* Simon Lockhart:
On Sun Sep 18, 2016 at 03:58:57PM +0200, Florian Weimer wrote:
* Tom Beecher:
Simon's getting screwed because he's not being given any information to try and solve the problem, and because his customers are likely blaming him because he's their ISP.
We don't know that for sure. Another potential issue is that the ISP just cannot afford to notify its compromised customers, even if they were able to detect them.
I'd like to think that we're pretty responsive to taking our users offline when they're compromised and we're made aware of it - either through our own tools, or through 3rd party notifications.
Okay, then perhaps my guess of the ISP involved is wrong.
The process with Sony goes something like:
- User reports they can't reach PSN
- We report to Sony/PSN, they say "Yes, it's blocked because that IP attacked us"
- We say "Okay, that's a CGNAT public IP, can you help us identify which inside user that is - (timestamp,ip,port) logs, or some way to identify the bad traffic so we can look for it ourselves"
- Sony say no, either through silence, or explicitly.
- We have unhappy user(s), who blame us.
Yes, that's not very constructive. Out of curiosity, how common is end-to-end reporting of source/destination port information (in addition to source IP addresses and destination IP addresses)? Have the anti-abuse mechanisms finally caught on with CGNAT, or is it possible that the PSN operator themselves do not have such detailed data?
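Added example, not part of the original thread or any participant's code: a sketch of the (timestamp,ip,port) lookup discussed above, showing why a report carrying only the CGNAT public IP cannot be tied to one inside user. The port-block log format, the addresses and the function name are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def _t(s):
    # Parse a constructed UTC timestamp.
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed CGNAT port-block allocation log (hypothetical format):
# (block start, block end, inside IP, public IP, first port, last port)
NAT_LOG = [
    (_t("2016-09-18T10:00:00"), _t("2016-09-18T12:00:00"),
     "100.64.0.11", "203.0.113.7", 1024, 2047),
    (_t("2016-09-18T10:05:00"), _t("2016-09-18T11:30:00"),
     "100.64.0.12", "203.0.113.7", 2048, 3071),
    # Same port block handed to another user 30 seconds after release.
    (_t("2016-09-18T12:00:30"), _t("2016-09-18T14:00:00"),
     "100.64.0.13", "203.0.113.7", 1024, 2047),
]

def candidates(public_ip, when=None, src_port=None, skew=timedelta(0)):
    """Return the inside IPs that could have sent the reported traffic.

    Each field missing from the abuse report widens the result set.
    skew is the tolerated clock difference between reporter and ISP.
    """
    hits = set()
    for start, end, inside, pub, p_lo, p_hi in NAT_LOG:
        if pub != public_ip:
            continue
        if when is not None and not (start - skew <= when <= end + skew):
            continue
        if src_port is not None and not (p_lo <= src_port <= p_hi):
            continue
        hits.add(inside)
    return sorted(hits)

if __name__ == "__main__":
    ip = "203.0.113.7"
    print("IP only:          ", candidates(ip))
    print("IP + time:        ", candidates(ip, _t("2016-09-18T11:00:00")))
    print("IP + time + port: ", candidates(ip, _t("2016-09-18T11:00:00"), 1500))
    # A report timestamped near a block hand-over is ambiguous once
    # clock skew between the two parties is allowed for.
    print("near hand-over:   ", candidates(ip, _t("2016-09-18T12:00:10"), 1500,
                                           skew=timedelta(seconds=60)))
```

The last case shows that even a full (timestamp,ip,port) tuple identifies a single user only if both sides keep accurate, synchronised clocks.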