On 8/15/12 10:24 AM, Leo Bicknell wrote:
In a message written on Wed, Aug 15, 2012 at 08:01:15AM -0700, joel jaeggli wrote:
Remediation of whatever wrong with a given prefix is an active activity, it's not likely to go away unless the prefix is advertised. Actually, that's not true on two fronts.
From a business relationship front, if the problem is contacting the right people when the "right people" have been arrested and now some police agent now needs to generate the right paperwork, produce court paperwork, see a judge, time will absolutely help. The right people in this case are the one's with the broken PC's. The misbehavior associated with the prefix was dealt with some time ago. I can see a scenario here where it might have been worked out to transfer the block to the appropriate law enformcement agency for a year (with them paying the usual fees) such that they could wind this down in an orderly way. Courts already did that, name-servers with that prefix range were operated by ISC from november 9th 2011 to July 9th 2012 at the request of the FBI. If the problem is technical badness, the block has appeared on blacklists or grey lists, or been placed in to temporary filters to block DNS changer badness time will also help. Most (although not all) of those activities are aged out. As ISP's stop seeing hits on their DNS changed ACL's because the machines have been cleaned up they will remove them. Greylists will age out.
Indeed both of these is why there is a "cooling off" period in place now at all RIR's. They have been proven to work. Previously in some cases they were 6-12 months though, and what the community has said is that given that we're out of IPv4 those time periods should be shorter. The question becomes how much shorter? Clearly holding them back for 1 day isn't long enough to make any business or technical difference. The community is saying 6-12 months is too long.
I am saying 6 weeks sounds too short to me, but if it is appropriate for "ordinary" blocks there needs to be an exception for extrodinary ones. From time to time we hear about blocks like DNSChanger that millions of boxes are configured to hit, Were configured to hit, if they still are they've been broken for a while, or are being kept on life support by ISPs.
in any event they're aren't millions anymore there are perhaps low thousands of broken computers.
or I remember the University of Wisconsin DDOSed by NTP queries from some consumer routers. When the box still has high levels of well known, active badness, perhaps it should be held back longer. The university of Wisconsin seems like an unlikely candidate to give up it's prefix over that.
http://pages.cs.wisc.edu/~plonka/netgear-sntp/#ToC39
In the case of dns changer, I would think that if you don't have working DNS for long enough you're going to have your computer fixed or throw it out. if you were an operator using that prefix to prevent customer breakage you should be on notice that's not sustainable indefinitely or indeed for much longer. The problem here isn't just the infected computers. Would you want to receive a netblock from an RIR that came with tens or hundreds of megabits of DDOS, I mean, background noise when you turned it on? It is unlikely in the extreme that what remains when that prefix is advertised is 100s of megabits of DOS. that said as a potential recipient of such a prefix, I'd probably be willing to accept a fair amount of garbage if the alternative is not having one. I fully expect quality of ipv4 prefixes available for re-assignment to continue to drop. Whoever receives this block is in for a world of hurt.