On Sat, Apr 07, 2007 at 02:31:25PM -0500, Frank Bulk wrote:
I understand your frustration and appreciate your efforts to contact the sources of abuse, but why indiscriminately block a larger range of IPs than what is necessary?
1. There's nothing "indiscriminate" about it.
I often block /24's and larger because I'm holding the *network* operators responsible for what comes out of their operation.
Define network operator: the AS holder for that space or the operator of that smaller-than-slash-24 sub-block? If the problem consistently comes from a /29, why not just leave the block in and be done with it? I guess this begs the question: Is it best to block with a /32, /24, or some other range? Sounds a lot like throwing something against the wall and seeing what sticks. Or vigilantism.
If they can't hold the outbound abuse down to a minimum, then I guess I'll have to make up for their negligence on my end.
Sure, block that /29, but why block the /24, /20, or even /8? Perhaps your (understandable) frustration is preventing you from agreeing with me on this specific case. Because what you usually see is an IP from a /20 or larger and the network operators aren't dealing with it. In the example I gave it's really the smaller /29 that's the culprit, it sounds like you want to punish a larger group, perhaps as large as an AS, for the fault of smaller network.
I don't care why it happens -- they should have thought through all this BEFORE plugging themselves in and planned accordingly. ("Never build something you can't control.")
Agreed.
Neither I nor J. Oquendo nor anyone else are required to spend our time, our money, and our resources figuring out which parts of X's network can be trusted and which can't.
It's not that hard; the ARIN records are easy to look up. Figuring out that a network operator has a /8 that you want to block based on 3 or 4 IPs in their range requires just as much work.
It is entirely X's responsibility to make sure that its _entire_ network can be permitted the privilege of access to ours. And (while I don't wish to speak for anyone else), I think we're prepared to live with a certain amount of low-level, transient, isolated noise.
Noise like that is an inevitable part of the job.
We are not prepared to live with persistent, systemic attacks that are not dealt with even *after* complaints are filed. (Which shouldn't be necessary anyway: if we can see inbound hostile traffic to our networks, surely X can see it outbound from theirs. Unless X is too stupid, cheap or lazy to look. Packets do not just fall out of the sky, y'know?)
Smaller operators, like those that require just a /29, often don't have that infrastructure. Those costs, as I'm sure you're aware, are passed on to companies like yourself that have to maintain their own network's security. Again, block them, I say, just don't swallow others up in the process.
2. "necessary" is a relative term.
Example: I observed spam/spam attempts from 3,599 hosts on pldt's network during January alone. I've blocked everything they have, because I find it *necessary* to not wait for the other N hosts on their network to pull the same stunt. I've found it *necessary* to take many other similar measures as well because my time, money and resources are limited quantities, so I must expend them frugally while still protecting the operation from overtly hostile networks.
That's my point: you want to spend time dealing with the other 8 networks because you blacked them out, too?
That requires pro-active measures and it requires ones that have been proven to be effective.
If X, for some value of X, is unhappy about this, then X should have thought of that before permitting large amounts of abuse to escape its operation over an extended period of time. Had X done its job to a baseline level of professionalism, then this issue would not have arisen, and we'd all be better off for it.
Agreed, but economics usually dictate otherwise.
So. If you (generic you) can't keep your network from being a persistent and systemic abuse source, then unplug it. Now.
They want to run a business, too. So when you blacklist they will end up calling you asking for mercy, telling you that it's been cleaned up. Inevitably something/someone gets infected, you black them out, rinse, repeat.
If, on the other hand, you decide to stick around anyway while letting the crap flow: no whining when other people find it necessary to take steps to defend themselves from your incompetence.
---Rsk