Handling of Abuse Complaints
list at satchell.net
Mon Aug 29 19:00:49 UTC 2016
On 08/29/2016 08:55 AM, Jason Lee wrote:
> NANOG Community,
> I was curious how various players in this industry handle abuse complaints.
> I'm drafting a policy for the service provider I'm working for about
> handing of complaints registered against customer IP space. In this example
> I have a customer who is running an open resolver and have received a few
> complaints now regarding it being used as part of a DDoS attack.
> My initial response was to inform the customer and ask them to fix it. Now
> that its still ongoing over a month later, I'd like to take action to
> remediate the issue myself with ACLs but our customer facing team is
> pushing back and without an idea of what the industry best practice is,
> management isn't sure which way to go.
> I'm hoping to get an idea of how others handle these cases so I can develop
> our formal policy on this and have management sign off and be able to take
> quicker action in the future.
It depends on the nature of the complaint. If it's an amplification
attack of some kind, figure out how the perp is doing it, and block it
as appropriate. For example, do you filter incoming packets with source
address of subnet network and broadcast (shorter than /30) and allnet
(255.255.255.255) broadcast, and filter packets outbound with
destinations of allnet broadcast?
DNS and NTP can be tricked into generating packet storms. In
particular, you may want to block excessive large DNS requests inbound
using deep packet inspection at your edge.
Not all abuse problems are the fault of the customer. You have to do
your part as well.
More information about the NANOG