as an ISP who knows how to network, the only thing i request of you is
if your customer is spewing virus segments at me, you give me a way to
----- Original Message ----- From: "Paul Vixie" <vixie@vix.com> that prove
that to you (that costs me less time and aggravation than blackholing you), and that once proven, you will revoke the account until you're sure that the infestation, and the process errors which led to it, are gone. (same as if they were spamming, or controlling a ddos botnet, or etc.)
That's fine and we do deal with the problems in a reasonable amount of time, but we also prioritize them. If there are 5 bots on my network sending you a 2Mb flood, we'll shut them down or block the flood immediately, but if it's a single machine on a corporate network beind NAT and you are getting 4 port probes because it's infected with sasser, then we'll enter it into the support system and the customer will be contacted but the corp network will not be shut down until that contact has been made. Virus infections are a day to day occurance, not some critical emergency DOS condition and they should be handled with concern but not panic. Customers are the priority, not everyone else on the net. If you can't stand up to 4 port probes then you don't belong on todays internet. Now if you are talking about customers who remain infected for weeks, we won't allow that, once the contact has been made they've got to respond or we will shut them down. But the logs I saw posted here didn't appear to me to be the same customer, it just appeared to be a lot of probes over a long time meaning that the particular subnet is a very busy place with lots of worm bait. Virus infections on a subnet like that are to be expected. Trying to keep that subnet clean is like running around spinning plates on sticks. Geo. -George R.- NetLink Services, Inc.