Abuse procedures... Reality Checks

Frank Bulk frnkblk at iname.com
Sun Apr 8 01:20:14 UTC 2007


Robert:

You still haven't answered the question: how wide do you block?  You got an
IP address that you know is offensive.  Is your default policy to blacklist
just that one, do the /24, go to ARIN and find out the size of that block
and do the whole thing, or identify the AS and block traffic from the dozen
if not hundreds of allocations they have?  In only the first two cases is no
research required, but I would hope that the network who wants to blacklist
(i.e. GoDaddy) would do a little bit of (automated) legwork to focus their
abuse control.

You also have too dim and narrow a view of customer relationships.  In my
case the upstream ISP is a member-owned cooperative of which the
sub-allocated space is either a member or a customer of a member.  1, 2, and
3 don't apply, rather, the coop works with their members to identify the
source of the abuse and shut it down.  It's not adversarial as you paint it
to be.  BTW, do you think the member-owned coop should be monitoring the
outflow of dozens of member companies and hundreds of sub-allocations they
have?

And it's not *riddled* with abuse, it's just one abuser, probably a dial-up
customer who is unwittingly infected, who while connected for an hour or two
sends out junk.  GoDaddy takes that and blacklists the whole /24, affecting
both large and small businesses alike who are in other sub-allocated blocks
in that /24.  Ideally, of course, each sub-allocated customer would have
their own /24 so that when abuse protection policies kick in and that
automatically blacks out a /24 only they are affected, but for address
conservation reasons that did not occur.  

Frank

-----Original Message-----
From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of
Robert Bonomi
Sent: Saturday, April 07, 2007 8:41 PM
To: nanog at merit.edu
Subject: RE: Abuse procedures... Reality Checks

> From: "Frank Bulk" <frnkblk at iname.com>
> Subject: RE: Abuse procedures... Reality Checks
> Date: Sat, 7 Apr 2007 16:20:59 -0500
>
> > If they can't hold the outbound abuse down to a minimum, then 
> > I guess I'll have to make up for their negligence on my end.  
>
> Sure, block that /29, but why block the /24, /20, or even /8?  Perhaps your
> (understandable) frustration is preventing you from agreeing with me on this
> specific case.  Because what you usually see is an IP from a /20 or larger
> and the network operators aren't dealing with it.  In the example I gave
> it's really the smaller /29 that's the culprit, it sounds like you want to
> punish a larger group, perhaps as large as an AS, for the fault of smaller
> network.

BLUNT QUESTIONS:  *WHO*  pays me to figure out 'which parts' of a provider's
network are riddled with problems and 'which parts' are _not_?  *WHO* pays
me to do the research to find out where the end-user boundaries are? *WHY*
should _I_ have to do that work -- If the 'upstream provider' is incapable
of keeping _their_own_house_ clean, why should I spend the time trying to
figure out which of their customers are 'bad guys' and which are not?

A provider *IS* responsible for the 'customers it _keeps_'.

And, unfortunately, a customer is 'tarred by the brush' of the reputation
of its provider.

> Smaller operators, like those that require just a /29, often don't have that
> infrastructure.  Those costs, as I'm sure you are aware, are passed on to
> companies like yourself that have to maintain their own network's security.
> Again, block them, I say, just don't swallow others up in the process.

If the _UPSTREAM_ of that 'small operator' cannot 'police' its own customers,
Why should _I_ absorb the costs that _they_ are unwilling to internalize?

If they want to sell 'cheap' service, but not 'doing what is necessary', I
see no reason to 'facilitate' their cut-rate operations.

Those who buy service from such a provider, 'based on cost',  *deserve* what
they get, when their service "doesn't work as well" as that provided by the
full-price competition.

_YOUR_ connectivity is only as good as the 'reputation' of whomever it is 
that you buy connectivity from.

You might want to consider _why_ the provider *keeps* that 'offensive'
customer.  There would seem to be only a few possible explanations:  (1) they
are 'asleep at the switch', (2) that customer pays enough that they can
'afford' to have multiple other customers who are 'dis-satisfied', or who
may even leave that provider, (3) they aren't willing to 'spend the money'
to run a clean operation.  (_None_ of those seems like a good reason for _me_
to spend extra money 'on behalf of' _their_ clients.)
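
The block-width choice raised at the top of this message (single address, sub-allocation, /24, whole allocation), worked through as an added example that is not part of the original post. The address ranges, holder names and the `widest_clean_block` policy are assumptions constructed for illustration; the AS-wide option is left out because it needs routing data.

```python
import ipaddress

# Constructed sample data: RFC 1918 addresses stand in for a public allocation,
# and the holder names are hypothetical. An automated whois/rwhois lookup
# would supply the real equivalents.
ALLOCATION = ipaddress.ip_network("10.20.0.0/22")
SUBALLOCATIONS = {
    ipaddress.ip_network(cidr): holder
    for cidr, holder in [
        ("10.20.0.0/29", "dial-up pool"),
        ("10.20.0.8/29", "small business A"),
        ("10.20.0.64/26", "large business B"),
        ("10.20.0.128/25", "large business C"),
        ("10.20.1.0/24", "member ISP D"),
    ]
}


def collateral(scope, offender):
    """Holders caught by blocking `scope` whose own space excludes the offender."""
    return sorted(
        holder
        for net, holder in SUBALLOCATIONS.items()
        if net.overlaps(scope) and offender not in net
    )


def block_candidates(offender_ip):
    """Candidate block scopes for one offending address, narrowest first."""
    ip = ipaddress.ip_address(offender_ip)
    scopes = [("host", ipaddress.ip_network(f"{ip}/32"))]
    owners = [net for net in SUBALLOCATIONS if ip in net]
    if owners:  # most specific registered sub-allocation, if any
        scopes.append(("sub-allocation", max(owners, key=lambda n: n.prefixlen)))
    scopes.append(("/24", ipaddress.ip_network(f"{ip}/24", strict=False)))
    if ip in ALLOCATION:
        scopes.append(("allocation", ALLOCATION))
    return [(label, net, collateral(net, ip)) for label, net in scopes]


def widest_clean_block(offender_ip):
    """Widest scope that hits no other holder (one possible policy, assumed here)."""
    clean = [net for _, net, hit in block_candidates(offender_ip) if not hit]
    return min(clean, key=lambda n: n.prefixlen)


if __name__ == "__main__":
    for label, net, hit in block_candidates("10.20.0.3"):
        print(f"{label:15} {str(net):16} collateral: {hit or 'none'}")
```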




