Re: GLBX De-Peers Intercage [Was: RE: Washington Post: Atrivo/Intercage, why are we peering with the American RBN?]
-- "Paul Ferguson" <fergdawg@netzero.net> wrote:
-- "Marc Sachs" <marc@sans.org> wrote:
http://cidr-report.org/cgi-bin/as-report?as=AS27595&v=4&view=2.0
My only concern here is that by the publicity this issue continues to receive, these activities will just move elsewhere, like scurrying cockroaches (like what happened with AS40989).
[some elided]
I guess my effort to evoke commentary on NANOG failed.
My next question to the peanut gallery is: What do you suggest we should do on other hosting IP blocks that are continuing to host criminal activity, even in the face of abuse reports, etc.?
Seriously -- I think this is an issue which needs to be addressed here. ISPs cannot continue to sweep this issue under the proverbial carpet.
Is this an issue that network operations folk don't really care about?
- ferg
-- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawg(at)netzero.net ferg's tech blog: http://fergdawg.blogspot.com/
On Mon, 01 Sep 2008 08:48:12 -0000, Paul Ferguson said:
My next question to the peanut gallery is: What do you suggest we should do on other hosting IP blocks that are continuing to host criminal activity, even in the face of abuse reports, etc.?
Seriously -- I think this is an issue which needs to be addressed here. ISPs cannot continue to sweep this issue under the proverbial carpet.
Is this an issue that network operations folk don't really care about?
If somebody's paying you $n/megabyte for transit/connectivity, what's your incentive to make them clean up their act and get rid of their P2P filesharing traffic, spam traffic, and so on? Serious question, that - how many long-haul providers would be in serious trouble if all the spam and filesharing suddenly stopped and only legitimate traffic travelled through their pipes?
On Mon, Sep 01, 2008 at 05:36:47AM -0400, Valdis.Kletnieks@vt.edu wrote:
Serious question, that - how many long-haul providers would be in serious trouble if all the spam and filesharing suddenly stopped and only legitimate traffic travelled through their pipes?
define "legitimate" --bill
On Mon, Sep 01, 2008 at 05:36:47AM -0400, Valdis.Kletnieks@vt.edu wrote:
Serious question, that - how many long-haul providers would be in serious trouble if all the spam and filesharing suddenly stopped and only legitimate traffic travelled through their pipes?
define "legitimate"
Traffic in accordance with their AUP.
-- Florian Weimer <fweimer@bfk.de> BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99
Valdis.Kletnieks@vt.edu wrote:
On Mon, 01 Sep 2008 08:48:12 -0000, Paul Ferguson said:
Is this an issue that network operations folk don't really care about?
If somebody's paying you $n/megabyte for transit/connectivity, what's your incentive to make them clean up their act and get rid of their P2P filesharing traffic, spam traffic, and so on?
What is your price for cocaine?
On Mon, 01 Sep 2008 09:21:24 CDT, "Laurence F. Sheldon, Jr." said:
Valdis.Kletnieks@vt.edu wrote:
On Mon, 01 Sep 2008 08:48:12 -0000, Paul Ferguson said:
Is this an issue that network operations folk don't really care about?
If somebody's paying you $n/megabyte for transit/connectivity, what's your incentive to make them clean up their act and get rid of their P2P filesharing traffic, spam traffic, and so on?
What is your price for cocaine?
No, seriously.. If, as some estimates have it, 80% of the traffic is P2P, and as other estimates have it, 90% of that is copyright-infringing, then if that traffic disappears, anybody who was selling transit for that traffic is going to take a *big* revenue hit. And similarly, if you're selling transit to somebody who's then (eventually) reselling a pipe to Atrivo/Intercage or the RBN, turning that somebody off because they won't turn off the bad guys is going to make a dent in the bottom line.
I think it's very disingenuous to pretend that there have been *no* providers that haven't said to themselves "We're selling to scum, but it pays the bills, and we'd be in bankruptcy court otherwise..."
The fact that bad guys don't seem to have *any* trouble getting connectivity once they finally *do* get kicked off a provider is proof enough that:
a) There exist providers that are willing to take money from scum.
b) We won't get rid of the scum until we admit (a) is true.
On Mon, 01 Sep 2008 11:08:20 -0400 Valdis.Kletnieks@vt.edu wrote:
a) There exist providers that are willing to take money from scum. b) We won't get rid of the scum until we admit (a) is true.
