North American Network Operators Group

RE: Abuse procedures... Reality Checks
> On Sat, Apr 07, 2007 at 02:31:25PM -0500, Frank Bulk wrote:
> > I understand your frustration and appreciate your efforts to contact the
> > sources of abuse, but why indiscriminately block a larger range of IPs than
> > what is necessary?
>
> 1. There's nothing "indiscriminate" about it.
>
> I often block /24's and larger because I'm holding the
> *network* operators responsible for what comes out of
> their operation.

Define network operator: the AS holder for that space or the operator of that smaller-than-slash-24 sub-block? If the problem consistently comes from a /29, why not just leave that block in and be done with it? I guess this begs the question: is it best to block with a /32, /24, or some other range? Sounds a lot like throwing something against the wall and seeing what sticks. Or vigilantism.

> If they can't hold the outbound abuse down to a minimum, then
> I guess I'll have to make up for their negligence on my end.

Sure, block that /29, but why block the /24, /20, or even /8? Perhaps your (understandable) frustration is preventing you from agreeing with me on this specific case. Because what you usually see is an IP from a /20 or larger and the network operators aren't dealing with it. In the example I gave it's really the smaller /29 that's the culprit; it sounds like you want to punish a larger group, perhaps as large as an AS, for the fault of a smaller network.

> I don't care why it happens -- they should have thought through
> all this BEFORE plugging themselves in and planned accordingly.
> ("Never build something you can't control.")

Agreed.

> Neither I nor J. Oquendo nor anyone else are required to
> spend our time, our money, and our resources figuring out which
> parts of X's network can be trusted and which can't.

It's not that hard; the ARIN records are easy to look up. Figuring out that a network operator has a /8 that you want to block based on 3 or 4 IPs in their range requires just as much work.

> It is entirely X's responsibility to make sure that its _entire_
> network can be permitted the privilege of access to ours.
> And (while I don't wish to speak for anyone else),
> I think we're prepared to live with a certain amount of low-level,
> transient, isolated noise.

Noise like that is an inevitable part of the job.

> We are not prepared to live with persistent, systemic attacks
> that are not dealt with even *after* complaints are
> filed. (Which shouldn't be necessary anyway: if we can see inbound
> hostile traffic to our networks, surely X can see it outbound from
> theirs. Unless X is too stupid, cheap or lazy to look. Packets do
> not just fall out of the sky, y'know?)

Smaller operators, like those that require just a /29, often don't have that infrastructure. Those costs, as I'm sure you are aware, are passed on to companies like yourself that have to maintain their own network's security. Again, block them, I say, just don't swallow others up in the process.

> 2. "necessary" is a relative term.
>
> Example: I observed spam/spam attempts from 3,599 hosts on
> pldt's network during January alone. I've blocked
> everything they have, because I find it *necessary*
> to not wait for the other N hosts on their network
> to pull the same stunt. I've found it *necessary* to take
> many other similar measures as well because my time,
> money and resources are limited quantities, so I must
> expend them frugally while still protecting the operation
> from overtly hostile networks.

That's my point: you want to spend time dealing with the other 8 networks because you blacked them out, too?

> That requires pro-active measures and it requires ones
> that have been proven to be effective.
>
> If X, for some value of X, is unhappy about this, then X should have
> thought of that before permitting large amounts of abuse to escape
> its operation over an extended period of time. Had X done its job
> to a baseline level of professionalism, then this issue would not
> have arisen, and we'd all be better off for it.

Agreed, but economics usually dictate otherwise.

> So. If you (generic you) can't keep your network from being
> a persistent and systemic abuse source, then unplug it. Now.

They want to run a business, too. So when you blacklist them they will end up calling you asking for mercy, telling you that it's been cleaned up. Inevitably something/someone gets infected, you black them out, rinse, repeat.

> If, on the other hand, you decide to stick around anyway while letting the
> crap flow: no whining when other people find it necessary to
> take steps to defend themselves from your incompetence.
>
> ---Rsk
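The granularity question argued in this exchange (block the /29 the abuse actually comes from, or the operator's whole /24 once offenders turn up across its customers) can be made mechanical instead of "throwing something against the wall". The following is an added example written for this page, not code from either poster: it uses a constructed delegation table standing in for what an RIR whois lookup would return, constructed abuse-source lists, and an assumed escalation threshold (`escalate_ratio`) as the policy knob.

```python
import ipaddress
from collections import Counter

# Constructed stand-in for the delegation records an RIR whois lookup would
# return for one hypothetical operator: a /24 parent and its customer
# reassignments. Addresses are from the RFC 5737 documentation ranges; none
# of this is real data.
ALLOCATIONS = [ipaddress.ip_network(n) for n in (
    "198.51.100.0/24",    # the operator's allocation
    "198.51.100.8/29",    # reassigned to customer A
    "198.51.100.16/29",   # reassigned to customer B
    "198.51.100.128/25",  # reassigned to customer C
)]

# Constructed samples of inbound abuse sources seen at our edge (not real logs).
# Case 1: one customer is the problem; one host elsewhere has no record at all.
ISOLATED_SOURCES = ["198.51.100.9", "198.51.100.10", "198.51.100.11",
                    "198.51.100.9", "203.0.113.77"]
# Case 2: offenders in every reassignment, i.e. the operator is the problem.
SYSTEMIC_SOURCES = ["198.51.100.9", "198.51.100.17", "198.51.100.130",
                    "198.51.100.140"]


def most_specific(ip, allocations):
    """Smallest delegation containing ip, or None if the space is unknown."""
    containing = [n for n in allocations if ip.version == n.version and ip in n]
    return max(containing, key=lambda n: n.prefixlen) if containing else None


def propose_blocks(sources, allocations=ALLOCATIONS, escalate_ratio=0.5):
    """Return the sorted list of networks to block.

    Policy: block the most specific delegation that contains offending hosts
    (the /29, not the /24), and widen to the parent only when offenders are
    spread across more than escalate_ratio (assumed knob) of the parent's
    child delegations, the point at which the operator rather than one
    customer is the problem. Hosts in space with no record get a host route.
    """
    hits = Counter()
    for ip in {ipaddress.ip_address(s) for s in sources}:   # distinct hosts only
        net = most_specific(ip, allocations)
        hits[net if net is not None else ipaddress.ip_network(str(ip))] += 1

    blocks = set(hits)
    # Walk parents from most to least specific so escalation can cascade
    # upward in a deeper delegation table than the two-level one above.
    for parent in sorted(allocations, key=lambda n: n.prefixlen, reverse=True):
        children = [n for n in allocations
                    if n != parent and n.version == parent.version
                    and n.subnet_of(parent)]
        if not children:
            continue
        bad = [c for c in children
               if any(b.version == c.version and b.subnet_of(c) for b in blocks)]
        if len(bad) / len(children) > escalate_ratio:
            # Replace every block inside this parent with the parent itself.
            blocks -= {b for b in blocks
                       if b.version == parent.version and b.subnet_of(parent)}
            blocks.add(parent)
    return sorted(blocks, key=lambda n: (n.version, n))


if __name__ == "__main__":
    for label, sources in (("isolated", ISOLATED_SOURCES),
                           ("systemic", SYSTEMIC_SOURCES)):
        print(label, [str(n) for n in propose_blocks(sources)])
```

With the default threshold the first sample yields the customer's /29 plus a host route for the unrecorded address, and the second yields the operator's /24; lowering `escalate_ratio` to 0.25 makes even the first sample escalate, which is exactly the policy disagreement in the thread expressed as one number.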