Jack's right on the money there. Traffic being generated and directed to my network uses bandwidth, something I/my company pays for. Since it's a cost I am tasked to prove/disprove its benefit, so. Perhaps if one isn't probing and/or reporting utilization trends and usage this would not be so much an issue, but on my networks it is. If I were to take the stance of "oh but it's not hurting anything" you bet most of my IPOPs would look like ripe pickings for the masses of kiddie scripters/hackers.

It's part of the job to police and keep clean the networks I'm responsible for. As well, I do the inverse: if I get a complaint about some activity from within one of my netblocks I do my best to follow up on it and see it's not some new "feature" of M$ or a fat fingered configuration somewhere. I actually welcome the complaint as it may bring to my attention something/one that has gone wrong. Granted, I'm not about to nitpick a few packets typed in error by some poor sap on AOL, but in this case over 400 would enlighten a response to you/your provider.

Perhaps this is "old school" thinking but in my model of networks it's a proven and working theory. Well, just my 2¢s.

-Joe

/*
"Well if all the bits are 1's then we charge more"
"Why is that?"
"Larger audience"
*/

----- Original Message -----
From: "Jack Bates" <jbates@brightok.net>
To: "Matthew S. Hallacy" <poptix@techmonkeys.org>
Cc: "McBurnett, Jim" <jmcburnett@msmgmt.com>; <nanog@merit.edu>
Sent: Saturday, April 05, 2003 12:16 PM
Subject: Re: Abuse.cc ???

Matthew S. Hallacy wrote:
How was this traffic causing harm to your network? I'd rather have them dealing with people actively breaking into systems, DoS'ing, etc than terminating some customer who's probably infected with the latest Microsoft worm.
Worm control is important. If we let them run rampant, then they will build up to a critical mass and become DOS quality.

One of my transit customers was ignoring the worm reports I was sending him. Interestingly enough, he DOS'd his own routers as several of the people infected were behind NAT generating 11,000 connections in less than a minute. Ever seen a C3640 with 11,000 NAT translations? In this case, it's a customer that didn't have high end equipment. If he'd had high end equipment, then others would suffer the performance hit, not to mention extra noise making it harder to detect purposeful scans and attacks.

Some worms, like Code Red, cause a DOS on web enabled equipment as well. The F variant, for example, will shut down Net2Net DSLAMs, some Cisco equipment, and I'm sure a lot of other things.
-Jack
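
Added example, not part of the original thread: a sliding-window check over flow records that flags inside hosts opening connections at the rate described above (thousands per minute from behind NAT), so they can be followed up before the translation table fills. The record layout, the addresses, the 60-second window and the 1,000-flow limit are assumptions, and the sample data is constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60    # assumption: one-minute sliding window
MAX_NEW_FLOWS = 1000   # assumption: per-host limit, tune to your own baseline


def build_sample():
    """Constructed flow records: (epoch_seconds, inside_src, dst, dst_port)."""
    flows = []
    # Ordinary host: 20 connections to four destinations over about a minute.
    for i in range(20):
        flows.append((i * 3, "10.0.0.5", f"198.51.100.{i % 4 + 1}", 443))
    # Worm-like host: 11,000 connections to distinct addresses in 55 seconds.
    for i in range(11000):
        dst = f"198.18.{i // 250}.{i % 250 + 1}"
        flows.append((i // 200, "10.0.0.66", dst, 80))
    flows.sort(key=lambda f: f[0])  # the detector expects time order
    return flows


def find_noisy_hosts(flows, window=WINDOW_SECONDS, limit=MAX_NEW_FLOWS):
    """Return {src: (peak flows in any window, distinct dsts)} for hosts over limit."""
    recent = defaultdict(deque)  # src -> timestamps still inside the window
    peak = defaultdict(int)      # src -> highest flow count seen in one window
    dsts = defaultdict(set)      # src -> every destination contacted
    for ts, src, dst, _port in flows:
        q = recent[src]
        q.append(ts)
        # Drop timestamps that have aged out of the window.
        while q and q[0] <= ts - window:
            q.popleft()
        peak[src] = max(peak[src], len(q))
        dsts[src].add(dst)
    return {s: (peak[s], len(dsts[s])) for s in peak if peak[s] > limit}


if __name__ == "__main__":
    for host, (rate, fanout) in find_noisy_hosts(build_sample()).items():
        print(f"{host}: {rate} flows in {WINDOW_SECONDS}s to {fanout} destinations")
```

A host that makes the same number of connections spread over hours stays under the limit, which is why the count is kept per window and not per day.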