I mostly agree with you -- but I get very worried about who defines "scum". Consider the following cases, which I will assert are not very far-fetched:
(a) China labels Falun Gong as "scum" and demands that international ISPs not carry it if they want to do business in China
(b) Russia labels critics of Putin and Medvedev as "scum" and demands that international ISPs bar their traffic if they want to do business in Russia
(c) Saudi Arabia denounces Internet pornographers as "scum" and demands that ISPs bar their traffic if they want their countries to be able to purchase oil
(c) France and Germany label EBay as "scum" for not barring sales of Nazi memorabilia and demand that international ISPs not carry it if they want to do business in the EU
(d) The RIAA and MPAA label file-sharers as "scum" and deny combined TV/ISP companies (cable ISPs, Verizon FIOS, etc.) access to any *broadcast* content if the ISP side doesn't crack down on file-sharing.
These are slightly far-fetched, but only slightly. I have a nice real-world example that I need to verify is public first, but it's directly on this point.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
Steven M. Bellovin wrote:
On Mon, 01 Sep 2008 11:08:20 -0400 Valdis.Kletnieks@vt.edu wrote:
a) There exist providers that are willing to take money from scum. b) We won't get rid of the scum until we admit (a) is true.
I mostly agree with you -- but I get very worried about who defines "scum".
Who defines "scum" when you get the email announcing a solution to your most urgent sexual problems? Who defines "scum" when the guy shows up at your office with a lot of the world's finest wrist watches for sale at unbelievably low prices? Who defines "scum" when you get the pallet of toner nobody remembers ordering? Who defines "scum" when the seedy character you never met before shows up to take your daughter out?
On Mon, 01 Sep 2008 11:33:21 EDT, "Steven M. Bellovin" said:
On Mon, 01 Sep 2008 11:08:20 -0400 Valdis.Kletnieks@vt.edu wrote:
a) There exist providers that are willing to take money from scum. b) We won't get rid of the scum until we admit (a) is true.
I mostly agree with you -- but I get very worried about who defines "scum". Consider the following cases, which I will assert are not very far-fetched:
For the sake of discussion, I was calling "scum" "any entity that your morals say you shouldn't accept money from, but your accountant says you should".... What that makes your accountant... is another discussion entirely :) However, I *do* agree with the problem of "scum with politico-economic leverage"....
There's this concept known as "dual criminality" in such situations, when you're looking at international prosecutions (or whatever).
So, while lèse-majesté - insult to the king - is a crime in Thailand (liable to get you lynched before you get prosecuted, at that) that doesn't mean the Thai authorities can do much about YouTube videos ..
On the other hand, child pornography, malware, illegal sale of prescription narcotics etc are generally criminal acts around the world.
regards
srs
On Mon, Sep 1, 2008 at 9:03 PM, Steven M. Bellovin <smb@cs.columbia.edu> wrote:
I mostly agree with you -- but I get very worried about who defines "scum". Consider the following cases, which I will assert are not very far-fetched:
(a) China labels Falun Gong as "scum" and demands that international ISPs not carry it if they want to do business in China
Suresh,
In a parallel universe we're considering profiles for "licit use" of some mechanism. One element of a multi-part test to distinguish "licit" from "illicit" was the presence or absence of known signatures for malware. After some thought it was understood that this test was equivalent to the node subject to the test being "cleaner" than the average for network attached consumer devices, and therefore not realistic.
Cheers, Eric
Suresh Ramasubramanian wrote:
There's this concept known as "dual criminality" in such situations, when you're looking at international prosecutions (or whatever).
So, while lèse-majesté - insult to the king - is a crime in Thailand (liable to get you lynched before you get prosecuted, at that) that doesn't mean the Thai authorities can do much about YouTube videos ..
On the other hand, child pornography, malware, illegal sale of prescription narcotics etc are generally criminal acts around the world.
regards srs
On Mon, Sep 1, 2008 at 9:03 PM, Steven M. Bellovin <smb@cs.columbia.edu> wrote:
I mostly agree with you -- but I get very worried about who defines "scum". Consider the following cases, which I will assert are not very far-fetched:
(a) China labels Falun Gong as "scum" and demands that international ISPs not carry it if they want to do business in China
Eric, as you say, it is a multi part test. With fairly clear distinctions between a compromised node and one under the direct control of a criminal.
