Repeated Blacklisting / IP reputation
brandon at bitradius.com
Tue Sep 15 21:12:55 UTC 2009
I believe there is another side to that argument as well.
If I operate a regional ISP and request address space for dynamic
address pools I am aware of a few things:
1) I am fully aware that there is a chance a customer's system could
become infected and generate millions of malicious messages/packets/
2) I am also aware that it is possible that that one machine could
have any number of IP addresses during the course of the week;
therefore, it would be possible that they could 'contaminate' an
3) I know that if I'm made aware of the zombified machine that I'll
disable access to the customer quickly; however, the damage has
usually already been done.
4) Do I actually care if one of my dynamic address blocks is in a
DNSBL? Not at all. They should be using my mail server anyways.
Should I have to go through and make sure that every single IP
address/block is 'clean' before returning the allocation to ARIN? I
can say with utmost confidence "I don't care" because I no longer
need them. If my ability to receive new allocations required that I
clean up a dynamic address block before receiving a new one I would
take better care of my blocks; however, it may be cheaper just to
keep the old block (null route it) and ask for another one.
The question becomes: Where do you draw the 'contamination' line? A
network may be using a block well within what we would consider
'reasonable' usage; however, the block may become 'unusable' for
certain purposes. Should they too be denied further address space? If
that's the case every broadband provider out there should be cut off
because their customers keep getting infected and are used to DDOS/
SPAM/Exploit our networks.
What I'm trying to say in a long-winded and roundabout way is simple
--- The contamination doesn't always happen 'on purpose' or with any
foresight and it may not be an entire block that is bad. Everyone is
guilty at some point of having a few 'dirty' IPs on their network...
and I'm sure all of us have left many dirty because god only knows
where all it is blocked.
On Sep 15, 2009, at 4:23 PM, Valdis.Kletnieks at vt.edu wrote:
> On Tue, 15 Sep 2009 08:01:48 PDT, Shawn Somers said:
>> Anyone that intentionally uses address space in a manner that they
>> know will cause it to become contaminated should be denied on any
>> further address space requests.
> You *do* realize that the people you're directing that paragraph at
> able to say with a totally straight face: "We're doing nothing wrong and
> we have *no* idea why we end up in so many local block lists"?