Cloudflare, dirty networks and politricks

Hugo Slabbert hugo at slabnet.com
Fri Jul 29 15:38:38 UTC 2016


On Fri 2016-Jul-29 07:50:09 -0500, J. Oquendo <joquendo at e-fensive.net> wrote:

>On Fri, 29 Jul 2016, Rich Kulawiec wrote:
>
>> On Thu, Jul 28, 2016 at 11:30:12PM +0000, Donn Lasher via NANOG wrote:
>> > If we want to be accurate about it, Cloudflare doesn't host the DDoS,
>> > they protect the website of seller of the product. We shouldn't be
>> > de-peering Cloud Flare over sites they protect any more than we would
>> > de-peer GoDaddy over sites they host, some of which, no doubt, sell
>> > gray/black market/illegal items/services.
>>
>> The only way to make action against them effective is to do it broadly,
>> do it swiftly, and do it permanently.
>>
>
>In my ramblings on "Why network operators love filth", I
>associate a landlord that knowingly allows his/her tenant
>to sell drugs. In America, your house is gone. This should
>be the case on the Internet as well. Keep sending out crap
>and ARIN should yank your IP space after everyone else
>has de-peered you.
>
>So let's get to these horrible analogies of "weapons" and
>whether or not CloudFlare is solely the gun manufacturer
>and is not responsible whether or not their ARCLOUD rifle
>was used to shoot up a school killing children.
>
>Analogy: Hotel Cloud is a pretty big hotel in the city.
>They have 5,000 rooms. When you walk by, their tenants
>are throwing rocks out of the windows, garbage, etc.
>People complain to the hotel management that does nothing
>about it. Hotel Cloud's response is: 'Well this is really
>not our problem, we only rent a room, what the occupant
>does...' --- And this makes sense to how many of you who'd
>respond: "Well I don't know about you but I want to walk
>around freely" Freely? At some point in time, you WILL
>walk by this hotel, or another that WILL become just like
>it. Why? Because there will be no one to say: "Hey this
>is wrong buck stops here..."
>
>I have seen these discussions on this list for so many
>years, and there are those that want to do good, but won't
>lift a finger out of fear of the herd/praetorian guard.
>Anyone saying it cannot be done, is a coward bowing to
>the dollar (euro/yen/whatever). The analogy above is spot
>on...

This may seem pedantic, but no it's not, at least not in the Cloudflare 
situation.  In the Hotel Cloudflare example, the miscreants don't hurl the 
rocks and filth out of the hotel's windows.  They set up a storefront/shop 
in the hotel to sell rock- and filth-slinging for hire, with the actual 
rock- and filth-flinging being done elsewhere.

That said:

I don't believe the hotel can turn a blind eye to rock- and filth-slinging 
being peddled from their premises without consequence.  If we caught 
someone running a booter web storefront on our net, they'd be gone.  And 
the premises from which rock- and filth-slinging occurs (networks that 
originate garbage traffic, especially those that permit source address 
spoofing) also need to be held accountable.

Again: not disagreeing that we need to hold people accountable; just 
clarifying the analogy for this case.

I've cut off service for customer gear that was spewing garbage where they 
failed to do anything about it.  We generally give an initial grace period 
and assist the customer however we can in getting their stuff cleaned up 
(or try to drop just the abusive traffic to start and leave the rest of 
their feed).  But if you keep getting repeatedly compromised, fail to 
protect your stuff or clean it up, and keep spewing ever more varied 
garbage, you've proven yourself incapable of running an Internet-facing 
service and I'll quit trying to play whack-a-mole and just drop you.

And yes:
BCP38: we haz it.

We're not at the scale of the big boys, but we try to do our part to run a 
clean shop.

>...with the only difference being a hotel is physical,
>and on the Interwebs, out of sight out of mind. 

>This is until one of your relatives' sites gets taken offline by
>some bored moron via DDoS, and there go their sales, there
>goes their business. THEN and only THEN will some of the
>naysayers say: "Shit we could have stopped it."
>
>Do you need law enforcement to be moral? "I can see
>that person is getting pulverized by some drunken idiot
>better not intervene because well... I want to walk
>freely..." That beating can come full circle, where
>beating can be DDoS, a sophisticated attack, malware.
>
>I am so tempted to start a shaming site for networks
>including all of the big boys with detailed records
>showing how abuse was contacted, no one did nothing,
>and oh by the way... "Are you sure you want to host
>or transit with this company? Last I checked via
>logs, they were a filthy network that catered to
>peds, RBN folk, etc" Maybe when some of you guys
>(that sit around twiddling fingers) see your companies
>all over the place, maybe then you'll think about doing
>the right thing.
>
>
>-- 
>=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>J. Oquendo
>SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
>
>"Where ignorance is our master, there is no possibility of
>real peace" - Dalai Lama
>
>0B23 595C F07C 6092 8AEB  074B FC83 7AF5 9D8A 4463
>https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463

-- 
Hugo Slabbert       | email, xmpp/jabber: hugo at slabnet.com
pgp key: B178313E   | also on Signal