Constant Abuse Reports / Borderline Spamming from RiskIQ
Brandon Martin
lists.nanog at monmotha.net
Thu Apr 16 06:13:27 UTC 2020
On 4/15/20 11:33 PM, Ross Tajvar wrote:
> Can you give some examples of the things you mention above? I'm not
> doing much in terms of customer filtering and would be interested to
> hear what others consider best practice.
My experience is that there's two groups of customers that are
problematic from an abuse standpoint:
* Those who intend to abuse your network
* Those who enable others to abuse your network
The former are of course a little easier to detect up front and much,
much easier to give the axe when they do commit AUP violations. It
looks like others have already given some hints as to how to detect
these kinds of folks up-front. I'd also recommend looking for
references for any new customer who wants a very large amount of
resources, explicitly wants to send email, is bringing their own IP
space (especially if they are leasing it), etc.
The latter are far more problematic for legitimate operations. I don't
really run "hosting" providers as I'm mostly in the business of mid- and
last-mile networks, but I always try to ask anyone who's either buying a
plan that explicitly permits "hosting" or who is asking for personal-use
exemptions to anti-hosting provisions in the AUP (which I do permit)
what their intent is. I don't really care so much what they're doing as
long as they know what they're doing and that I get a vibe from them
that they are competent. "I want to host my wordpress blog" is an
instant red flag since compromised wordpress instances are one of the
biggest sources of snowshoe hosting in my experience.
--
Brandon Martin
More information about the NANOG
mailing list