So while it is unrealistic when viewed in isolation, put together with other factors it starts to make a lot of sense.
thanks
srs
On Wed, Sep 3, 2008 at 7:59 AM, Eric Brunner-Williams <brunner@nic-naa.net> wrote:
In a parallel universe we're considering profiles for "licit use" of some mechanism. One element of a multi-part test to distinguish "licit" from "illicit" was the presence or absence of known signatures for malware. After some thought it was understood that this test was equivalent to the node subject to the test being "cleaner" than the average for network attached consumer devices, and therefore not realistic.
On Mon, Sep 01, 2008 at 11:08:20AM -0400, Valdis.Kletnieks@vt.edu wrote:
What is your price for cocaine?
No, seriously.. If, as some estimates have it, 80% of the traffic is P2P, and as other estimates have it, 90% of that is copyright-infringing, then if that traffic disappears, anybody who was selling transit for that traffic is going to take a *big* revenue hit.
Not for long. The *problem* is edge customers having to continually increase the size of their pipes to make room for the good stuff amongst the crap. If the crap goes away, there will then be room for the chicken and egg problem with the steady march of IPTV etc to finally take off for real, I should think...
I think it's very disingenuous to pretend that there have been *no* providers that haven't said to themselves "We're selling to scum, but it pays the bills, and we'd be in bankruptcy court otherwise..."
Sure. And those are the people we don't *care* if they take it in the wallet, no?
Cheers, -- jra
-- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com '87 e24 St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
Those who cast the vote decide nothing. Those who count the vote decide everything. -- (Josef Stalin)
On Mon, Sep 01, 2008 at 09:21:24AM -0500, Laurence F. Sheldon, Jr. wrote:
Valdis.Kletnieks@vt.edu wrote:
On Mon, 01 Sep 2008 08:48:12 -0000, Paul Ferguson said:
Is this an issue that network operations folk don't really care about?
If somebody's paying you $n/megabyte for transit/connectivity, what's your incentive to make them clean up their act and get rid of their P2P filesharing traffic, spam traffic, and so on?
What is your price for cocaine?
well... http://www.narcoticnews.com/Cocaine/Prices/USA/Cocaine_Prices_USA.html has some pointers - if you're shopping.
--bill
On Mon, 1 Sep 2008, Paul Ferguson wrote:
-- "Paul Ferguson" <fergdawg@netzero.net> wrote:
-- "Marc Sachs" <marc@sans.org> wrote:
http://cidr-report.org/cgi-bin/as-report?as=AS27595&v=4&view=2.0
My only concern here is that by the publicity this issue continues to receive, these activities will just move elsewhere, like scurrying cockroaches (like what happened with AS40989).
[some elided]
I guess my effort to evoke commentary on NANOG failed.
My next question to the peanut gallery is: What do you suggest we should do on other hosting IP blocks that are continuing to host criminal activity, even in the face of abuse reports, etc.?
Seriously -- I think this is an issue which needs to be addressed here. ISPs cannot continue to sweep this issue under the proverbial carpet.
Is this an issue that network operations folk don't really care about?
NANOG is on vacation. Wait one more day. :)
- ferg
-- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawg(at)netzero.net ferg's tech blog: http://fergdawg.blogspot.com/
On 08-09-01 at 10:48, Paul Ferguson wrote:
My next question to the peanut gallery is: What do you suggest we should do on other hosting IP blocks that are continuing to host criminal activity, even in the face of abuse reports, etc.?
As mentioned in private email, I think where there is *evidence* of *criminal* activity, show this to a judge, get the judge to order ARIN to revoke the ASN/netblock, the traffic then becomes bogon and can/should be filtered.
If there can be a legal procedure established for this it may even be able to be done quickly in specific instances. Of course a parallel procedure would be necessary for each bit of the ROW..
-w
-- William Waites <ww@styx.org> http://www.irl.styx.org/ +49 30 8894 9942 CD70 0498 8AE4 36EA 1CD7 281C 427A 3F36 2130 E9F5
On Mon, Sep 01, 2008, William Waites wrote:
As mentioned in private email, I think where there is *evidence* of *criminal* activity, show this to a judge, get the judge to order ARIN to revoke the ASN/netblock, the traffic then becomes bogon and can/should be filtered.
