SORBS?!

Jimmy Hess mysidia at gmail.com
Fri Apr 6 20:48:44 CDT 2012


On Fri, Apr 6, 2012 at 8:13 PM, Jeroen van Aart <jeroen at mompl.net> wrote:
> Brielle Bruns wrote:
> to come from such a block is more often than not a necessity. It's very
> unlikely to see 1 abuser in between an otherwise perfectly behaving network
> neighbourhood.

That's kind of vague to say it's "unlikely to see 1 abuser".   What is
the probability that
more IPs in the same /24  are likely to harbor abusers,  given that you have
received abuse from one IP?

And how have you discovered this?
( What is the criteria used to determine that it is unlikely, and what
is your source of the information?)

Are you assuming that if you've seen the abuse,  that you probably
weren't the first victim,
that the ISP has probably already been notified by someone else,
that they have likely had a
reasonable amount of time to put a stop to the abuse,  and that they
failed to do so?


There is the one good case where a single abuser has a dynamic IP address;
but it's not a safe assumption that they will live in the same /24
next time the abuser dials in.

So not only does listing an entire /24    list innocent users'  IP addresses,
it also does not necessarily effectively list the one abuser.

--
-JH



More information about the NANOG mailing list