From: "Frank Bulk" <frnkblk@iname.com>
Subject: RE: Abuse procedures... Reality Checks
Date: Sat, 7 Apr 2007 16:20:59 -0500
If they can't hold the outbound abuse down to a minimum, then I guess I'll have to make up for their negligence on my end.
Sure, block that /29, but why block the /24, /20, or even /8? Perhaps your (understandable) frustration is preventing you from agreeing with me on
Robert:

You still haven't answered the question: how wide do you block? You got an IP address that you know is offensive. Is your default policy to blacklist just that one, do the /24, go to ARIN and find out the size of that block and do the whole thing, or identify the AS and block traffic from the dozen if not hundreds of allocations they have? In only the first two cases is no research required, but I would hope that the network who wants to blacklist (i.e. GoDaddy) would do a little bit of (automated) legwork to focus their abuse control.

You also have too dim and narrow a view of customer relationships. In my case the upstream ISP is a member-owned cooperative of which the sub-allocated space is either a member or a customer of a member. 1, 2, and 3 don't apply, rather, the coop works with their members to identify the source of the abuse and shut it down. It's not adversarial as you paint it to be. BTW, do you think the member-owned coop should be monitoring the outflow of dozens of member companies and hundreds of sub-allocations they have?

And it's not *riddled* with abuse, it's just one abuser, probably a dial-up customer who is unwittingly infected, who while connected for an hour or two sends out junk. GoDaddy takes that and blacklists the whole /24, affecting both large and small businesses alike who are in other sub-allocated blocks in that /24.

Ideally, of course, each sub-allocated customer would have their own /24 so that when abuse protection policies kick in and that automatically blacks out a /24 only they are affected, but for address conservation reasons that did not occur.

Frank

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Robert Bonomi
Sent: Saturday, April 07, 2007 8:41 PM
To: nanog@merit.edu
Subject: RE: Abuse procedures... Reality Checks

this
specific case. Because what you usually see is an IP from a /20 or larger and the network operators aren't dealing with it. In the example I gave it's really the smaller /29 that's the culprit, it sounds like you want to punish a larger group, perhaps as large as an AS, for the fault of a smaller network.
Smaller operators, like those that require just a /29, often don't have
BLUNT QUESTIONS:

*WHO* pays me to figure out 'which parts' of a provider's network are riddled with problems and 'which parts' are _not_?

*WHO* pays me to do the research to find out where the end-user boundaries are?

*WHY* should _I_ have to do that work -- If the 'upstream provider' is incapable of keeping _their_own_house_ clean, why should I spend the time trying to figure out which of their customers are 'bad guys' and which are not?

A provider *IS* responsible for the 'customers it _keeps_'. And, unfortunately, a customer is 'tarred by the brush' of the reputation of its provider.

that
infrastructure. Those costs, as I'm sure you are aware, are passed on to companies like yourself that have to maintain their own network's security. Again, block them, I say, just don't swallow others up in the process.
If the _UPSTREAM_ of that 'small operator' cannot 'police' its own customers, Why should _I_ absorb the costs that _they_ are unwilling to internalize?

If they want to sell 'cheap' service, but not 'doing what is necessary', I see no reason to 'facilitate' their cut-rate operations.

Those who buy service from such a provider, 'based on cost', *deserve* what they get, when their service "doesn't work as well" as that provided by the full-price competition.

_YOUR_ connectivity is only as good as the 'reputation' of whomever it is that you buy connectivity from.

You might want to consider _why_ the provider *keeps* that 'offensive' customer. There would seem to be only a few possible explanations:

(1) they are 'asleep at the switch',
(2) that customer pays enough that they can 'afford' to have multiple other customers who are 'dis-satisfied', or who may even leave that provider,
(3) they aren't willing to 'spend the money' to run a clean operation.

(_None_ of those seems like a good reason for _me_ to spend extra money 'on behalf of' _their_ clients.)