Oh come on, how quickly would that migrate to enforcing copyright infringement? Or if you're especially evil, used by larger companies to bully smaller companies out of precious IPv4 space?
I reckon having your IPv4 space revoked for more than a few hours would upset most if not all small players.
Please find an alternative method of tidying up the trash and don't stir that nest of hornets.
Adrian
On Mon, 1 Sep 2008, Adrian Chadd wrote:
On Mon, Sep 01, 2008, William Waites wrote:
As mentioned in private email, I think where there is *evidence* of *criminal* activity, show this to a judge, get the judge to order ARIN to revoke the ASN/netblock, the traffic then becomes bogon and can/should be filtered.
Proving criminal activity is for law enforcement. Maintaining our networks against DDoS and our customers against being massively compromised, now that's something else. If a layer had become _that_bad_ I don't want them communicating with me, and if I am their peer, I don't want to peer with them. It's an individual choice by each provider, and we can look at them in any light we like.
Oh come on, how quickly would that migrate to enforcing copyright
Copyright is a legal issue which does not trouble our networks, so if you get a legal paper asking you to do so, it's a whole other business. Don't muddy the water. The issue is complicated enough as it is: do we want such dirty providers to massively compromise the Internet, our customers, or through us? Different answers from different people. If law enforcement was capable of doing the job, we wouldn't have had to discuss this.
infringement? Or if you're especially evil, used by larger companies to bully smaller companies out of precious IPv4 space?
I reckon having your IPv4 space revoked for more than a few hours would upset most if not all small players.
Please find an alternative method of tidying up the trash and don't stir that nest of hornets.
Adrian
On 08-09-01 at 12:18, Adrian Chadd wrote:
Oh come on, how quickly would that migrate to enforcing copyright infringement? Or if you're especially evil, used by larger companies to bully smaller companies out of precious IPv4 space?
With appropriate controls. For example that the entity in question exists entirely or substantially for illegal purposes. Illegal does not mean "in violation of an agreement", rather "against the law". And such an action should not be possible for a private person to bring.
Please find an alternative method of tidying up the trash and don't stir that nest of hornets.
Workable suggestions? So far I've seen,
* organized shunning
* BGP blacklists
Cheers,
-w
-- William Waites <ww@styx.org> http://www.irl.styx.org/ +49 30 8894 9942 CD70 0498 8AE4 36EA 1CD7 281C 427A 3F36 2130 E9F5
On Mon, 1 Sep 2008, William Waites wrote:
On 08-09-01 at 12:18, Adrian Chadd wrote:
Oh come on, how quickly would that migrate to enforcing copyright infringement? Or if you're especially evil, used by larger companies to bully smaller companies out of precious IPv4 space?
With appropriate controls. For example that the entity in question exists entirely or substantially for illegal purposes. Illegal does not mean "in violation of an agreement", rather "against the law". And such an action should not be possible for a private person to bring.
Please find an alternative method of tidying up the trash and don't stir that nest of hornets.
Workable suggestions? So far I've seen,
* organized shunning
* BGP blacklists
I can see the "don't be the Internet's firewall" bunch jumping up and out of their seats, spilling their coffees. How dare you destroy so many keyboards? :)
Cheers,
-w
-- William Waites <ww@styx.org> http://www.irl.styx.org/ +49 30 8894 9942 CD70 0498 8AE4 36EA 1CD7 281C 427A 3F36 2130 E9F5
On 08-09-01 at 12:34, Gadi Evron wrote:
Workable suggestions? So far I've seen,
* organized shunning
* BGP blacklists
I can see the "don't be the Internet's firewall" bunch jumping up and out of their seats, spilling their coffees. How dare you destroy so many keyboards?
I didn't mean to imply that either of those was actually workable ;)
-w
-- William Waites <ww@styx.org> http://www.irl.styx.org/ +49 30 8894 9942 CD70 0498 8AE4 36EA 1CD7 281C 427A 3F36 2130 E9F5
fergdawg@netzero.net ("Paul Ferguson") writes:
My next question to the peanut gallery is: What do you suggest we should do on other hosting IP blocks that are continuing to host criminal activity, even in the face of abuse reports, etc.?
depending on what you mean by "we", the immortal words of many MAPS lawsuits spring to mind here: "illegal conspiracy" and "prospective economic advantage." simply put, if a bunch of like-minded folks want to get together and decide that a given ISP is behaving badly and all decide to deny peering and transit to that ISP, then you should all first divorce your husband or wife after putting all joint assets in his or her name.
