Abuse procedures... Reality Checks
Warren Kumari
warren at kumari.net
Wed Apr 11 19:44:01 UTC 2007
On Apr 11, 2007, at 2:53 PM, Scott Weeks wrote:
>
>
>
>
> : if someone cannot get out somewhere, they're obviously
> : going to get in touch with me as to why. Once this is
> : done, it is explained
>
> : I've always contacted someone
>
> : after about 3 attempts at getting someone to assess
> : their network
>
>
> I know from experience this doesn't scale into the hundreds of
> thousands of customers and can only imagine the big ass eyeball
> network's scalability issues...
>
> scott
>
Hear hear...
Scaling process and procedures is often as hard or harder than
scaling technical things...
Unfortunately, the lesson that scaling either is hard is only really
something that one can learn through experience -- I know that I for
one used to believe (as I would bet did most of us) that you could
scale just by buying a bigger X, where X could be a router, circuit,
etc. If that didn't work you could always just buy another X (or a
bunch more Xs) -- this strategy works up to a point, after which it
all goes pear-shaped. Until you have experienced this firsthand it
is hard to truly understand.
The same thing happens with things like abuse -- it is easy to deal
with abuse on a small scale. It is somewhat harder on a medium scale
and harder still on a large scale -- the progression from small to
medium to large is close to linear. At some point though the
difficulty suddenly hockey-sticks and becomes distinctly non-trivial
-- this doesn't mean that it is impossible, nor that you should give
up, but rather that a different approach is needed. Understanding
this is harder than understanding why you cannot grow your network
just by buying more X.
W
>
>
> --- sil at infiltrated.net wrote:
>
> From: "J. Oquendo" <sil at infiltrated.net>
> To: nanog at merit.edu
> Cc: Warren Kumari <warren at kumari.net>
> Subject: Re: Abuse procedures... Reality Checks
> Date: Wed, 11 Apr 2007 13:49:40 -0400
>
> Warren Kumari wrote:
>>
>> So, I have always wondered -- how do you customers really react when
>> they can no longer reach www.example.com, a site hosted a few IPs
>> away
>> from www.badevilphisher.net? And do you really think that you
>> blocking
>> them is going to make example.com contact their provider to get
>> things
>> fixed?
>>
> You confused two things.
>
> 1) I do my best to stop malicious traffic from leaving my network.
> With
> this said, if someone cannot get out somewhere, they're obviously
> going
> to get in touch with me as to why. Once this is done, it is explained
> to them that either their machine, or a machine on their network was
> doing something fuzzy therefore they were blocked. Most are actually
> thankful that it was pointed out to them as opposed to having to wait
> for Security Company X to update its virus/spamware definitions.
>
> 2) I do not block getting TO company X at first signs of garbage
> coming
> into my network from them. I've always contacted someone to some
> degree
> so don't misconstrue my actions as "I block the first packets I see."
> On the contrary I only block CIDR's after about 3 attempts at getting
> someone to assess their network. After that, I begin with services.
> This is my network so this is how it pans out... Spam? A CIDR to my
> email ports are blocked. SSH brute forcing, etc., those ports are
> blocked. Network who's blocked on ports continues, everything is then
> blocked.
>
>>
>> Have you considered that being a little politer and not insulting
>> everyone on the list might be a more constructive way of getting your
>> point across -- if I were to call you a "big, fat, doodoo head" you
>> would probably be less receptive than if I didn't...
>>
> What does being polite and "matter of factly" have to do with
> administrators cleaning up their networks? Should I beg an
> administrator of some network to be polite and not refer me to their
> generic abuse desk who'll do nothing about the issue?
>
> I actually am a little too polite in the fact that 1) I'm doing
> network operators a favor pointing them out to rogue hosts on
> THEIR networks not mines. If they want to continue hosting said
> rogue idiots, their problem. I won't be allowing it into my range.
> If you knew me personally, or have dealt with me, I can guarantee
> you within minutes of you contacting me for something I would be
> on it. I as an admin/engineer whatever you want to call me would
> want to make sure that nothing internal to me is affecting anyone
> else since it is likely to make things more difficult for me if
> left unchecked.
>
> So on issues of politeness, I am being polite contacting people.
> I'm being double polite posting evil doing networks on my personal
> site so others can be aware that "These networks are infected.
> Here are there hosts if you want to block them." I do this on my
> own spare time, my own expense, and my own filtering of the
> denials of service that ensue when some botnet reject sees me
> post a percentage of his botnet. So please don't my messages as
> anything other than "Hey... When is someone going to deal with
> this?" frustration targeted at those with the power to do actually
> something about it instead of waiting for someone else to take
> the first move.
>
> Analogy: You live in a house and sweep your property. Your
> neighbors don't. Would you stop sweeping your house? Would you
> keep your house dirty simply because the majority around you
> do? I'm sure if you convinced the most visible neighbor to
> make a change, the others would follow suit. Heck in some
> areas those neighbors who didn't comply would face fines
> after some point. Why not bring this chain of thought to a
> network you maintain/manage.
>
> As for documentation on this... There is PLENTY of it. Why should
> I write another document no one would follow. If some can't follow
> normal standards set by governmental bodies (for lack of better
> terms), what makes you think someone would say "Gee... That
> Oquendo sure wrote a nice document... Let me follow it" How
> about following standards and using good old fashioned common
> sense.
>
> --
> ====================================================
> J. Oquendo
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
> sil . infiltrated @ net http://www.infiltrated.net
>
> The happiness of society is the end of government.
> John Adams
>
>
>
--
After you'd known Christine for any length of time, you found
yourself fighting a desire to look into her ear to see if you could
spot daylight coming the other way.
-- (Terry Pratchett, Maskerade)t
More information about the NANOG
mailing list