[191496] in North American Network Operators' Group
Re: PlayStationNetwork blocking of CGNAT public addresses
daemon@ATHENA.MIT.EDU (Florian Weimer)
Sun Sep 18 11:17:38 2016
X-Original-To: nanog@nanog.org
From: Florian Weimer <fw@deneb.enyo.de>
To: Simon Lockhart <simon@slimey.org>
Date: Sun, 18 Sep 2016 17:17:33 +0200
In-Reply-To: <20160918140650.GR29651@dilbert.slimey.org> (Simon Lockhart's
message of "Sun, 18 Sep 2016 15:06:50 +0100")
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
* Simon Lockhart:
> On Sun Sep 18, 2016 at 03:58:57PM +0200, Florian Weimer wrote:
>> * Tom Beecher:
>> > Simon's getting screwed because he's not being given any information to try
>> > and solve the problem, and because his customers are likely blaming him
>> > because he's their ISP.
>>
>> We don't know that for sure. Another potential issue is that the ISP
>> just cannot afford to notify its compromised customers, even if they
>> were able to detect them.
>
> I'd like to think that we're pretty responsive to taking our users offline
> when they're compromised and we're made aware of it - either through our own
> tools, or through 3rd party notifications.
Okay, then perhaps my guess of the ISP involved is wrong.
> The process with Sony goes something like:
>
> - User reports they can't reach PSN
> - We report the Sony/PSN, they say "Yes, it's blocked because that IP attacked
> us"
> - We say "Okay, that's a CGNAT public IP, can you help us identify the which
> inside user that is - (timestamp,ip,port) logs, or some way to identify the
> bad traffic so we can look for it ourselves"
> - Sony say no, either through silence, or explicitly.
> - We have unhappy user(s), who blame us.
Yes, that's not very constructive.
Out of curiosity, how common is end-to-end reporting of
source/destination port information (in addition to source IP
addresses and destination IP addresses)? Have the anti-abuse
mechanisms finalyl caught on with CGNAT, or is it possible that the
PSN operator themselves do not have such detailed data?
