REACTIVE AUTONOMOUS BLACKHOLE LIST SERVER v1.0
Copyright (c) 2005 Deep Logic, Inc.
http://www.nuclearelephant.com/projects/rabl/

LICENSE

This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.

TABLE OF CONTENTS

General Server Information

  1.0 About the RABL Server
  1.1 Installation
  1.2 Running the Server
  1.3 Zone Files

1.0 ABOUT THE RABL SERVER

The RABL (pronounced "rabble") server is a statistical, machine-automated and 
up-to-the-second blackhole list server designed to monitor global network 
activity and make decisions based on network spread and infection rate - 
that is, abuse from an address which has been reported by a number of 
participating networks. This is in sharp contrast to how most other 
blacklists function, where fallible humans (many with political agendas) must 
process thousands of reports and make decisions - many times after the fact. 
The RABL is fully reactive to new threats and can block addresses within 
seconds of widespread infection - good to know in this world of drone PCs 
and stolen accounts. The RABL server blacklists addresses until they have 
cleared a minimum duration (an hour by default) without any additional 
reporting, making the appeals process as simple as "fix your junk". The RABL 
is designed to function via automated machine-learning spam filters, such as 
Bayesian filters. Each participating network is granted authenticated write 
access to the blackhole list, to prevent abuse. A client tool is also provided.

Of course, the ideal use for the RABL is for spam and viruses. Machine 
automation here is performed by any statistical filter capable of dynamically 
identifying spam and virus concepts (along with the source address). This 
information is fed into the RABL for processing. This doesn't mean, however, 
that the server should be limited to tracking only spam and viruses. It can 
easily be adapted to track any kind of network-based phenomenon over a large 
spread or even redesigned to track viruses. 

The RABL server is the server component of the blacklist. It is only 
necessary to use the server if you are running your own local RABL. If you are
looking to simply subscribe to the public RABL, then you need the RABL client
instead.

1.1 INSTALLATION

To install the RABL server, run:

./configure && make && make install

You will then want to copy the sample server configuration (rabl_server.conf) 
to a secure location on your system.  

1.2 RUNNING THE SERVER

To run the server, edit the server configuration to meet your needs.  While
read-only clients may connect arbitrarily, read-write clients will require
an account on the system.  You can create an account by using the USER
token as shown in the configuration.  Each account must have a unique user
id.

  AUTHENTICATION
  Authentication is performed using challenge-response and shared secrets.
  Both the client and server must share the same shared secret for that
  particular uid.  When the client attempts to authenticate, it will send its
  uid.  The server will then send back a random 16-byte string of characters.
  The client will then create a checksum based on this string and the shared
  secret and submit the checksum to the server.  If the checksums match on
  both sides, the user is authenticated.
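
The exchange described above, as an added example (not RABL's own code).
The README does not name the checksum algorithm, so HMAC-SHA256 is assumed
here; the uid, the secret and all function names are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed account table (uid -> shared secret); values are placeholders.
ACCOUNTS = {1001: b"constructed-shared-secret"}


def checksum(challenge: bytes, secret: bytes) -> bytes:
    # ASSUMPTION: HMAC-SHA256 stands in for RABL's checksum, which the
    # README does not specify.
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest().encode()


class Server:
    def __init__(self, accounts):
        self.accounts = accounts
        self.pending = {}  # uid -> challenge awaiting a response

    def begin(self, uid: int) -> bytes:
        # 16 random characters. Issued for unknown uids too, so the reply
        # does not reveal which accounts exist.
        challenge = secrets.token_hex(8).encode()
        self.pending[uid] = challenge
        return challenge

    def finish(self, uid: int, response: bytes) -> bool:
        challenge = self.pending.pop(uid, None)  # each challenge is single use
        secret = self.accounts.get(uid)
        if challenge is None or secret is None:
            return False
        # Constant-time comparison of the two checksums.
        return hmac.compare_digest(checksum(challenge, secret), response)


def demo():
    server = Server(ACCOUNTS)
    secret = ACCOUNTS[1001]  # the client's copy of the shared secret

    response = checksum(server.begin(1001), secret)
    accepted = server.finish(1001, response)
    replayed = server.finish(1001, response)  # no fresh challenge pending
    wrong = server.finish(1001, checksum(server.begin(1001), b"not-the-secret"))
    return accepted, replayed, wrong


if __name__ == "__main__":
    print(demo())
```

The secret itself never crosses the wire, and because every challenge is
random and consumed on first use, a captured checksum cannot be replayed.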

1.3 ZONE FILES

The server can write zone files of blacklisted addresses which your name
server can then use to answer DNS requests. This requires setting two 
configuration parameters:

ZoneTemplate  /var/named/rabl.mydomain.com.template
ZoneOutput    /var/named/rabl.mydomain.com

The file rabl.mydomain.com.template is the input used and should contain a
basic SOA header. You may also want to add a record for 127.0.0.2, as this
is used by most blacklist users to test the blacklist. You may use @serial@
in place of the serial number; it will be replaced with a timestamp when
the zone file is written. The output, ZoneOutput, should point to the 
desired destination for the zone file. You'll need to HUP your name server
every now and then to ensure that the zone is being re-read. The zone file
is written every cleanup cycle.
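
A sample template and the substitution step, as an added example (not RABL's
own code). It assumes the timestamp is a Unix epoch value and that listed
addresses are written in the usual DNSBL form (reversed octets, A record
127.0.0.2); the template contents and function name are constructed.

```python
import ipaddress
import time

# Constructed template: basic SOA header, the @serial@ placeholder and the
# 127.0.0.2 test record. Host names other than mydomain.com are placeholders.
TEMPLATE = """\
$TTL 300
@   IN SOA ns.mydomain.com. hostmaster.mydomain.com. (
        @serial@  ; serial, replaced on every write
        3600 600 86400 300 )
    IN NS  ns.mydomain.com.
2.0.0.127  IN A 127.0.0.2  ; test entry
"""


def render_zone(template, listed, now=None):
    """Return zone text with @serial@ filled in and one record per address."""
    # ASSUMPTION: the timestamp is seconds since the Unix epoch.
    serial = int(time.time() if now is None else now)
    lines = [template.replace("@serial@", str(serial)).rstrip("\n")]
    # Parsing every address rejects anything that is not a plain IPv4
    # address, so a malformed report cannot inject extra records or
    # directives into the zone. Duplicates collapse to one record.
    for addr in sorted({ipaddress.IPv4Address(a) for a in listed}):
        # ASSUMPTION: usual DNSBL layout, octets reversed under the zone.
        reversed_name = ".".join(reversed(str(addr).split(".")))
        lines.append(f"{reversed_name}  IN A 127.0.0.2")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample addresses from the documentation ranges.
    print(render_zone(TEMPLATE, ["192.0.2.10", "198.51.100.7"]))
```

Writing the result to a temporary file and renaming it over ZoneOutput keeps
the name server from reading a half-written zone when it is sent a HUP.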

BUGS AND FEEDBACK

The RABL is still in its infancy, and is likely to contain bugs.
Please feel free to report any bugs to jonathan@nuclearelephant.com. Be sure to
include a full synopsis of the problem, how to reproduce it, and what the
expected and actual results were.

You may also wish to subscribe to the rabl-users mailing list. You can do
this by emailing majordomo@lists.nuclearelephant.com with the words
'subscribe rabl-users' in the message body.

TODO

Implement Distributed Architecture

