Abuse procedures... Reality Checks

Rich Kulawiec rsk at gsp.org
Sat Apr 7 20:32:58 UTC 2007


On Sat, Apr 07, 2007 at 02:31:25PM -0500, Frank Bulk wrote:
> I understand your frustration and appreciate your efforts to contact the
> sources of abuse, but why indiscriminately block a larger range of IPs than
> what is necessary?  

1. There's nothing "indiscriminate" about it.

I often block /24's and larger because I'm holding the *network* operators
responsible for what comes out of their operation.  If they can't hold
the outbound abuse down to a minimum, then I guess I'll have to make
up for their negligence on my end.  I don't care why it happens -- they
should have thought through all this BEFORE plugging themselves in
and planned accordingly.  ("Never build something you can't control.")

Neither I nor J. Oquendo nor anyone else are required to spend our time,
our money, and our resources figuring out which parts of X's network
can be trusted and which can't.  It is entirely X's responsibility to
make sure that its _entire_ network can be permitted the privilege of
access to ours.  And (while I don't wish to speak for anyone else),
I think we're prepared to live with a certain amount of low-level,
transient, isolated noise.  We are not prepared to live with persistent,
systemic attacks that are not dealt with even *after* complaints are
filed.  (Which shouldn't be necessary anyway: if we can see inbound
hostile traffic to our networks, surely X can see it outbound from
theirs.  Unless X is too stupid, cheap or lazy to look.  Packets do
not just fall out of the sky, y'know?)

2. "necessary" is a relative term.

Example: I observed spam/spam attempts from 3,599 hosts on pldt's network
during January alone. I've blocked everything they have, because I find it
*necessary* to not wait for the other N hosts on their network to pull the
same stunt.  I've found it *necessary* to take many other similar measures
as well because my time, money and resources are limited quantities,
so I must expend them frugally while still protecting the operation from
overtly hostile networks.  That requires pro-active measures and it
requires ones that have been proven to be effective.

If X, for some value of X, is unhappy about this, then X should have
thought of that before permitting large amounts of abuse to escape
its operation over an extended period of time.  Had X done its job
to a baseline level of professionalism, then this issue would not
have arisen, and we'd all be better off for it.


So.  If you (generic you) can't keep your network from being a persistent
and systemic abuse source, then unplug it.  Now.

If, on the other hand, you decide to stick around anyway while letting the
crap flow: no whining when other people find it necessary to take steps
to defend themselves from your incompetence.

---Rsk
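The whole-network blocking the post argues for, as an added example that is not from the post or the NANOG archive: per-host abuse observations are rolled up per /24, and a prefix is listed only when the abuse is both spread across several distinct hosts and persistent across several days, so isolated transient noise is ignored. The log format, the RFC 5737 documentation prefixes, and the thresholds are constructed assumptions.

```python
"""Roll per-host abuse observations up into per-prefix block decisions."""
from collections import defaultdict
from datetime import date
import ipaddress

# Constructed sample log: "<YYYY-MM-DD> <source-ip> <event>", one line per abusive event.
SAMPLE_LOG = """\
2007-01-03 192.0.2.10 spam
2007-01-03 192.0.2.11 spam
2007-01-09 192.0.2.57 spam
2007-01-15 192.0.2.10 spam
2007-01-22 192.0.2.200 spam
2007-01-04 198.51.100.7 spam
2007-01-04 198.51.100.7 spam
2007-01-12 203.0.113.5 spam
2007-01-12 203.0.113.6 spam
"""


def parse_log(text):
    """Yield (day, ip) pairs; malformed lines are skipped instead of aborting the run."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            yield date.fromisoformat(parts[0]), ipaddress.ip_address(parts[1])
        except ValueError:
            continue


def aggregate(text, prefixlen=24):
    """Map each /prefixlen network to (distinct abusive hosts, distinct days seen)."""
    hosts = defaultdict(set)
    days = defaultdict(set)
    for day, ip in parse_log(text):
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        hosts[net].add(ip)
        days[net].add(day)
    return {net: (len(hosts[net]), len(days[net])) for net in hosts}


def block_decisions(text, min_hosts=3, min_days=2, prefixlen=24):
    """List prefixes whose abuse is both systemic (many hosts) and persistent (many days)."""
    return sorted(str(net) for net, (h, d) in aggregate(text, prefixlen).items()
                  if h >= min_hosts and d >= min_days)


if __name__ == "__main__":
    print(block_decisions(SAMPLE_LOG))  # ['192.0.2.0/24']
```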