North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Abuse procedures... Reality Checks

  • From: Rich Kulawiec
  • Date: Tue Apr 10 08:32:26 2007

On Sat, Apr 07, 2007 at 04:20:59PM -0500, Frank Bulk wrote:
> Define network operator: the AS holder for that space or the operator of
> that smaller-than-slash-24 sub-block?  If the problem consistently comes
> from /29 why not just leave the block in and be done with it?  

Because experience...long, bitter experience...strongly indicates that
what happens today often merely presages what will happen tomorrow.

Because I haven't got unlimited time.  Or money.  Or resources.

Because I haven't got unlimited WHOIS queries.  (Although I and everyone
else *should* have those.  There are no valid reasons to rate-limit any
form of WHOIS query.)

Because there are way, WAY too many incompetently-managed networks whose
operators can often be heard complaining about the abuse inbound to them
at the same time they fail to take rudimentary measures to control the
abuse outbound from them.  <cough> port 25 blocking <cough>

Because I was more patient for the first decade or two, and it proved
to be a losing strategy.

Because This Is Not My Problem.  If by chance someone benign has chosen
to locate their operation in known-hostile, known-negligently-operated
network space, then their failure to perform due diligence may have
consequences for them.

> I guess this begs the question: Is it best to block with a /32, /24, or some
> other range?  Sounds a lot like throwing something against the wall and
> seeing what sticks.  Or vigilantism.

1. Gratuitously labeling carefully-considered measures as random is not a
route to productive conversation.

2. It is hardly "vigilantism" to take passive measures to protect one's
network/systems/users from hostile activity.  Doubly so when those measures
consist merely of a refusal to grant a *privilege* after it's been repeatedly,
systemically abused.

---Rsk