[117809] in North American Network Operators' Group
Re: Dutch ISPs to collaborate and take responsibility for botted
daemon@ATHENA.MIT.EDU (Owen DeLong)
Sun Oct 4 07:35:54 2009
From: Owen DeLong <owen@delong.com>
To: Peter Beckman <beckman@angryox.com>
In-Reply-To: <alpine.BSF.2.00.0910031759460.4388@nog.angryox.com>
Date: Sun, 4 Oct 2009 04:33:43 -0700
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Oct 3, 2009, at 3:18 PM, Peter Beckman wrote:
> On Sat, 3 Oct 2009, Gadi Evron wrote:
>
>> The story is covered by PC mag:
>
> Thanks for the article Gadi. Honestly, I wish both my personal ISP and
> one of my business ISPs would do this. Though I have the technical
> ability to monitor my outgoing connections for such things, it's not a
> trivial task and requires resources I've decided not to invest in, namely
> a Linux PC running as my gateway with yet more software (OS, monitoring
> tools, etc) I need to secure and keep updated.
>
> For me to be thrilled about my ISPs monitoring my connection for "bad
> behavior," the ISP should:
>
> * Quickly notify the customer about the problem via email and phone
Agreed
> * Offer the ability to view the evidence of the "bad behavior,"
>   accessible on the ISP network via the web so it can be viewed whether
>   the connection is active or blocked, to help determine which host(s)
>   is/are responsible
Agreed
> * Clearly classify the type of "bad behavior" and offer both free and
>   paid alternatives to potentially rectify the problem for those less
>   technically inclined to self-solve the issue
Definitely.
> * Provide a short period of time (3 days) after notification and before
>   disconnect to give an opportunity to fix the issue without service
>   interruption
Uh... Here I differ. The rest of the internet should put up with the abuse
flowing out of your network for 3 days to avoid disruption to you? Why?
Sorry, if you have a customer who is sourcing malicious activity, whether
intentional or by accident, I believe the ISP should take whatever action
is necessary to stop the outflow of that malicious behavior as quickly
as possible while simultaneously making all reasonable effort to contact
the customer in question.
The ISP should take the minimum action necessary to stop the outflow, so,
if the traffic is sourced from a single host, that host could be
filtered/blocked. If the traffic can be classified more tightly (i.e.
certain ports, etc.), then that classification should be used. This
minimizes disruption to the customer, but, still preserves the ISP's
obligation to the rest of the internet. When you connect to a community
resource like the internet, you have an inherent obligation not to source
malicious activity. When you provide services to downstream customers, you
are not relieved of that responsibility just because you accepted the
malicious activity from them rather than originating it yourself.
> * Offer a simple, automated way to get the connection re-tested and
> unblocked immediately (within 15 minutes) using a web service
> accessible even if the connection is blocked
>
Either a web interface or even a telephonic process. It doesn't necessarily
need to be automated, but, it shouldn't be a 3 day wait for a technician
to get back to you. It should definitely be a pretty rapid process once
the abuse is resolved.
> This would make me happy.
>
> What would make me angry is if they:
>
> * Simply turn the connection off with little or no notice
They should not turn the connection off unless it is absolutely necessary.
See above.
> * Provide no notification of what happened or why
Absolutely agree here.
> * Offer no evidence of why they turned the connection off to help debug
Yep.
> * Force the customer to call customer service to ask for a retest or
>   reconnect
I don't really see a problem with this, so long as customer service is
responsive to such a call.
> * Have the reconnect take multiple hours/days once approved
Agreed: the reconnect process should be very quick once the abuse is
resolved.
Owen