RE: Abuse procedures... Reality Checks
On Sat, Apr 07, 2007 at 02:31:25PM -0500, Frank Bulk wrote:
I understand your frustration and appreciate your efforts to contact the sources of abuse, but why indiscriminately block a larger range of IPs
than
what is necessary?
1. There's nothing "indiscriminate" about it.
I often block /24's and larger because I'm holding the *network* operators responsible for what comes out of their operation.
Define network operator: the AS holder for that space or the operator of that smaller-than-slash-24 sub-block? If the problem consistently comes from /29 why not just leave the block in and be done with it? I guess this begs the question: Is it best to block with a /32, /24, or some other range? Sounds a lot like throwing something against the wall and seeing what sticks. Or vigilantism.
If they can't hold the outbound abuse down to a minimum, then I guess I'll have to make up for their negligence on my end.
Sure, block that /29, but why block the /24, /20, or even /8? Perhaps your (understandable) frustration is preventing you from agreeing with me on this specific case. Because what you usually see is an IP from a /20 or larger and the network operators aren't dealing with it. In the example I gave it's really the smaller /29 that's the culprit, it sounds like you want to punish a larger group, perhaps as large as an AS, for the fault of smaller network.
I don't care why it happens -- they should have thought through all this BEFORE plugging themselves in and planned accordingly. ("Never build something you can't control.")
Agreed.
Neither I nor J. Oquendo nor anyone else are required to spend our time, our money, and our resources figuring out which parts of X's network can be trusted and which can't.
It's not that hard, the ARIN records are easy to look up. Figuring out that network operator has a /8 that you want to block based on 3 or 4 IPs in their range requires just as much work.
It is entirely X's responsibility to make sure that its _entire_ network can be permitted the privilege of access to ours. And (while I don't wish to speak for anyone else), I think we're prepared to live with a certain amount of low-level, transient, isolated noise.
Noise like that is inevitable part of the job.
We are not prepared to live with persistent, systemic attacks that are not dealt with even *after* complaints are filed. (Which shouldn't be necessary anyway: if we can see inbound hostile traffic to our networks, surely X can see it outbound from theirs. Unless X is too stupid, cheap or lazy to look. Packets do not just fall out of the sky, y'know?)
Smaller operators, like those that require just a /29, often don't have that infrastructure. Those costs, as I'm sure you aware, are passed on to companies like yourself that have to maintain their own network's security. Again, block them, I say, just don't swallow others up in the process.
2. "necessary" is a relative term.
Example: I observed spam/spam attempts from 3,599 hosts on pldt's network during January alone. I've blocked everything they have, because I find it *necessary* to not wait for the other N hosts on their network to pull the same stunt. I've found it *necessary* to take many other similar measures as well because my time, money and resources are limited quantities, so I must expend them frugally while still protecting the operation from overtly hostile networks.
That's my point: you want to spend time dealing with the other 8 networks because you blacked them, out, too?
That requires pro-active measures and it requires ones that have been proven to be effective.
If X, for some value of X, is unhappy about this, then X should have thought of that before permitting large amounts of abuse to escape its operation over an extended period of time. Had X done its job to a baseline level of professionalism, then this issue would not have arisen, and we'd all be better off for it.
Agreed, but economics usually dictate otherwise.
So. If you (generic you) can't keep your network from being a persistent and systemic abuse source, then unplug it. Now.
They want to run a business, too. So when you blacklist they will end up calling you asking for mercy, telling you that it's been cleaned up. Inevitably something/someone gets infected, you black them out, rinse, repeat.
If on other hand, you decide to stick around anyway while letting the crap flow: no whining when other people find it necessary to take steps to defend themselves from your incompetence.
---Rsk
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Apr 7, 2007, at 4:20 PM, Frank Bulk wrote:
Sure, block that /29, but why block the /24, /20, or even /8? Perhaps your (understandable) frustration is preventing you from agreeing with me on this specific case. Because what you usually see is an IP from a /20 or larger and the network operators aren't dealing with it. In the example I gave it's really the smaller /29 that's the culprit, it sounds like you want to punish a larger group, perhaps as large as an AS, for the fault of smaller network.
Well it sounds like the original poster is trying to punish the "network operator" by intentionally blocking innocent bystanders and therefore causing them grief so if that is your goal then a /24 seems like a decent arbitrary size. You are mostly sure you won't block across providers that way at least. However, even if this isn't your goal it can be really hard sometimes to have any clue how big a netblock is for a particular IP address. ARIN may make small folks like us jump through hoops but apparently this isn't true for larger providers. We often run into abuse from IP addresses (or a range of addresses) where there is no rwhois sever and the entire /19 or larger is SWIPed as a single netblock. I've seen some really, really large blocks with absolutely no sub- delegation when clearly the addresses are sub-delegated. We will often temporary block a /24 on email blacklists for instance. When you're getting pounded from a range of 30 or 50 IP addresses and can't get any response from the upstream then it is farily obvious they are less than white hat so we're willing to live with the collateral damage. Chris ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Chris Owen ~ Garden City (620) 275-1900 ~ Lottery (noun): President ~ Wichita (316) 858-3000 ~ A stupidity tax Hubris Communications Inc www.hubris.net ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (Darwin) iD8DBQFGGA6nElUlCLUT2d0RAkWzAJ4mjXT5gwB0psG7e/YhmzUcFXhksgCgyx2g 5VDgB0KMLyMFIdVzrPaPGJI= =E5xl -----END PGP SIGNATURE-----
Frank Bulk wrote:
[[Attribution deleted by Frank Bulk]]
Neither I nor J. Oquendo nor anyone else are required to spend our time, our money, and our resources figuring out which parts of X's network can be trusted and which can't.
