Abuse procedures... Reality Checks

Frank Bulk frnkblk at iname.com
Sat Apr 7 21:20:59 UTC 2007


> On Sat, Apr 07, 2007 at 02:31:25PM -0500, Frank Bulk wrote:
> > I understand your frustration and appreciate your efforts to contact the
> > sources of abuse, but why indiscriminately block a larger range of IPs than
> > what is necessary?  
> 
> 1. There's nothing "indiscriminate" about it.
> 
> I often block /24's and larger because I'm holding the 
> *network* operators responsible for what comes out of 
> their operation.  

Define network operator: the AS holder for that space or the operator of
that smaller-than-slash-24 sub-block?  If the problem consistently comes
from /29 why not just leave the block in and be done with it?  

I guess this begs the question: Is it best to block with a /32, /24, or some
other range?  Sounds a lot like throwing something against the wall and
seeing what sticks.  Or vigilantism.

> If they can't hold the outbound abuse down to a minimum, then 
> I guess I'll have to make up for their negligence on my end.  

Sure, block that /29, but why block the /24, /20, or even /8?  Perhaps your
(understandable) frustration is preventing you from agreeing with me on this
specific case.  Because what you usually see is an IP from a /20 or larger
and the network operators aren't dealing with it.  In the example I gave
it's really the smaller /29 that's the culprit; it sounds like you want to
punish a larger group, perhaps as large as an AS, for the fault of a smaller
network.

> I don't care why it happens -- they should have thought through 
> all this BEFORE plugging themselves in and planned accordingly.  
> ("Never build something you can't control.")

Agreed.

> 
> Neither I nor J. Oquendo nor anyone else are required to 
> spend our time, our money, and our resources figuring out which 
> parts of X's network can be trusted and which can't.  

It's not that hard, the ARIN records are easy to look up.  Figuring out that the
network operator has a /8 that you want to block based on 3 or 4 IPs in
their range requires just as much work.

> It is entirely X's responsibility to make sure that its _entire_ 
> network can be permitted the privilege of access to ours.  
> And (while I don't wish to speak for anyone else),
> I think we're prepared to live with a certain amount of low-level,
> transient, isolated noise.  

Noise like that is an inevitable part of the job.

> We are not prepared to live with persistent, systemic attacks 
> that are not dealt with even *after* complaints are
> filed.  (Which shouldn't be necessary anyway: if we can see inbound
> hostile traffic to our networks, surely X can see it outbound from
> theirs.  Unless X is too stupid, cheap or lazy to look.  Packets do
> not just fall out of the sky, y'know?)

Smaller operators, like those that require just a /29, often don't have that
infrastructure.  Those costs, as I'm sure you're aware, are passed on to
companies like yourself that have to maintain their own network's security.
Again, block them, I say, just don't swallow others up in the process.

> 2. "necessary" is a relative term.
> 
> Example: I observed spam/spam attempts from 3,599 hosts on 
> pldt's network  during January alone. I've blocked 
> everything they have, because I find it *necessary* 
> to not wait for the other N hosts on their network 
> to pull the same stunt.  I've found it *necessary* to take
> many other similar measures as well because my time, 
> money and resources are limited quantities, so I must 
> expend them frugally while still protecting the operation 
> from overtly hostile networks.  

That's my point: you want to spend time dealing with the other 8 networks
because you blacked them out, too?  

> That requires pro-active measures and it requires ones 
> that have been proven to be effective.
> 
> If X, for some value of X, is unhappy about this, then X should have
> thought of that before permitting large amounts of abuse to escape
> its operation over an extended period of time.  Had X done its job
> to a baseline level of professionalism, then this issue would not
> have arisen, and we'd all be better off for it.

Agreed, but economics usually dictate otherwise.
 
> So.  If you (generic you) can't keep your network from being 
> a persistent and systemic abuse source, then unplug it.  Now.

They want to run a business, too.  So when you blacklist they will end up
calling you asking for mercy, telling you that it's been cleaned up.
Inevitably something/someone gets infected, you black them out, rinse,
repeat.

> If on other hand, you decide to stick around anyway while letting the
> crap flow: no whining when other people find it necessary to 
> take steps to defend themselves from your incompetence.
> 
> ---Rsk
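The thread argues over whether to block the /29 that is actually emitting abuse or the /24, /20 or /8 around it. The following is an added example, not code from either poster or from NANOG: it takes a list of observed abuse-source addresses, finds the smallest single prefix that covers them all, and for each candidate block size reports how many addresses would be blocked that were never seen abusing (the collateral). The four addresses are constructed sample data in the 203.0.113.0/24 documentation range; the function names are my own.

```python
"""Compare block sizes by coverage versus collateral damage.

Added example for the thread above; uses only the Python standard library.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: four abusive hosts seen in logs, all inside one /29.
# 203.0.113.0/24 is the TEST-NET-3 documentation range, not a real operator.
OBSERVED_ABUSE = [
    "203.0.113.9",
    "203.0.113.10",
    "203.0.113.12",
    "203.0.113.14",
]


def smallest_covering_prefix(ips):
    """Return the smallest single IPv4 prefix that contains every address in ips."""
    addrs = [ipaddress.IPv4Address(ip) for ip in ips]
    net = ipaddress.IPv4Network(f"{addrs[0]}/32")   # start from a single host
    while not all(a in net for a in addrs):
        net = net.supernet()                         # widen by one bit at a time
    return net


def blocks_at_prefixlen(ips, prefixlen):
    """Group observed addresses into the prefixes of the given length that contain them.

    Returns {network: number of observed abusive hosts inside that network}.
    """
    counts = defaultdict(int)
    for ip in set(ips):
        net = ipaddress.IPv4Network(f"{ip}/{prefixlen}", strict=False)
        counts[net] += 1
    return dict(counts)


def collateral_report(ips, prefixlens=(32, 29, 24, 20)):
    """For each candidate block size, report the prefixes that would be blocked,
    how many addresses that covers, and how many of those were never observed
    abusing (the collateral a wider block imposes on uninvolved hosts)."""
    report = {}
    for plen in prefixlens:
        blocks = blocks_at_prefixlen(ips, plen)
        blocked = sum(n.num_addresses for n in blocks)
        observed = sum(blocks.values())
        report[plen] = {
            "blocks": sorted(str(n) for n in blocks),
            "addresses_blocked": blocked,
            "collateral": blocked - observed,
        }
    return report


if __name__ == "__main__":
    cover = smallest_covering_prefix(OBSERVED_ABUSE)
    print(f"Smallest prefix covering all observed sources: {cover}")
    for plen, row in collateral_report(OBSERVED_ABUSE).items():
        print(f"/{plen}: {row['blocks']} blocks {row['addresses_blocked']} "
              f"addresses, {row['collateral']} never seen abusing")
```

With this sample the covering prefix comes out as 203.0.113.8/29: the /29 catches every observed source at a cost of 4 uninvolved addresses, while the /24 around it blocks 252 that never appeared in the logs and the /20 blocks 4092. Run against real log extracts, the report makes the trade-off in the thread explicit: a wider block shortens the list you maintain, at the price of a quantifiable number of hosts that did nothing.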




More information about the NANOG mailing list