[68443] in North American Network Operators' Group
Re: Counter DoS
daemon@ATHENA.MIT.EDU (Brian Bruns)
Thu Mar 11 17:28:40 2004
From: "Brian Bruns" <bruns@2mbit.com>
To: <nanog@merit.edu>
Date: Thu, 11 Mar 2004 17:27:55 -0500
X-SA-Exim-Mail-From: bruns@2mbit.com
Errors-To: owner-nanog-outgoing@merit.edu
On Thursday, March 11, 2004 6:16 PM [EST], william(at)elan.net
<william@elan.net> wrote:
>>
>> Which RBL operators flood /24's or /16's? What do they flood them
>> with?
>
> I think he meant that RBLs sometimes include entire /24 in RBL list when
> only one or two ips are at fault and some would go even highier to include
> entire ISP allocation. This is probably talking about SPEWs and alike RBLs
That usually only happens when providers ignore abuse reports and don't do
something about their abusive customers. Thats how we do it at the AHBL - you
ignore abuse reports for long enough and pretend like the problem doesn't
exist, you get a /24 listed. You move the spammer to another block, inside
your network, and it grows to encompass the new block as well as the old one.
And it keeps going from there.
Thats how the rima-tde blocks that are in the AHBL got started - single /32s,
then as the spam and 419 scams came in faster, it expanded to /24s, and
finally after 2 dozen or so /24s blocked, I started going for /20s and larger.
Now I've got two /13s, and a /16 of theirs blocked until Telefonica decides to
contact us and discuss the situation with the abuse coming from their network.
When providers dont act on abuse, you have to put the pressure on. Sometimes,
that means forcing their legit customers to start to complain and thow a fit
with their provider over the blocks.
Yes, its ugly and unfair, but thats the only way to get them to act.
--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
The Abusive Hosts Blocking List
http://www.ahbl.org
