Abuse Desks

Wed Apr 29 18:32:43 UTC 2020

On 2020-04-29 17:51, Mukund Sivaraman wrote:
> On Wed, Apr 29, 2020 at 01:49:14PM -0400, Tom Beecher wrote:
>> What if I am at home, and while working on a project, fire off a wide
>> ranging nmap against say a /19 work network to validate something
>> externally? Should my ISP detect that and make a decision that I shouldn't
>> be doing that, even though it is completely legitimate and authorized
>> activity? What if I fat fingered a digit and accidentally ran that same
>> scan against someone else's /19? Should that accidental destination of
>> non-malicious scans be able to file an abuse report against me and get my
>> service disconnected because they didn't like it?
>>
>> Abuse departments should be properly handling LEGITIMATE abuse complaints.
>> Not crufty background noise traffic that is never going away.
> Sure. Handling legitimate abuse complaints would be quite sufficient. :)
>
> 		Mukund

Since this is a distributed network and there's not a central authority 
to rule on each incident being legitimate, the only way to stay out of 
the politics is to ignore people's abuse complaints. Someone's SSH 
server is being spammed with probes?  That's pretty low bandwidth, not 
much threat to the network from a cracking script.  Maybe you don't like 
it, maybe it's criminal or whatever else, but ostensibly it's some 
paying customer's traffic and it should be delivered unmolested.  When 
someone's infrastructure is getting packeted or having their routers 
crashed repeatedly, they respond to that, usually without having to be 
emailed, because it's actual abuse of their network.  A lot of this 
other stuff is just people abusing the abuse contacts to get someone 
else taken offline.  Phishing websites fall into this category - it's 
not network abuse, it's just content someone doesn't like, and one way 
to get it taken down is to threaten the network that carries the traffic 
for it.

-Laszlo