[162714] in North American Network Operators' Group
Re: Tier1 blackholing policy?
daemon@ATHENA.MIT.EDU (Jared Mauch)
Tue Apr 30 17:22:38 2013
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <20130430185009.GA3750@vacation.karoshi.com.>
Date: Tue, 30 Apr 2013 17:20:04 -0400
To: bmanning@vacation.karoshi.com
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Apr 30, 2013, at 2:50 PM, bmanning@vacation.karoshi.com wrote:
> Phone? You mean like Jitsi or Skype?
> Fax?
>
> I'd like to see some numbers to back your assertion of "Typical" restoration
> times of days.
My vendors deliver software fixes for "BGP" doesn't work in weeks, so I think that the following timeline and process I'm going to outline exceeds their BGP problems.
0 hour - Issue Reported
0-24 hours - triage; send to customer/internal customer to mitigate/remediate
25-48 hours - Customer responds, host taken down if hacked, etc.
48-96 hours+ - If no response, IP null0'ed per AUP as network security risk
48-96 hours is also where the customer freaks out and quickly fixes their problem to come in compliance with AUP.
This is a natural process. Null0 or ACLs don't stay up for days or weeks on end. That doesn't mean this catches 100% of all cases, but many ISPs get a daily report of phishing sites and malware hosted on their network each morning. You can get one too!
http://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork
You can get a daily ATLAS report from Arbor as well: http://atlas.arbor.net/ (Although I can't get anyone to fix a problem with it, so anyone there can email me if you have the power to fix it).
There are other aggregators of data as well, such as SIE. If you don't know the health of your network, take a look. Many folks will email you these reports automatically, or provide you a direct feed (some in realtime, such as SIE).
- Jared