[191210] in North American Network Operators' Group


Re: Handling of Abuse Complaints

daemon@ATHENA.MIT.EDU (Hugo Slabbert)
Mon Aug 29 12:05:17 2016

X-Original-To: nanog@nanog.org
Date: Mon, 29 Aug 2016 09:05:13 -0700
From: Hugo Slabbert <hugo@slabnet.com>
To: Jason Lee <jason.m.lee@gmail.com>
In-Reply-To: <CABD5cReam84fjnxeenr05BMj=N9GfsUUCLi98jZpjY0gEL1PwQ@mail.gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org



On Mon 2016-Aug-29 10:55:27 -0500, Jason Lee <jason.m.lee@gmail.com> wrote:

>NANOG Community,
>
>I was curious how various players in this industry handle abuse complaints.
>I'm drafting a policy for the service provider I'm working for about
>handing of complaints registered against customer IP space. In this example
>I have a customer who is running an open resolver and have received a few
>complaints now regarding it being used as part of a DDoS attack.
>
>My initial response was to inform the customer and ask them to fix it. Now
>that it's still ongoing over a month later, I'd like to take action to
>remediate the issue myself with ACLs but our customer facing team is
>pushing back and without an idea of what the industry best practice is,
>management isn't sure which way to go.
>
>I'm hoping to get an idea of how others handle these cases so I can develop
>our formal policy on this and have management sign off and be able to take
>quicker action in the future.

If you've informed them of the issue, given them time to resolve, and
they've failed to take action, at some point you need to escalate and
cauterize the wound to prevent abuse traffic spewing forth from the
customer's (and subsequently your) network.

How you implement that specifically is your call, but I would at least
start giving specific timelines to the customer and outline the steps that
will be taken if they fail to remediate by those times in order to give
them fair warning.

I've been fairly specific previously about crafting filters to drop just
the offending traffic, which should be doable here given the vector, but in
other cases where it was obvious the offending hosts were simply
compromised to hell and spewing myriad garbage traffic, I have cut users
off completely to chop C&C access etc.

This was during time at a regional commercial ISP on business circuits.

-- 
Hugo Slabbert       | email, xmpp/jabber: hugo@slabnet.com
pgp key: B178313E   | also on Signal

>
>Thanks,
>
>Jason
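Dropping "just the offending traffic" presupposes you can show which traffic that is. As an added illustration (not code from either post in this thread), the check below is what an operator could run over flow records to document the open-resolver amplification before applying a scoped ACL; the NetFlow-style records, the resolver at 192.0.2.53 and the customer prefix 192.0.2.0/24 are all constructed assumptions. It flags the resolver when answers leave the customer prefix (it is open to the world) and are far larger than the queries that triggered them (amplification).

```python
from ipaddress import ip_address, ip_network

# Documentation addresses chosen for this example (not from the thread).
CUSTOMER_PREFIX = ip_network("192.0.2.0/24")
RESOLVER = "192.0.2.53"

# Constructed NetFlow-style records: (src, dst, proto, sport, dport, bytes, packets)
FLOWS = [
    ("198.51.100.7", RESOLVER, "udp", 40000, 53, 64, 1),    # spoofed query, "victim" as source
    ("198.51.100.7", RESOLVER, "udp", 40001, 53, 64, 1),
    ("203.0.113.9", RESOLVER, "udp", 40002, 53, 64, 1),
    (RESOLVER, "198.51.100.7", "udp", 53, 40000, 3200, 3),  # amplified answer sent to the victim
    (RESOLVER, "198.51.100.7", "udp", 53, 40001, 3200, 3),
    (RESOLVER, "203.0.113.9", "udp", 53, 40002, 3100, 3),
    ("192.0.2.10", RESOLVER, "udp", 5000, 53, 60, 1),       # customer's own client, legitimate
    (RESOLVER, "192.0.2.10", "udp", 53, 5000, 120, 1),
]


def resolver_profile(flows, resolver=RESOLVER, prefix=CUSTOMER_PREFIX):
    """Split the resolver's UDP/53 traffic by whether the far end is outside the customer prefix."""
    p = {"ext_query_bytes": 0, "ext_response_bytes": 0, "int_query_bytes": 0,
         "int_response_bytes": 0, "ext_targets": set()}
    for src, dst, proto, sport, dport, nbytes, _pkts in flows:
        if proto != "udp":
            continue
        if dst == resolver and dport == 53:           # query arriving at the resolver
            side = "int" if ip_address(src) in prefix else "ext"
            p[side + "_query_bytes"] += nbytes
        elif src == resolver and sport == 53:         # answer leaving the resolver
            if ip_address(dst) in prefix:
                p["int_response_bytes"] += nbytes
            else:
                p["ext_response_bytes"] += nbytes
                p["ext_targets"].add(dst)             # who is receiving the reflected answers
    q = p["ext_query_bytes"]
    p["amplification"] = p["ext_response_bytes"] / q if q else 0.0
    return p


def is_abused_open_resolver(profile, min_factor=10.0):
    """Answers leave the prefix (open to the outside) and dwarf the queries that caused them."""
    return profile["ext_response_bytes"] > 0 and profile["amplification"] >= min_factor
```

The external queries the profile counts are exactly the traffic a scoped ACL (UDP/53 toward the resolver from outside the customer prefix) would drop, leaving the customer's own clients untouched.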

