Policy: The "Human Shield" Problem
An acknowledged problem exists when a sanctioned entity (for the sake of this discussion, the Ministry of State Security of Flobbistan) uses an explicitly out-of-scope entity (the Flobbistan Red Crescent) as a "human shield." Specifically, they might route their traffic from sanctioned IP addresses to a network behind an edge NAT of the Flobbistan Red Crescent, effectively intermingling the traffic of the two organizations within the source IP addresses of the Flobbistan Red Crescent, and from the Autonomous System of the Flobbistan Red Crescent or its upstream transit provider. The Red Crescent's web server IP address is co-opted and replaced with a load balancer, which distinguishes between the Red Crescent's web site and the Ministry of State Security's web site based upon the requested URL. While deep packet inspection or metadata analysis might allow netflow-level distinctions between the two organizations, neither IP address nor ASN filtering permits that.
Do we:
- Allow this state of affairs to persist, declaring a win that we've increased the level of friction that the Ministry of State Security encounters in their operations?
or
- Add the Red Crescent's IP addresses and/or ASN to the block list, declaring them to be a victim of the Ministry of State Security's actions, not ours?
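As an added illustration (not part of the original policy text), the following constructed Python simulation scores the two options above, plus the metadata-level distinction mentioned earlier, by how much Red Crescent traffic each one blocks and how much Ministry traffic each one lets through. The addresses, ASN and host names are placeholders, and the one flow with no visible server name stands in for traffic where such metadata is simply not available.

```python
# Added example (not from the original page): how the choices play out on
# constructed flow records. IPs, ASN and host names are placeholders.
from dataclasses import dataclass
from typing import Optional

SHARED_NAT_IP = "192.0.2.10"        # Red Crescent edge NAT (TEST-NET-1 placeholder)
SHARED_ASN = 64500                  # Red Crescent ASN (private-use range placeholder)
SANCTIONED_NAMES = {"mss.example"}  # hypothetical Ministry of State Security site


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_asn: int
    server_name: Optional[str]  # HTTP Host / TLS SNI as seen on the wire, or None
    sanctioned: bool            # ground truth, known only inside this simulation


# Constructed sample: both organisations share the NAT address and the ASN.
FLOWS = [
    Flow(SHARED_NAT_IP, SHARED_ASN, "redcrescent.example", False),
    Flow(SHARED_NAT_IP, SHARED_ASN, "redcrescent.example", False),
    Flow(SHARED_NAT_IP, SHARED_ASN, "mss.example", True),
    Flow(SHARED_NAT_IP, SHARED_ASN, None, True),  # no visible server name
]


def block_by_ip_or_asn(flow: Flow, ips: set, asns: set) -> bool:
    """Option 2: a block list keyed on source IP address or ASN."""
    return flow.src_ip in ips or flow.src_asn in asns


def block_by_server_name(flow: Flow, names: set) -> bool:
    """Metadata-level policy: block only flows whose server name is sanctioned."""
    return flow.server_name is not None and flow.server_name in names


def evaluate(policy) -> dict:
    """Count collateral (legitimate flows blocked) and misses (sanctioned flows allowed)."""
    collateral = sum(1 for f in FLOWS if not f.sanctioned and policy(f))
    missed = sum(1 for f in FLOWS if f.sanctioned and not policy(f))
    return {"collateral": collateral, "missed": missed}


# Option 1 (allow), option 2 (IP/ASN block list), and a server-name policy.
RESULTS = {
    "allow": evaluate(lambda f: False),
    "ip_asn": evaluate(lambda f: block_by_ip_or_asn(f, {SHARED_NAT_IP}, {SHARED_ASN})),
    "server_name": evaluate(lambda f: block_by_server_name(f, SANCTIONED_NAMES)),
}
```

The IP/ASN list blocks every Red Crescent flow along with the Ministry's, while the server-name policy spares the Red Crescent but misses the flow that carries no server name.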