Nate Carlson wrote:

>On Tue, 20 Aug 2002, nate at refried.org wrote:
>  
>
>>The portion of the article I though would be "value add" was the
>>honeypot system that they set up to try to find RIAA snoopers.  It
>>looks for a correspondence between hits in their honeypot to attacks
>>on their network.
>>    
>>
>
>How I read it, the honeypot watches for _anyone_ searching for copyrighted
>music, and blackholes them from their network. So if an innocent user is
>searching for britney_spears-newest_hits.mp3, and tries to grab it,
>they'll be blacklisted. Sounded like something to keep RIAA from sueing
>them, to me..
>
Actually I think it watches who searches the site and then looks for 
attempts to 'attack' the site, and only then, does it put you on the 
blacklist.

Of course this is easy to work around - you simply have to do your 
searching from a different IP address/subnet from the one you use for 
the attack/dos/etc. to prevent the ISP from correlating the two events. 
The question is whether they can make their approach sufficiently 
sophisticated that your defense blocks out a large number of  legitimate 
users, i.e. you DoS yourself.

--rick