Handling of Abuse Complaints

Mark Andrews marka at isc.org
Tue Aug 30 00:31:32 UTC 2016


In message <3dc3fd61-5123-0070-dd4e-435ce6785577 at satchell.net>, Stephen Satchell writes:
> On 08/29/2016 08:55 AM, Jason Lee wrote:
> > NANOG Community,
> >
> > I was curious how various players in this industry handle abuse complaints.
> > I'm drafting a policy for the service provider I'm working for about
> > handling of complaints registered against customer IP space. In this example
> > I have a customer who is running an open resolver and have received a few
> > complaints now regarding it being used as part of a DDoS attack.
> >
> > My initial response was to inform the customer and ask them to fix it. Now
> > that it's still ongoing over a month later, I'd like to take action to
> > remediate the issue myself with ACLs but our customer facing team is
> > pushing back and without an idea of what the industry best practice is,
> > management isn't sure which way to go.
> >
> > I'm hoping to get an idea of how others handle these cases so I can develop
> > our formal policy on this and have management sign off and be able to take
> > quicker action in the future.
> 
> It depends on the nature of the complaint.  If it's an amplification 
> attack of some kind, figure out how the perp is doing it, and block it 
> as appropriate.  For example, do you filter incoming packets with source 
> address of subnet network and broadcast (shorter than /30) and allnet 
> (255.255.255.255) broadcast, and filter packets outbound with 
> destinations of allnet broadcast?
> 
> DNS and NTP can be tricked into generating packet storms.  In 
> particular, you may want to block excessive large DNS requests inbound 
> using deep packet inspection at your edge.
> 
> Not all abuse problems are the fault of the customer.  You have to do 
> your part as well.

I presume every one of you is planning to install DNS servers that
support RFC 7873 - DNS COOKIES?  Yes, servers exist that support
this and some TLDs are already using such servers (0.47%), Alexa
.Gov and .AU servers (0.09%), Alexa Top 1000 (0.22%) and Alexa Bottom 1000
(.19%).

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
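
Added example, not part of the original message or of any ISC code: a Python sketch of the check a survey like the one above implies, parsing a DNS message's EDNS0 OPT record and reporting whether it carries an RFC 7873 COOKIE option with a server cookie. The function names and the messages built by build_message are constructed for illustration.

```python
import struct

COOKIE = 10  # EDNS0 option code assigned to COOKIE by RFC 7873
OPT = 41     # OPT pseudo-RR type (EDNS0)

def build_message(name, cookie=None, qid=0x1234):
    """Constructed DNS message: one A/IN question, plus an OPT RR if cookie is given."""
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    msg = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0 if cookie is None else 1)
    msg += qname + struct.pack("!HH", 1, 1)
    if cookie is not None:
        option = struct.pack("!HH", COOKIE, len(cookie)) + cookie
        # Root owner name, type OPT, class = UDP payload size, TTL = extended flags
        msg += b"\x00" + struct.pack("!HHIH", OPT, 4096, 0, len(option)) + option
    return msg

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if (n & 0xC0) == 0xC0:   # compression pointer is two bytes and ends the name
            return off + 2
        off += 1 + n

def cookie_status(msg, client_cookie):
    """Return 'none', 'client-only', 'server-cookie', 'mismatch' or 'malformed'."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        p = 0
        while rtype == OPT and p + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[p:p + 4])
            val, p = rdata[p + 4:p + 4 + olen], p + 4 + olen
            if code != COOKIE:
                continue
            # RFC 7873: 8-byte client cookie, optionally followed by 8..32 bytes of server cookie
            if len(val) != 8 and not 16 <= len(val) <= 40:
                return "malformed"
            if val[:8] != client_cookie:
                return "mismatch"                # not the cookie we sent: treat as spoofed
            return "server-cookie" if len(val) > 8 else "client-only"
    return "none"
```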


