[95939] in North American Network Operators' Group
Re: Abuse procedures... Reality Checks
daemon@ATHENA.MIT.EDU (Scott Weeks)
Wed Apr 11 14:54:27 2007
Date: Wed, 11 Apr 2007 11:53:29 -0700
From: "Scott Weeks" <surfer@mauigateway.com>
Reply-To: <surfer@mauigateway.com>
To: <nanog@merit.edu>
Errors-To: owner-nanog@merit.edu
: if someone cannot get out somewhere, they're obviously 
: going to get in touch with me as to why. Once this is 
: done, it is explained
: I've always contacted someone
: after about 3 attempts at getting someone to assess 
: their network
I know from experience this doesn't scale into the hundreds of thousands of customers and can only imagine the big ass eyeball network's scalability issues...
scott
--- sil@infiltrated.net wrote:
From: "J. Oquendo" <sil@infiltrated.net>
To: nanog@merit.edu
Cc: Warren Kumari <warren@kumari.net>
Subject: Re: Abuse procedures... Reality Checks
Date: Wed, 11 Apr 2007 13:49:40 -0400
Warren Kumari wrote:
>
> So, I have always wondered -- how do you customers really react when 
> they can no longer reach www.example.com, a site hosted a few IPs away 
> from www.badevilphisher.net? And do you really think that you blocking 
> them is going to make example.com contact their provider to get things 
> fixed?
>
You confused two things.
1) I do my best to stop malicious traffic from leaving my network. With
this said, if someone cannot get out somewhere, they're obviously going
to get in touch with me as to why. Once this is done, it is explained
to them that either their machine, or a machine on their network was
doing something fuzzy therefore they were blocked. Most are actually
thankful that it was pointed out to them as opposed to having to wait
for Security Company X to update its virus/spamware definitions.
2) I do not block getting TO company X at first signs of garbage coming
into my network from them. I've always contacted someone to some degree
so don't misconstrue my actions as "I block the first packets I see."
On the contrary I only block CIDRs after about 3 attempts at getting
someone to assess their network. After that, I begin with services.
This is my network so this is how it pans out... Spam? A CIDR to my
email ports is blocked. SSH brute forcing, etc., those ports are
blocked. If a network that's blocked on ports continues, everything is then
blocked.
>
> Have you considered that being a little politer and not insulting 
> everyone on the list might be a more constructive way of getting your 
> point across -- if I were to call you a "big, fat, doodoo head" you 
> would probably be less receptive than if I didn't...
>
What does being polite and "matter of factly" have to do with
administrators cleaning up their networks? Should I beg an
administrator of some network to be polite and not refer me to their
generic abuse desk who'll do nothing about the issue?
I actually am a little too polite in the fact that 1) I'm doing
network operators a favor pointing out rogue hosts on
THEIR networks to them, not mine. If they want to continue hosting said
rogue idiots, that's their problem. I won't be allowing it into my range.
If you knew me personally, or have dealt with me, I can guarantee
you within minutes of you contacting me for something I would be
on it. I as an admin/engineer whatever you want to call me would
want to make sure that nothing internal to me is affecting anyone
else since it is likely to make things more difficult for me if
left unchecked.
So on issues of politeness, I am being polite contacting people.
I'm being double polite posting evil doing networks on my personal
site so others can be aware that "These networks are infected.
Here are their hosts if you want to block them." I do this on my
own spare time, my own expense, and my own filtering of the
denials of service that ensue when some botnet reject sees me
post a percentage of his botnet. So please don't take my messages as
anything other than "Hey... When is someone going to deal with
this?" frustration targeted at those with the power to actually do
something about it instead of waiting for someone else to take
the first move.
Analogy: You live in a house and sweep your property. Your
neighbors don't. Would you stop sweeping your house? Would you
keep your house dirty simply because the majority around you
do? I'm sure if you convinced the most visible neighbor to
make a change, the others would follow suit. Heck in some
areas those neighbors who didn't comply would face fines
after some point. Why not bring this chain of thought to a
network you maintain/manage?
As for documentation on this... There is PLENTY of it. Why should
I write another document no one would follow? If some can't follow
normal standards set by governmental bodies (for lack of better
terms), what makes you think someone would say "Gee... That
Oquendo sure wrote a nice document... Let me follow it"? How
about following standards and using good old fashioned common
sense.
-- 
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net 
The happiness of society is the end of government.
John Adams
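The graduated response J. Oquendo describes above (contact the operator about three times, then block the offending service's ports for the source CIDR, and only block the CIDR entirely if the abuse continues) is easy to get inconsistent when done by hand across many networks, which is also the scaling concern Scott raises. The following is an added illustration, not code from the thread or from either poster, of that escalation as a small policy engine with an audit trail per CIDR. It assumes a port mapping per abuse category (spam to TCP 25/587, SSH brute forcing to TCP 22), a threshold of three recorded contact attempts, and nftables-style rule text as the rendered output; the sample events at the bottom are constructed.

```python
"""Graduated abuse-response policy (added example; not from the NANOG thread).

Assumptions, not from the post: the category-to-port mapping below, and that
contact attempts are recorded explicitly via record_contact(). The three-attempt
threshold and the ports-first-then-everything escalation follow the post.
"""
import ipaddress
from dataclasses import dataclass, field

# Assumption: destination ports tied to each abuse category.
SERVICE_PORTS = {
    "spam": (25, 587),
    "ssh-bruteforce": (22,),
}
# The post's threshold: block only after about three contact attempts.
CONTACT_ATTEMPTS_BEFORE_BLOCK = 3


@dataclass
class OffenderState:
    contact_attempts: int = 0
    blocked_ports: set = field(default_factory=set)
    fully_blocked: bool = False
    history: list = field(default_factory=list)  # (category, action) audit trail


class AbusePolicy:
    """Tracks one OffenderState per source CIDR and decides the next step."""

    def __init__(self):
        self.state = {}

    def _state_for(self, cidr):
        # strict=False accepts host-bit-set input such as 192.0.2.5/24
        net = ipaddress.ip_network(cidr, strict=False)
        return self.state.setdefault(net, OffenderState())

    def record_contact(self, cidr):
        """Log one attempt to reach the network's operator; returns the count so far."""
        st = self._state_for(cidr)
        st.contact_attempts += 1
        return st.contact_attempts

    def report(self, cidr, category):
        """Decide what a new abuse report triggers.

        Returns one of: 'contact' (keep trying the operator), 'block-ports'
        (service-specific block), 'block-all' (abuse continued while
        port-blocked, or no service mapping exists), 'already-blocked'.
        """
        st = self._state_for(cidr)
        if st.fully_blocked:
            action = "already-blocked"
        elif st.contact_attempts < CONTACT_ATTEMPTS_BEFORE_BLOCK:
            action = "contact"
        elif not st.blocked_ports and category in SERVICE_PORTS:
            st.blocked_ports.update(SERVICE_PORTS[category])
            action = "block-ports"
        else:
            st.fully_blocked = True
            action = "block-all"
        st.history.append((category, action))
        return action

    def firewall_rules(self):
        """Render current blocks as nftables-style rule strings (for a drop chain)."""
        rules = []
        for net, st in sorted(self.state.items(), key=lambda kv: str(kv[0])):
            if st.fully_blocked:
                rules.append(f"ip saddr {net} drop")
            elif st.blocked_ports:
                ports = ", ".join(str(p) for p in sorted(st.blocked_ports))
                rules.append(f"ip saddr {net} tcp dport {{ {ports} }} drop")
        return rules


if __name__ == "__main__":
    # Constructed sample: one network that is contacted, then keeps offending.
    policy = AbusePolicy()
    print(policy.report("192.0.2.0/24", "spam"))            # contact
    for _ in range(CONTACT_ATTEMPTS_BEFORE_BLOCK):
        policy.record_contact("192.0.2.0/24")
    print(policy.report("192.0.2.0/24", "spam"))            # block-ports
    print(policy.report("192.0.2.0/24", "ssh-bruteforce"))  # block-all
    for rule in policy.firewall_rules():
        print(rule)
```

The per-CIDR history is the part worth keeping in any real deployment: it is what lets an operator answer "why is my customer blocked" with dates and attempts rather than memory, which is exactly what becomes impossible by hand at the customer counts Scott mentions.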