumerated organizations are from Ukraine, China, etc. – none from the USA), they don’t give a clear and objective measure for classifying a network as “bad”. So they found a couple of IPs in a network serving up malicious content. Is that enough to classify it as “bad”? I can show at least twice as many in US-based networks (AT&T anyone?). These numbers are not proof of anything. In a recent study of malicious domain names I found that the correlation between the country and the probability of a domain hosted there being malicious is the same as the correlation between the country and their “connectedness” (to put it more simply: larger networks have more bad stuff in them). So please: let’s move away from arbitrarily labeling networks as bad and let’s try coming up with objective criteria and guidelines for fair process before we have more cases of innocent victims suffering because of hasty take-down procedures.

