On Fri 2016-Jul-29 07:50:09 -0500, J. Oquendo <joquendo@e-fensive.net> wrote:
On Fri, 29 Jul 2016, Rich Kulawiec wrote:
On Thu, Jul 28, 2016 at 11:30:12PM +0000, Donn Lasher via NANOG wrote:
If we want to be accurate about it, Cloudflare doesn???t host the DDoS, they protect the website of seller of the product. We shouldn???t be de-peering Cloud Flare over sites they protect any more than we would de-peer GoDaddy over sites they host, some of which, no doubt, sell gray/black market/illegal items/services.
The only way to make action against them effective is to do it broadly, do it swiftly, and do it permanently.
In my ramblings on "Why network operators love filth", I associate a landlord that knowingly allows his/her tenant to sell drugs. In America, your house is gone. This should be the case on the Internet as well. Keep sending out crap and ARIN should yank your IP space after everyone else has de-peered you.
So let's get to these horrible analogies of "weapons" and whether or not CloudFlare is solely the gun manufacturer and is not responsible whether or not their ARCLOUD rifle was used to shoot up a school killing children.
Analogy: Hotel Cloud is a pretty big hotel in the city. They have 5,000 rooms. When you walk by, their tenants are throwing rocks out of the windows, garbage, etc. People complain to the hotel management that does nothing about it. Hotel Cloud's response is: 'Well this is really not our problem, we only rent a room, what the occupant does...' --- And this makes sense to how many of you who'd respond: "Well I don't know about you but I want to walk around freely" Freely? At some point in time, you WILL walk by this hotel, or another that WILL become just like it. Why? Because there will be no one to say: "Hey this is wrong buck stops here..."
I have seen these discussions on this list for so many years, and there are those that want to do good, but won't lift a finger out of fear of the herd/praetorian guard. Anyone saying it cannot be done, is a coward bowing to the dollar (euro/yen/whatever). The analogy above is spot on...
This may seem pedantic, but no it's not, at least not in the Cloudflare situation. In the Hotel Cloudflare example, the miscreants don't hurl the rocks and filth out of the hotels' windows. They set up a storefront/shop in the hotel to sell rock- and filth-slinging for hire, with the actual rock- and filth-flinging being done elsewhere. That said: I don't believe the hotel can turn a blind eye to rock- and filth-slinging being peddled from their premises without consequence. If we caught someone running a booter web storefront on our net, they'd be gone. And the premises from which rock- and filth-slinging occurs (networks that originate garbage traffic, especially those that permit source address spoofing) also need to be held accountable. Again: not disagreeing that we need to hold people accountable; just clarifying the analogy for this case. I've cut off service for customer gear that was spewing garbage where they failed to do anything about it. We generally give an initial grace period and assist the customer however we can in getting their stuff cleaned up (or try to drop just the abusive traffic to start and leave the rest of their feed). But if you keep getting repeatedly compromised, fail to protect your stuff or clean it up, and keep spewing ever more varied garbage, you've proven yourself incapable of running an Internet-facing service and I'll quit trying to play whack-a-mole and just drop you. And yes: BCP38: we haz it. We're not at the scale of the big boys, but we try to do our part to run a clean shop.
...with the only difference being a hotel is physical, and on the Interwebs, out of sight out of mind.
This is until one of your relatives' sites gets taken offline by some bored moron via DDoS, and there go their sales, there goes their business. THEN and only THEN will some of the naysayers say: "Shit we could have stopped it."
Do you need law enforcement to be moral? "I can see that person is getting pulverized by some drunken idiot better not intervene because well... I want to walk freely..." That beating can come full circle, where beating can be DDoS, a sophisticated attack, malware.
I am so tempted to start a shaming site for networks including all of the big boys with detailed records showing how abuse was contacted, no one did nothing, and oh by the way... "Are you sure you want to host or transit with this company? Last I checked via logs, they were a filthy network that catered to peds, RBN folk, etc" Maybe when some of you guys (that sit around twiddling fingers) see your companies all over the place, maybe then you'll think about doing the right thing.
-- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
"Where ignorance is our master, there is no possibility of real peace" - Dalai Lama
0B23 595C F07C 6092 8AEB 074B FC83 7AF5 9D8A 4463 https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463
-- Hugo Slabbert | email, xmpp/jabber: hugo@slabnet.com pgp key: B178313E | also on Signal