Seriously -- I think this is an issue which needs to be addressed here. ISPs cannot continue to sweep this issue under the proverbial carpet.
Is this an issue that network operations folk don't really care about?
the great unsolved problem in every network is "other people's networks". whether that's networks who won't peer with you, or networks who drop your customers' packets either because of shaping or overcommit, or networks who sell service to people you hate and then run a crappy abuse desk, it's all one thing: OPN: Other People's Networks. OPN's are an unmanageable risk to all of us. netops people generally sweep OPNs under the rug, yes. -- Paul Vixie
Any discussion on this or any other public list about joint action could be portrayed as conspiracy. As Paul said, set your financial and career affairs in order before doing so.
Better for each company's netops to quietly blacklist IPs/netblocks/ASNs as they each see fit. If the traffic coming/going to there is truly garbage, then customers won't complain. If there are valid concerns, then operators can work with their customers individually.
Frank
-----Original Message-----
From: Paul Vixie [mailto:vixie@isc.org]
Sent: Monday, September 01, 2008 12:15 PM
To: nanog@merit.edu
Subject: Re: GLBX De-Peers Intercage [Was: RE: Washington Post: Atrivo/Intercag
fergdawg@netzero.net ("Paul Ferguson") writes:
My next question to the peanut gallery is: What do you suggest we should do on other hosting IP blocks that are continuing to host criminal activity, even in the face of abuse reports, etc.?
depending on what you mean by "we", the immortal words of many MAPS lawsuits spring to mind here: "illegal conspiracy" and "prospective economic advantage." simply put, if a bunch of like-minded folks want to get together and decide that a given ISP is behaving badly and all decide to deny peering and transit to that ISP, then you should all first divorce your husband or wife after putting all joint assets in his or her name.
Seriously -- I think this is an issue which needs to be addressed here. ISPs cannot continue to sweep this issue under the proverbial carpet.
Is this an issue that network operations folk don't really care about?
the great unsolved problem in every network is "other people's networks". whether that's networks who won't peer with you, or networks who drop your customers' packets either because of shaping or overcommit, or networks who sell service to people you hate and then run a crappy abuse desk, it's all one thing: OPN: Other People's Networks. OPN's are an unmanageable risk to all of us. netops people generally sweep OPNs under the rug, yes. -- Paul Vixie
Paul Vixie said on 9/1/08 "OPN's are an unmanageable risk to all of us. Netops people generally sweep OPNs under the rug, yes." I agree completely, but how do we begin to address this problem? Words are not enough, we need some action and that action, whatever it may be will make the public network a better place for all of us. Divorcing my wife after 6 hours in the car with a newborn and a 4 day visit with my in-laws has a very real appeal to it. Hmmm... most sincerely, Richard Golodner
Paul Ferguson wrote:
My next question to the peanut gallery is: What do you suggest we should do on other hosting IP blocks that are continuing to host criminal activity, even in the face of abuse reports, etc.?
Seriously -- I think this is an issue which needs to be addressed here. ISPs cannot continue to sweep this issue under the proverbial carpet.
Is this an issue that network operations folk don't really care about?
IMHO policy should only be dictated by the edge, never upstream of that point. Now whether the edge is defined as the edge provider or the actual end-user is up for debate. I don't want my upstreams to make a decision what my SP and thus my customers can get to. My customers can't contact my upstream and argue for listing or delisting a given IP like they can with me. They can't speak with their dollars to my upstream like they can with me, their edge provider.
Then again should I as the edge provider filter for my customers? Value-add service or a bonus service? It depends on your point of view.
Justin
participants (16)
- Adrian Chadd
- bmanning@vacation.karoshi.com
- Eric Brunner-Williams
- Florian Weimer
- Frank Bulk
- Gadi Evron
- Jay R. Ashworth
- Justin Shore
- Laurence F. Sheldon, Jr.
- Paul Ferguson
- Paul Vixie
- Richard Golodner
- Steven M. Bellovin
- Suresh Ramasubramanian
- Valdis.Kletnieks@vt.edu
- William Waites