Abuse procedures... Reality Checks

Frank Bulk frnkblk at iname.com
Sat Apr 7 19:31:25 UTC 2007


Joe:

I understand your frustration and appreciate your efforts to contact the
sources of abuse, but why indiscriminately block a larger range of IPs than
what is necessary?  

Here's the /24 in question:
	Combined Systems Technologies NET-CST (NET-207-177-31-0-1)
	207.177.31.0 - 207.177.31.7
	Elkader Public Library NET-ELKRLIB (NET-207-177-31-8-1)
	207.177.31.8 - 207.177.31.15
	Plastech Grinnell Plant NET-PLASTECH (NET-207-177-31-16-1)
	207.177.31.16 - 207.177.31.31 (dial-up, according to DNS)
	Griswold Telephone Co. NET-GRIS (NET-207-177-31-32-1)
	207.177.31.32 - 207.177.31.63
	Griswold Telephone Co. NET-GRIS2 (NET-207-177-31-64-1)
	207.177.31.64 - 207.177.31.95 (dial-up, according to DNS)
	Jesco Electrical Supplies NET-JESCOELEC (NET-207-177-31-96-1)
	207.177.31.96 - 207.177.31.103
	American Equity Investment NET-AMREQUITY (NET-207-177-31-104-1)
	207.177.31.104 - 207.177.31.111
	** open **
	Butler County REC NET-BUTLERREC (NET-207-177-31-120-1)
	207.177.31.120 - 207.177.31.127
	Northeast Missouri Rural Telephone Co. NET-NEMR2 (NET-207-177-31-128-1)
	207.177.31.128 - 207.177.31.191
	Montezuma Mutual Telephone NET-MONTEZUMA (NET-207-177-31-192-1)
	207.177.31.192 - 207.177.31.254 (dial-up, according to DNS) 

Block the /24 and you cause problems for potentially 8 other companies.  Now
the RBL maintainer, or in this case, GoDaddy, has to interact with 8 other
companies -- what a lot of work and overhead!  If they just dealt with the
problem in a more surgical manner they wouldn't have to deal with the other
companies asking for relief.  

Frank

-----Original Message-----
From: J. Oquendo [mailto:sil at infiltrated.net] 
Sent: Saturday, April 07, 2007 2:08 PM
To: nanog at merit.edu
Cc: Frank Bulk
Subject: Abuse procedures... Reality Checks

On Sat, 07 Apr 2007, Frank Bulk wrote:

> 
> While you have your friend's ear, ask him why they maintain a spam policy of
> blocking complete /24's when:
> a) the space has been divided into multiple sub-blocks and assigned to
> different companies, all well-documented and queryable in ARIN
> b) there have been repeated pleas to whitelist a certain IP in separate
> sub-block that is only being punished for the behavior of others in a
> different sub-block.
> 
> Frank

<realitycheck>

You're complaining of blocked /24's. I block off up to /6's from reaching
certain ports on my networks. Sound crazy? How many times should I contact
the netblock owner and hear the same generic "well you have to open up a
complaint with our abuse desk... golly gee Joseph." Only to have the same
repeat attacks over and over and over. Sure, I'll start out blocking the
offensive address, then shoot off an email here and there, even post to
this or another list or search Jared's list for a contact and ask them
politely "Hey... I see X amount of attackers hitting me from your net"
But how long should I go on for before I could just say "to hell with
your users and network... They just won't connect." It's my own right to
when it comes to my network.

People complain? Sure, then I explain why, point out the fact that I
HAVE made attempts at resolutions to no avail. So should the entire
network be punished... No, but the engineers who now have to answer
THEIR clients on why they've been blacklisted surely are punished, aren't
they? Now they have to hear X amount of clients moan about not being
able to send either a client, vendor or relative email. They have to
either find an alternative method to connect, or complain to their
provider about connectivity issues.

Is it fair? Yes it's fair to me, my clients, networks, etc., that
I protect it. Is it fair to complain to deaf ears when those deaf
ears are the ones actually clueful enough to fix? On a daily basis
I have clients who should be calling customer service for issues
contact me directly. Know what I do? ... My best to fix it, enter
a ticket number on the issue and go about the day. One way or the
other I'm going to see the ticket/problem so will it kill me to
take a moment or two to fix something? Sure I will bitch moan and
yell about it, a minute later AFTER THE FIX since things of this
nature usually don't take that much time, guess what? Life returns
to normal.

http://www.infiltrated.net/bforcers/5thWeek-Organizations

Have a look will you? These are constant offending networks with
hosts that are repeatedly ssh'ing into servers I maintain. Is it
unfair to block off their entire netblock from connecting via
ssh to my servers. Hell no it isn't. If I have clients on this
netblock, in all honesty tough. Let them contact their providers
after I tell them their provider has been blocked because of the
garbage on their network. Let their provider do something before
I do because heaven knows how many times have I tried reaching
someone diplomatically before I went ahead and blocked their
entire /6 /7 /8 /9 /10 and so on from connecting to me via ssh
or whatever other service they've intruded or attempted to
intrude upon.

Blocks? They usually last for 2 weeks then I take them off and
start ALL over again. Of course I've automated this so it's no
sweat off shoulders. So you tell me in all honesty why someone
should not escalate and block off entire blocks.

</realitycheck>

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743

"How a man plays the game shows something of his
character - how he loses shows all" - Mr. Luckey 
