"Default" Points on your Internet "Re: Re: Re:"

Tue Jun 15 01:47:49 UTC 2004

----- Original Message ----- 
From: "Paul Vixie" <vixie at vix.com>

> as an ISP who knows how to network, the only thing i request of you is
that
> if your customer is spewing virus segments at me, you give me a way to
prove
> that to you (that costs me less time and aggravation than blackholing
you),
> and that once proven, you will revoke the account until you're sure that
> the infestation, and the process errors which led to it, are gone.  (same
> as if they were spamming, or controlling a ddos botnet, or etc.)

That's fine and we do deal with the problems in a reasonable amount of time,
but we also prioritize them. If there are 5 bots on my network sending you a
2Mb flood, we'll shut them down or block the flood immediately, but if it's
a single machine on a corporate network beind NAT and you are getting 4 port
probes because it's infected with sasser, then we'll enter it into the
support system and the customer will be contacted but the corp network will
not be shut down until that contact has been made.

Virus infections are a day to day occurance, not some critical emergency DOS
condition and they should be handled with concern but not panic. Customers
are the priority, not everyone else on the net. If you can't stand up to 4
port probes then you don't belong on todays internet.

Now if you are talking about customers who remain infected for weeks, we
won't allow that, once the contact has been made they've got to respond or
we will shut them down. But the logs I saw posted here didn't appear to me
to be the same customer, it just appeared to be a lot of probes over a long
time meaning that the particular subnet is a very busy place with lots of
worm bait. Virus infections on a subnet like that are to be expected. Trying
to keep that subnet clean is like running around spinning plates on sticks.

Geo.

-George R.- NetLink Services, Inc.