It's not that hard, the ARIN records are easy to look up. Figuring out that network operator has a /8 that you want to block based on 3 or 4 IPs in their range requires just as much work.
It's *very* hard to do it with an automated system, as such automated look-ups are against the Terms of Service for every single RIR out there. Please play the bonus round: try again.
[[Attribution deleted by Frank Bulk]]
Neither I nor J. Oquendo nor anyone else are required to spend our time, our money, and our resources figuring out which parts of X's network can be trusted and which can't.
It's not that hard, the ARIN records are easy to look up. Figuring out
Stephen: Are you saying that if there's nefarious IP out there let's automatically blacklist the /24 of that IP? J. Oquendo was describing his own methods and they sounded quite manual, manual enough that he's getting down to a /8 as necessary to blacklist a non-responsive operator. My point is that if you're going to block something, either block the /32 or do the research to justify blocking a larger group. And despite ToS, I think many operators are running automated lookups, and there are lots of examples out there for ARIN. Frank -----Original Message----- From: Stephen Satchell [mailto:list@satchell.net] Sent: Saturday, April 07, 2007 5:44 PM To: frnkblk@iname.com Cc: nanog@nanog.org Subject: Re: Abuse procedures... Reality Checks Frank Bulk wrote: that
network operator has a /8 that you want to block based on 3 or 4 IPs in their range requires just as much work.
It's *very* hard to do it with an automated system, as such automated look-ups are against the Terms of Service for every single RIR out there. Please play the bonus round: try again.
Neither I nor J. Oquendo nor anyone else are required to spend our time, our money, and our resources figuring out which parts of X's network can be trusted and which can't.
you should only spend resources on activities which will benefit you, of course. research into a /N to find out which /(M>N)'s are good and which are evil can pay back in a lower false-positive rate, which will matter to some blockers more than others.
It's not that hard, the ARIN records are easy to look up. Figuring out that network operator has a /8 that you want to block based on 3 or 4 IPs in their range requires just as much work.
as several others have pointed out, detailed records are often unavailable and are sometimes wrong. my theory is that folks don't want to put abuse contact info into WHOIS that will just cause them to be reportbombed with low quality automated trash having no particular format, lacking useful detail, and often complaining to the wrong place. (for example, as one of the WHOIS contacts for AS112, i am reportbombed frequently by folks whose reportbot's best guess at who-spammed-them is an RFC 1918 address.)
It's *very* hard to do it with an automated system, as such automated look-ups are against the Terms of Service for every single RIR out there.
perhaps appropos of this, http://www.arin.net/announcements/article_352.html says that there's a movement afoot to remove one of the WHOIS query limits at ARIN. if someone here thinks that a TOS change that permitted automated lookups for the purpose of abuse reporting would be good, then in the ARIN region, http://www.arin.net/policy/irpep.html says how you can suggest such. -- Paul Vixie
On Sat, Apr 07, 2007 at 04:20:59PM -0500, Frank Bulk wrote:
Define network operator: the AS holder for that space or the operator of that smaller-than-slash-24 sub-block? If the problem consistently comes from /29 why not just leave the block in and be done with it?
Because experience...long, bitter experience...strongly indicates that what happens today often merely presages what will happen tomorrow. Because I haven't got unlimited time. Or money. Or resources. Because I haven't got unlimited WHOIS queries. (Although I and everyone else *should* have those. There are no valid reasons to rate-limit any form of WHOIS query.) Because there are way, WAY too many incompetently-managed networks whose operators can often be heard complaining about the abuse inbound to them at the same time they fail to take rudimentary measures to control the abuse outbound from them. <cough> port 25 blocking <cough> Because I was more patient for the first decade or two, and it proved to be a losing strategy. Because This Is Not My Problem. If by chance someone benign has chosen to locate their operation in known-hostile, known-negligently-operated network space, then their failure to perform due diligence may have consequences for them.
I guess this begs the question: Is it best to block with a /32, /24, or some other range? Sounds a lot like throwing something against the wall and seeing what sticks. Or vigilantism.
