Tier1 blackholing policy?

• Previous message (by thread): Tier1 blackholing policy?
• Next message (by thread): Tier1 blackholing policy?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Apr 30, 2013, at 2:50 PM, bmanning at vacation.karoshi.com wrote:

> 	Phone?  You mean like Jitsi or Skype?
> 	Fax?   
> 
> 	I'd like to see some numbers to back your assertion of "Typical" restoration
>        times of days.

my vendors deliver software fixes for "BGP" doesn't work in weeks, so I think that the following timeline and process I'm going to outline exceeds their BGP problems.

0 hour - Issue Reported
0-24 hours - triage; send to customer/internal customer to mitigate/remediate
25-48 hours - Customer responds, host taken down if hacked, etc..
48-96 hours+ - If no response, IP null0'ed per AUP as network security risk
48-96 hours is also where the customer freaks out and quickly fixes their problem to come in compliance with AUP.

This is a natural process.  Null0 or ACLs don't stay up for days or weeks on end.  That doesn't mean this catches 100% of all cases, but many ISPs get a daily report of phishing sites and malware hosted on their network each morning.  You can get one too!

http://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork

You can get a daily ATLAS report from Arbor as well: http://atlas.arbor.net/ (Although I can't get anyone to fix a problem with it, so anyone there can email me if you have the power to fix it).

There are other aggregators of data as well, such as SIE.  If you don't know the health of your network, take a look.  Many folks will email you these reports automatically, or provide you a direct feed (some in realtime, such as SIE).

- Jared

• Previous message (by thread): Tier1 blackholing policy?
• Next message (by thread): Tier1 blackholing policy?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]