On Sat, Apr 07, 2007 at 04:20:59PM -0500, Frank Bulk wrote:
> Define network operator: the AS holder for that space or the operator of that smaller-than-slash-24 sub-block? If the problem consistently comes from /29 why not just leave the block in and be done with it?
Because experience...long, bitter experience...strongly indicates that what happens today often merely presages what will happen tomorrow.

Because I haven't got unlimited time. Or money. Or resources.

Because I haven't got unlimited WHOIS queries. (Although I and everyone else *should* have those. There are no valid reasons to rate-limit any form of WHOIS query.)

Because there are way, WAY too many incompetently-managed networks whose operators can often be heard complaining about the abuse inbound to them at the same time they fail to take rudimentary measures to control the abuse outbound from them. <cough> port 25 blocking <cough>

Because I was more patient for the first decade or two, and it proved to be a losing strategy.

Because This Is Not My Problem. If by chance someone benign has chosen to locate their operation in known-hostile, known-negligently-operated network space, then their failure to perform due diligence may have consequences for them.
> I guess this begs the question: Is it best to block with a /32, /24, or some other range? Sounds a lot like throwing something against the wall and seeing what sticks. Or vigilantism.
1. Gratuitously labeling carefully-considered measures as random is not a route to productive conversation.

2. It is hardly "vigilantism" to take passive measures to protect one's network/systems/users from hostile activity. Doubly so when those measures consist merely of a refusal to grant a *privilege* after it's been repeatedly, systemically abused.

---Rsk