1. Gratuitously labeling carefully-considered measures as random is not a route to productive conversation. 2. It is hardly "vigilantism" to take passive measures to protect one's network/systems/users from hostile activity. Doubly so when those measures consist merely of a refusal to grant a *privilege* after it's been repeatedly, systemically abused. ---Rsk
Because I haven't got unlimited WHOIS queries. (Although I and everyone else *should* have those. There are no valid reasons to rate-limit any form of WHOIS query.)
Yes there are. The current whois returns way more information on a query than you need for network operations. That's because the current whois was designed back in the 1970's so that ARPANET network managers could identify all the users of the network in order to help them make the business case for their budget requests to cover the cost of high-speed 56k frame relay links. There is no good reason to rate-limit a query that takes an IP address (or IP address range or CIDR block) and returns with a list of database record identifiers for the enclosing blocks. The record identifiers for organizations who directly received an allocation or assignment from ARIN would be their org-id. The other ones, SWIP records, would have some fixed database key like REASG20060000000022812536. If no REASsiGnment record exists, you now have the orgid to contact and have no need to do an additional query if they are a known organization. If the REASiGnment records do exist, you can look them up in your own database to see if they are a re-offender. And if you really need to, then you can do a RATE-LIMITED lookup of contact info. One type of query is justifiably rate limited to prevent DB scraping by spammers et al. The other type is not, however it does not currently exist because the RIR whois directory was not created for network operations support nor is it designed to do this job. You can hack together all kinds of mashups that sort of work if you squint the right way, but the bottom-line is that whois does not do the job that many network operators think it does or would like it to do.
Because This Is Not My Problem. If by chance someone benign has chosen to locate their operation in known-hostile, known-negligently-operated network space, then their failure to perform due diligence may have consequences for them.
It would be interesting if you, and other like-minded hard-nosed network admins would get together and write a requirements document for a whois type directory lookup that would actually support you in what you are trying to do while minimizing collateral damage. The only caveat is that it must be legal to implement in the USA, i.e. you will never get GPS coordinates and a photo of the registrant in such a system. In my opinion, the purpose and scope of such a directory is to provide contact info for people who are ready, willing and able to communicate regarding network operations and interconnect issues and who are able to act on that communication. All contact info should be verified with the contactee who must EXPLICITLY agree to have the info published. All contact info will be verified periodically (maybe every 4 months?) by out-of band means, i.e. the directory operator will keep track of individual email addresses and phone numbers for role account managers. If such a directory did exist, then it would be smaller than whois. You would get many more failures on a quick query which is a good thing. It means that the network operator did not make it a contractual requirement for their customer to maintain an up-to-date network contact. In that case, the network operator is not just morally responsible for abuse, they are contractually responsible. Or maybe you could come up with something better?
1. Gratuitously labeling carefully-considered measures as random is not a route to productive conversation.
Agreed. I think a lot of the problem stems from assumptions. People make a lot of assumptions on what whois does based on the net folklore that was handed down to them when they "joined" the Internet. Few people seem to question such folklore and few people notice that not everybody shares the same understanding. However, it is a lot easier for people to notice that your carefully-considered measures look like a lot like a crude weapon that causes lots of collateral damage. They feel that you could do better and attack you rather than attacking their own assumptions which are the real root of the problem. If you had better data to work with, then your carefully-considered measures would evolve to appear highly sophisticated wisdom, and would also cause little collateral damage. --Michael Dillon
On Tue, Apr 10, 2007 at 03:11:31PM +0100, michael.dillon@bt.com wrote: ...
Yes there are. The current whois returns way more information on a query than you need for network operations. That's because the current whois was designed back in the 1970's so that ARPANET network managers could identify all the users of the network in order to help them make the business case for their budget requests to cover the cost of high-speed 56k frame relay links.
Mike, that's twice in two days that you've made that assertion. I don't remember any financial administrator in those days that would have accepted WHOIS output as justification for anything. I do remember, however, that those "high-speed" 9600 baud and 56Kb links were point-to- point and went down a lot. And so what I remember the WHOIS entries being used for was: ...
In my opinion, the purpose and scope of such a directory is to provide contact info for people who are ready, willing and able to communicate regarding network operations and interconnect issues and who are able to act on that communication. All contact info should be verified with the contactee who must EXPLICITLY agree to have the info published. All contact info will be verified periodically (maybe every 4 months?) by out-of band means, i.e. the directory operator will keep track of individual email addresses and phone numbers for role account managers. ...
so that we could contact the person at the other end who was responsible for and knowledgable of their side of the network connection, to fix it. At o-dark-thirty, if necessary. Unfortunately, the way WHOIS is maintained these days, this can no longer be trusted. Note: at the time, I was a bit younger and did not often encounter financial managers, so it's possible some might have accepted WHOIS output. But most people thought computers were some weird thing out THERE [point in random direction], and would sooner have accepted a hand-written note than one printed on a TTY33 or chain printer. -- Joe Yao Analex Contractor
participants (7)
-
Chris Owen -
Frank Bulk -
Joseph S D Yao -
michael.dillon@bt.com -
Paul Vixie -
Rich Kulawiec -
Stephen Satchell