RE: Abuse procedures... Reality Checks
I have to disagree. SWIP is not meaningless. In my company some functions related to sending a SWIP are automated, but my company has people on staff who know that it is happening and what it means. And I talk with plenty of other companies that fall into the same boat. In short I find this one comment below to be argumentative and full of conjecture.

Regards
Marla Azinger
Frontier Communications

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of michael.dillon@bt.com
Sent: Monday, April 09, 2007 1:39 PM
To: nanog@merit.edu
Subject: RE: Abuse procedures... Reality Checks
I would have to respectfully disagree with you. When network operators do due diligence and SWIP their sub-allocations, they (the sub-allocations) should be authoritative in regards to things like RBLs.
How do you tell when they have actually done "due diligence"? Existence of a SWIP record is essentially meaningless in this day and age. Many people do them automatically and there may well be nobody left on staff who knows that this is happening or what it all means. --Michael Dillon
On Mon, 09 Apr 2007 17:11:28 EDT, "Azinger, Marla" said:
In my company some functions related to sending a SWIP are automated, but my company has people on staff who know that it is happening and what it means.
Just because *your* site has enough clue to get it right doesn't mean that the *average* site has enough clue to get it right. In fact, I'll go out on a limb and posit that *in the cases I care about*, it's even *less* likely that the SWIP is correct, because the same general attitude of cluelessness that made them unable to police their users and enforce their AUP (resulting in malicious packets arriving at my network) will also tend to mean they didn't get the SWIP right. So to sum up: The sites that *do* SWIP right are more likely to deal with their user before I hear about it, causing me to *check* the whois. Meanwhile, the sites that cluelessly allow malicious traffic also often don't SWIP right - and that results in me contemplating the smallest range I *do* see in the whois data. They didn't SWIP it so I could find the offending /26, that's tough noogies for the rest of their /18. Now where did I leave my Nomex jumpsuit? :)
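As an added example (not code from any poster or from ARIN), this is what the lookup Valdis describes looks like against a constructed whois directory: the longest-prefix record covering the offending host is the one an abuse handler can act on, so a host in space that was never SWIP'd resolves to the whole allocation. The organisation names, contacts and the 203.0.113.0/24 prefix are constructed; the /29 threshold in requires_swip is the ARIN rule quoted later in the thread.

```python
"""Which whois record does an abuse handler actually see for an offending IP?

Added example for this thread, not code from any poster or from ARIN. The
directory below is constructed; 203.0.113.0/24 (RFC 5737 documentation
space) stands in for a real RIR allocation.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Union


@dataclass(frozen=True)
class NetRecord:
    network: IPv4Network
    org: str
    abuse_contact: str
    kind: str  # "allocation" (issued by the RIR) or "reassignment" (SWIP'd to a customer)


# Constructed directory: the provider's allocation plus the two reassignments
# it actually SWIP'd. Every other host in the /24 has no more-specific record.
RECORDS: List[NetRecord] = [
    NetRecord(ip_network("203.0.113.0/24"), "Example Provider", "abuse@provider.example", "allocation"),
    NetRecord(ip_network("203.0.113.0/26"), "Hosting Customer A", "abuse@customer-a.example", "reassignment"),
    NetRecord(ip_network("203.0.113.8/29"), "Colo Customer B", "noc@customer-b.example", "reassignment"),
]


def covering_records(ip: Union[str, IPv4Address], records: List[NetRecord]) -> List[NetRecord]:
    """All records that contain ip, most specific (longest prefix) first."""
    addr = ip_address(ip) if isinstance(ip, str) else ip
    hits = [r for r in records if addr in r.network]
    return sorted(hits, key=lambda r: r.network.prefixlen, reverse=True)


def most_specific(ip: Union[str, IPv4Address], records: List[NetRecord]) -> Optional[NetRecord]:
    """The record an abuse handler acts on: the longest-prefix match, or None."""
    hits = covering_records(ip, records)
    return hits[0] if hits else None


def block_scope(ip: Union[str, IPv4Address], records: List[NetRecord]) -> Optional[str]:
    """Smallest range the whois data lets an operator identify for ip.

    A host in space that was never SWIP'd resolves to the whole allocation,
    which is the "whole /18 blocked for the sake of an unregistered /26" case.
    """
    rec = most_specific(ip, records)
    return str(rec.network) if rec else None


def requires_swip(reassignment: Union[str, IPv4Network], operates_rwhois: bool = False) -> bool:
    """Rule quoted in the thread: /29 and larger must be reported to the RIR
    unless the allocation holder operates an rwhois server instead."""
    net = ip_network(reassignment) if isinstance(reassignment, str) else reassignment
    return net.prefixlen <= 29 and not operates_rwhois


if __name__ == "__main__":
    for host in ("203.0.113.9", "203.0.113.40", "203.0.113.200"):
        rec = most_specific(host, RECORDS)
        print(f"{host:15} -> {str(rec.network):<18} {rec.org} <{rec.abuse_contact}> [{rec.kind}]")
```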
I have to disagree. SWIP is not meaningless.
In my company some functions related to sending a SWIP are automated, but my company has people on staff who know that it is happening and what it means.
And I talk with plenty of other companies that fall into the same boat.
In short I find this one comment below to be argumentive and full of conjecture.
No more argumentative and full of conjecture than your posting. I said that there were SOME companies where SWIP is just a mysterious automated process and nobody on staff fully understands the meaning of it, beyond the fact that it needs to be done to help get approval for that next allocation request. The fact that SOME companies do have a process for managing SWIP as they understand it, does not mean that there are no delinquents. I also find it curious that you claim to have people on staff at your company who know what SWIP means. Perhaps you could ask them to share that information with us since I have never seen this documented anywhere. Do they really know what you claim they know? --Michael Dillon
On Tue, Apr 10, 2007 at 10:30:32AM +0100, michael.dillon@bt.com wrote: ...
I also find it curious that you claim to have people on staff at your company who know what SWIP means. Perhaps you could ask them to share that information with us since I have never seen this documented anywhere. Do they really know what you claim they know? ...
http://www.swip.com/: Scottish Widows Investment Partnership
http://www.uh.edu/~cfreelan/SWIP/: Society for Women in Philosophy
http://www.sat-tel.com/Swip.html: Shared WHOIS Project
http://www.swip.net/: The Swedish IP Network

Note that there are far more entries for chapters of SWIP #2 than for any others. But one may assume that you refer to SWIP #3. Definitions on the Web found by Google do vary slightly. The referenced InterNIC policy appears to no longer be available on the InterNIC Web site. However, <http://www.arin.net/registration/guidelines/report_reassign.html> will do. There seem to have been more proposals on how to produce a better WHOIS than one can assume in a reasonable amount of time. ;-]

-- Joe Yao
Analex Contractor
michael.dillon@bt.com wrote:
I also find it curious that you claim to have people on staff at your company who know what SWIP means. Perhaps you could ask them to share that information with us since I have never seen this documented anywhere. Do they really know what you claim they know?
--Michael Dillon
Google is your friend.

http://www.arin.net/registration/guidelines/report_reassign.html

Shared WHOIS Project (SWIP)

"SWIP is a process used by organizations to submit information about downstream customer's address space reassignments to ARIN for inclusion in the WHOIS database. Its goal is to ensure the effective and efficient maintenance of records for IP address space.

"SWIP is intended to:
* Provide information to identify the organizations utilizing each subdelegated IP address block.
* Provide registration information for each IP address block.
* Track utilization of allocated IP address blocks to determine if additional allocations may be justified.

"For IPv4, organizations can use the Reassign-Simple, Reassign-Detailed, Reallocate, and Network-Modification templates to report SWIP information.

"Organizations reporting IPv6 reassignment information can use the IPv6 Reassign, IPv6 Reallocate, and IPv6 Modify templates.

"Organizations may only submit reassignment data for records within their allocated blocks. ARIN reserves the right to make changes to these records upon the organization's approval. Up to 10 templates may be submitted as part of a single e-mail."

SWIPs are required for reallocations of /29 and larger if the allocation owner does not operate a RWhoIs server.

Of course, SWIP is an ARIN thing, and you work for BRITISH TELECOMMUNICATIONS PLC. As a US network operator, I was well aware of the requirements for SWIP, because ARIN rules make it clear that, as a netblock owner of an ARIN allocation, I'm required to do it. Which numbering authority do you work with day to day?
Stephen Satchell wrote:
SWIPs are required for reallocations of /29 and larger if the allocation owner does not operate a RWhoIs server.
Of course, SWIP is a ARIN thing, and you work for BRITISH TELECOMMUNICATIONS PLC. As a US network operator, I was well aware of the requirements for SWIP, because ARIN rules make it clear that, as a netblock owner of an ARIN allocation, I'm required to do it.
Being I work at a US network operator and others who've been attacking my hosts come from US network operators, who can I complain to when some of the bigger fish are not complying with these so called rules? Many network operators are required to do a lot of things, one of these things should be the mitigation of malicious traffic from LEAVING their network. If some of these companies can't follow the rules, then I see no need for me to discontinue "punishing" allocations on their CIDRs whenever my network is attacked since it seems to be the only method I found to 1) protect my networks and clients and 2) to get someone's attention.
Which numbering authority do you work with day to day?
Me? I work for an authority that many bigger providers should be following its guidelines and setting examples for smaller network operators. I shouldn't have to do the work for some of these bigger operators. I shouldn't have to send emails making them aware that 40 hosts on their /24 are sending out malicious traffic. Maybe ARIN staff should start re-writing policies and implementing out punishments. Guarantee you if operators were penalized for not following rules, for allowing filth to leave their networks, I bet you many maladies on the net would be cut substantially. Not going to be a popular stance to most of the bigger fish, but let's get real here, looking at normal everyday life, if a country were shipping rotten products, don't you think those in government would call for measures to halt these products else no business would occur with said country. Why not re-write policies to do the same with networks. I will always point to dampening/flapping on BGP as a baseline... Company X violates, null route them for a second or two until they comply. They still don't listen double the penalty and null route them twice the amount. Once their pockets start hurting, they'll get a clue. And if their engineers still don't get it, then management of that company would be fools to keep their lazy asses around.

--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net
http://www.infiltrated.net

The happiness of society is the end of government.
John Adams
Maybe ARIN staff should start re-writing policies and implementing out punishments. Guarantee you if operators were penalized for not following rules, for allowing filth to leave their networks, I bet you many maladies on the net would be cut substantially.
Sorry, that's not their job. That is *YOUR* job! http://lists.arin.net/mailman/listinfo/ppml Join the list and propose the new policy. And ARIN will never mete out punishments or act as a police force in any way because that is not in ARIN's charter. However, it could operate a whois directory that meets the needs of network operators fighting abuse, if said network operators would get off their butts, agree on a policy describing such a whois directory, and propose it to ARIN. It's like a lot of those people who complain about the Bush administration. If you asked them whether they voted Democrat in the last election, they often say no, they didn't vote at all. Well, you not only get what you vote for, but you also get what you don't vote against. Network operators who don't participate in ARIN policy development don't deserve to complain about anything ARIN-related. --Michael Dillon
On Wed, 11 Apr 2007 07:07:19 EDT, "J. Oquendo" said:
these so called rules? Many network operators are required to do a lot of things, one of these things should be the mitigation of malicious traffic from LEAVING their network.
And I want a pony. We don't even do a (near) universal job of filtering rfc1918 addresses and spoofed addresses. We aren't filtering obvious bogon packets, how do you propose we filter less obvious malicious traffic (is that SYN packet legit, or part of a DDOS, or just a slashdotting of a suddenly popular site?).
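An added example, not from any poster: the egress checks Valdis names (RFC 1918 sources, other obvious bogon sources, and spoofed sources outside our own prefixes, the BCP 38 rule) applied to constructed outbound flow records. The flow-record format, the bogon list and the assumed own prefix 203.0.113.0/24 are all constructed for the example.

```python
"""Egress sanity check over flow records (the "what LEAVES your network" side).

Added example for this thread, not code from any poster. It applies the checks
Valdis names (RFC 1918 sources, other obvious bogon sources, spoofed sources
outside our own prefixes, per BCP 38) to constructed flow records.
"""
import re
from collections import Counter
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, Iterable, List, Tuple, Union

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Other sources that should never leave a network: unspecified, loopback,
# link-local, shared address space (RFC 6598), multicast and class E. RFC 5737
# documentation prefixes are left out because the sample treats them as routable.
OTHER_BOGONS = [ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed flow-record format: "src=A dst=B proto=P [dport=N]".
FLOW_RE = re.compile(r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+proto=(?P<proto>\w+)")


def _nets(prefixes: Iterable[Union[str, IPv4Network]]) -> List[IPv4Network]:
    return [ip_network(p) if isinstance(p, str) else p for p in prefixes]


def _in_any(addr, nets: Iterable[IPv4Network]) -> bool:
    return any(addr in n for n in nets)


def classify_egress(src: str, dst: str, own_prefixes: Iterable[Union[str, IPv4Network]]) -> str:
    """Verdict for one packet about to leave via the uplink."""
    s, d = ip_address(src), ip_address(dst)
    if _in_any(s, RFC1918):
        return "drop:rfc1918-source"
    if _in_any(s, OTHER_BOGONS):
        return "drop:bogon-source"
    if not _in_any(s, _nets(own_prefixes)):
        return "drop:spoofed-source"     # BCP 38: never originate from someone else's space
    if _in_any(d, RFC1918) or _in_any(d, OTHER_BOGONS):
        return "drop:bogon-destination"  # internal/reserved destinations leaking out
    return "permit"


def parse_flow(line: str) -> Tuple[str, str, str]:
    m = FLOW_RE.search(line)
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    return m.group("src"), m.group("dst"), m.group("proto")


def audit(lines: Iterable[str], own_prefixes: Iterable[str]) -> List[Tuple[str, str]]:
    """(record, verdict) for every non-blank, non-comment flow line."""
    nets = _nets(own_prefixes)
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, _proto = parse_flow(line)
        results.append((line, classify_egress(src, dst, nets)))
    return results


def summarize(results: Iterable[Tuple[str, str]]) -> Dict[str, int]:
    return dict(Counter(verdict for _, verdict in results))


# Constructed sample: we are assumed to hold 203.0.113.0/24 (RFC 5737 space
# standing in for a real allocation); these are flows on the outbound side.
OUR_PREFIXES = ["203.0.113.0/24"]
SAMPLE_FLOWS = """
src=203.0.113.10 dst=198.51.100.25 proto=tcp dport=25
src=10.1.2.3 dst=198.51.100.25 proto=udp dport=53
src=192.0.2.77 dst=198.51.100.80 proto=tcp dport=80
src=127.0.0.1 dst=198.51.100.80 proto=tcp dport=80
src=203.0.113.10 dst=192.168.1.1 proto=icmp
src=169.254.9.9 dst=198.51.100.1 proto=udp dport=123
""".splitlines()

if __name__ == "__main__":
    results = audit(SAMPLE_FLOWS, OUR_PREFIXES)
    for line, verdict in results:
        print(f"{verdict:24} {line}")
    print(summarize(results))
```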
Valdis.Kletnieks@vt.edu wrote:
On Wed, 11 Apr 2007 07:07:19 EDT, "J. Oquendo" said:
these so called rules? Many network operators are required to do a lot of things, one of these things should be the mitigation of malicious traffic from LEAVING their network.
And I want a pony.
We don't even do a (near) universal job of filtering rfc1918 addresses and spoofed addresses. We aren't filtering obvious bogon packets, how do you propose we filter less obvious malicious traffic (is that SYN packet legit, or part of a DDOS, or just a slashdotting of a suddenly popular site?).
When you say we, speak for yourself and your own networks. There ARE some people who do take the time to properly design their networks. It is the same "Well since Billy didn't do it neither will I" attitude that makes me never think twice about blocking CIDR's. Since 'THEY' (your "WE") didn't properly configure their network, why should I think twice about letting it into my backyard. I guess it's calling for too much for network operators to actually do their work though and I guess considering IPv6 is like how many years away now, I can expect that much of a wait for people to implement what should have been done from the onset.

I don't care how filtering gets done from someone else. Like I said if I can watch and control what comes out of my networks using raw tools on nix machines, you cannot with a straight face/typing method tell me that someone at one of these big providers can't clue themselves in to getting malicious traffic controlled. Should someone want to comment about "oh golly the cost is outrageous" I say bs... It's utter laziness from my eyes. So here I go politely pointing it out... If I can do it with a couple of thousand machines on my VERY OWN, not a "team", not a "department" but me, in a matter of minutes, situate my network to not send out crap, then why can't these companies?

I'd like to hear something logical, not someone's opinion. Something like "According to ARIN/IEEE specifications of foobarfoo, operators are not allowed to view traffic entering or leaving their networks" which hinders this. There is no reason I could think of, no scenario I could imagine, that would prohibit network operators from putting the nail in the coffin with stuff LEAVING THEIR NETS. Note the word LEAVING now. If it doesn't leave, you wouldn't have complaints from some other operator now would you.

--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net
http://www.infiltrated.net

The happiness of society is the end of government.
John Adams
On Apr 11, 2007, at 11:28 AM, J. Oquendo wrote:
Valdis.Kletnieks@vt.edu wrote:
On Wed, 11 Apr 2007 07:07:19 EDT, "J. Oquendo" said:
these so called rules? Many network operators are required to do a lot of things, one of these things should be the mitigation of malicious traffic from LEAVING their network.
And I want a pony.
We don't even do a (near) universal job of filtering rfc1918 addresses and spoofed addresses. We aren't filtering obvious bogon packets, how do you propose we filter less obvious malicious traffic (is that SYN packet legit, or part of a DDOS, or just a slashdotting of a suddenly popular site?).
When you say we, speak for yourself and your own networks. There ARE some people who do take the time to properly design their networks.
And I would suggest that Valdis is one of them.... From my reading of his message I understood that: A: Some people filter bad stuff. B: Some people don't. I don't think that it is unreasonable that he used "we" to include all network engineers -- "we" as a community does include A and B
It is the same "Well since Billy didn't do it neither will I" attitude that makes me never think twice about blocking CIDR's.
So, I have always wondered -- how do your customers really react when they can no longer reach www.example.com, a site hosted a few IPs away from www.badevilphisher.net? And do you really think that you blocking them is going to make example.com contact their provider to get things fixed?
Since 'THEY' (your "WE") didn't properly configure their network, why should I think twice about letting it into my backyard. I guess it's calling for too much for network operators to actually do their work though
Have you considered that being a little politer and not insulting everyone on the list might be a more constructive way of getting your point across -- if I were to call you a "big, fat, doodoo head" you would probably be less receptive than if I didn't...
and I guess considering IPv6 is like how many years away now, I can expect that much of a wait for people to implement what should have been done from the onset.
I don't care how filtering gets done from someone else. Like I said if I can watch and control what comes out of my networks using raw tools on nix machines, you cannot with a straight face/typing method tell me that someone at one of these big providers can't clue themselves in to getting malicious traffic controlled.
Should someone want to comment about "oh golly the cost is outrageous" I say bs... It's utter laziness from my eyes. So here I go politely pointing it out... If I can do it with a couple of thousand machines on my VERY OWN, not a "team", not a "department" but me, in a matter of minutes, situate my network to not send out crap, then why can't these companies?
Yes, it is great that you are doing your bit to help keep the net clean. Congratulations and thank you. Perhaps you could write a nice, simple, friendly guide explaining how you ensure that your network is never the source of malicious traffic? And how this can be scaled up to work in a large, backbone network where? Perhaps you could politely contact those who are not doing their bit and, in a helpful manner explain how they could improve -- educating and encouraging change in those who are not doing their bit is much more likely to make things better than screaming "You suck, I'm not going to accept your packets, nah nah nah."
I'd like to hear something logical, not someone's opinion. Something like "According to ARIN/IEEE specifications of foobarfoo, operators are not allowed to view traffic entering or leaving their networks" which hinders this. There is no reason I could think of, no scenario I could imagine, that would prohibit network operators from putting the nail in the coffin with stuff LEAVING THEIR NETS.
Note the word LEAVING now. If it doesn't leave, you wouldn't have complaints from some other operator now would you.
I suspect that I should have just stayed out of this thread....

W

--
"Go on, prove me wrong. Destroy the fabric of the universe. See if I care." -- Terry Pratchett
Warren Kumari wrote:
So, I have always wondered -- how do you customers really react when they can no longer reach www.example.com, a site hosted a few IPs away from www.badevilphisher.net? And do you really think that you blocking them is going to make example.com contact their provider to get things fixed?
You confused two things.

1) I do my best to stop malicious traffic from leaving my network. With this said, if someone cannot get out somewhere, they're obviously going to get in touch with me as to why. Once this is done, it is explained to them that either their machine, or a machine on their network was doing something fuzzy therefore they were blocked. Most are actually thankful that it was pointed out to them as opposed to having to wait for Security Company X to update its virus/spamware definitions.

2) I do not block getting TO company X at first signs of garbage coming into my network from them. I've always contacted someone to some degree so don't misconstrue my actions as "I block the first packets I see." On the contrary I only block CIDR's after about 3 attempts at getting someone to assess their network. After that, I begin with services. This is my network so this is how it pans out... Spam? A CIDR to my email ports are blocked. SSH brute forcing, etc., those ports are blocked. Network who's blocked on ports continues, everything is then blocked.
Have you considered that being a little politer and not insulting everyone on the list might be a more constructive way of getting your point across -- if I were to call you a "big, fat, doodoo head" you would probably be less receptive than if I didn't...
What does being polite and "matter of factly" have to do with administrators cleaning up their networks? Should I beg an administrator of some network to be polite and not refer me to their generic abuse desk who'll do nothing about the issue? I actually am a little too polite in the fact that 1) I'm doing network operators a favor pointing them out to rogue hosts on THEIR networks not mine. If they want to continue hosting said rogue idiots, their problem. I won't be allowing it into my range. If you knew me personally, or have dealt with me, I can guarantee you within minutes of you contacting me for something I would be on it. I as an admin/engineer whatever you want to call me would want to make sure that nothing internal to me is affecting anyone else since it is likely to make things more difficult for me if left unchecked.

So on issues of politeness, I am being polite contacting people. I'm being double polite posting evil doing networks on my personal site so others can be aware that "These networks are infected. Here are their hosts if you want to block them." I do this on my own spare time, my own expense, and my own filtering of the denials of service that ensue when some botnet reject sees me post a percentage of his botnet. So please don't take my messages as anything other than "Hey... When is someone going to deal with this?" frustration targeted at those with the power to actually do something about it instead of waiting for someone else to take the first move.

Analogy: You live in a house and sweep your property. Your neighbors don't. Would you stop sweeping your house? Would you keep your house dirty simply because the majority around you do? I'm sure if you convinced the most visible neighbor to make a change, the others would follow suit. Heck in some areas those neighbors who didn't comply would face fines after some point. Why not bring this chain of thought to a network you maintain/manage.

As for documentation on this... There is PLENTY of it. Why should I write another document no one would follow? If some can't follow normal standards set by governmental bodies (for lack of better terms), what makes you think someone would say "Gee... That Oquendo sure wrote a nice document... Let me follow it" How about following standards and using good old fashioned common sense.

--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net
http://www.infiltrated.net

The happiness of society is the end of government.
John Adams
As for documentation on this... There is PLENTY of it. Why should I write another document no one would follow.
Because you might be a better writer than those other folks. You might be able to present the right balance of technical detail and policy goals to be understood by a larger number of people. People often ask me to advise them which book they should buy to learn language X fast. X being French or Russian or German etc. I always give the same advice. Go to a good bookstore that stocks a large choice of books in your chosen language. In some cities that means the local university bookshop, in others there may even be a specialist bookshop that sells just language books. The important thing is that you go and look at several different books, compare them to one another and FIND THE ONE WHOSE AUTHOR SPEAKS TO YOU. Find the writer whose writing matches your way of thinking. Other than that, buy one dictionary that you can carry with you all day long, one beginners book, and one graded reader to start. Every 6 months, go back to this (or another) shop and look over the selection again because you may have advanced to the point where additional books/CDs will help. And always avoid beginners books which do not use the native alphabet of the language you are learning, a particular problem with Japanese. In the masses of content that is indexed by Google, we need MORE variety, not less. Please do try to write something if you can. --Michael Dillon
On Apr 11, 2007, at 10:32 AM, Warren Kumari wrote:
Perhaps you could write a nice, simple, friendly guide explaining how you ensure that your network is never the source of malicious traffic?
Identify your ownership, and ensure contact information is accurate and well attended. Inconsiderate anonymous behavior is a typical failing, where there is no excuse for remaining ignorant of abusive activity. -Doug
"SWIP is a process used by organizations to submit information about downstream customer's address space reassignments to ARIN for inclusion in the WHOIS database. Its goal is to ensure the effective and efficient maintenance of records for IP address space.
Lovely language but it ignores the existence of Rwhois and does not explain by what standard the effectiveness and efficiency is judged.
"SWIP is intended to: * Provide information to identify the organizations utilizing each subdelegated IP address block. * Provide registration information for each IP address block. * Track utilization of allocated IP address blocks to determine if additional allocations may be justified.
This clearly omits any mention of network abuse. It doesn't even directly mention that contact information is supplied or what the contact info may/should be used for. It is heavily slanted towards a bureaucratic process for counting addresses to support decision-making about applications for additional address space.
Of course, SWIP is a ARIN thing, and you work for BRITISH TELECOMMUNICATIONS PLC. As a US network operator,
BT is also a US network operator. And a global network operator and a global network and security consulting firm. And some other stuff too like the project to run the entire UK telephone network over IP, 21CN.
I was well aware of the requirements for SWIP, because ARIN rules make it clear that, as a netblock owner of an ARIN allocation, I'm required to do it.
Which numbering authority do you work with day to day?
ARIN. I have a long history with ARIN predating the existence of the organization and I was one of the founding members of the ARIN Advisory Council.

I was not asking a typical dumb question here. The fact is that nobody really has a clear idea what SWIP is, why it exists, what it is for. What is the purpose and meaning of SWIP? Why is it different from RIPE or APNIC? All the answers I have ever seen boil down to "It's traditional!". And I have spent a lot of effort in trying to track down older documents to see if there was any more clarity back in the early days of SWIP and whois, but I failed to find anything other than some references to budget justifications by early ARPANET managers. On two occasions I tried to address this by proposing some policy language to ARIN which would define the purpose and scope of the whois directory but the members were not interested in messing with tradition.

The fact is that SWIP/whois/rwhois suck badly. Different groups of people have different ideas of what these things mean and the different ideas do not match. If I ask a waitress for two eggs over-easy I do not want to receive a slice of Quiche Lorraine. But in the world of SWIP/whois/rwhois, this is what we deal with every day.

Network operators have a CRYING need for a database to identify contacts for dealing with network abuse issues. They try to use the whois directory for this, but too often it fails them because the people stuffing the info into the directory are merely following tradition to make sure that the numbers come up right the next time they apply for additional IP addresses.

By the way, as a holder of an ARIN netblock allocation, you are *NOT* required to do SWIP. That is just another myth propagated by the holders of tradition and net folklore. Whenever you ask "Why?" and someone says, "Because you are required to do it.", they are really telling you not to think.

You pointed me to a page written by ARIN staff as justification for your views about SWIP but you somehow missed the line which said: SWIPs are required for reallocations of /29 and larger if the allocation owner does not operate a RWhoIs server. But, I take it a step further. Why should I believe what ARIN staff have written and why should I do what they tell me to do? What is their justification for writing this page? If you look in the ARIN policies it always uses the term SWIP in the context of "efficient utilization". So why do they publish it in the whois directory? Why do people think that whois contains valid contact info? Why do people think that whois should contain contacts who are ready, willing and able to act on network abuse issues? The only reason people think these things is because it is traditional net folklore. It was never part of the purpose and scope of SWIP/whois/Rwhois.

--Michael Dillon