Re: Abuse procedures... Reality Checks
: if someone cannot get out somewhere, they're obviously
: going to get in touch with me as to why. Once this is
: done, it is explained

: I've always contacted someone

: after about 3 attempts at getting someone to assess
: their network

I know from experience this doesn't scale into the hundreds of thousands of customers and can only imagine the big ass eyeball network's scalability issues...

scott

--- sil@infiltrated.net wrote:

From: "J. Oquendo" <sil@infiltrated.net>
To: nanog@merit.edu
Cc: Warren Kumari <warren@kumari.net>
Subject: Re: Abuse procedures... Reality Checks
Date: Wed, 11 Apr 2007 13:49:40 -0400

Warren Kumari wrote:
So, I have always wondered -- how do your customers really react when they can no longer reach www.example.com, a site hosted a few IPs away from www.badevilphisher.net? And do you really think that you blocking them is going to make example.com contact their provider to get things fixed?
You confused two things.

1) I do my best to stop malicious traffic from leaving my network. With this said, if someone cannot get out somewhere, they're obviously going to get in touch with me as to why. Once this is done, it is explained to them that either their machine, or a machine on their network was doing something fuzzy therefore they were blocked. Most are actually thankful that it was pointed out to them as opposed to having to wait for Security Company X to update its virus/spamware definitions.

2) I do not block getting TO company X at first signs of garbage coming into my network from them. I've always contacted someone to some degree so don't misconstrue my actions as "I block the first packets I see." On the contrary I only block CIDRs after about 3 attempts at getting someone to assess their network. After that, I begin with services. This is my network so this is how it pans out... Spam? A CIDR to my email ports is blocked. SSH brute forcing, etc., those ports are blocked. Network who's blocked on ports continues, everything is then blocked.
Have you considered that being a little politer and not insulting everyone on the list might be a more constructive way of getting your point across -- if I were to call you a "big, fat, doodoo head" you would probably be less receptive than if I didn't...
What does being polite and "matter of factly" have to do with administrators cleaning up their networks? Should I beg an administrator of some network to be polite and not refer me to their generic abuse desk who'll do nothing about the issue?

I actually am a little too polite in the fact that 1) I'm doing network operators a favor pointing them out to rogue hosts on THEIR networks not mine. If they want to continue hosting said rogue idiots, their problem. I won't be allowing it into my range. If you knew me personally, or have dealt with me, I can guarantee you within minutes of you contacting me for something I would be on it. I as an admin/engineer whatever you want to call me would want to make sure that nothing internal to me is affecting anyone else since it is likely to make things more difficult for me if left unchecked.

So on issues of politeness, I am being polite contacting people. I'm being double polite posting evil doing networks on my personal site so others can be aware that "These networks are infected. Here are their hosts if you want to block them." I do this on my own spare time, my own expense, and my own filtering of the denials of service that ensue when some botnet reject sees me post a percentage of his botnet. So please don't take my messages as anything other than "Hey... When is someone going to deal with this?" frustration targeted at those with the power to actually do something about it instead of waiting for someone else to take the first move.

Analogy: You live in a house and sweep your property. Your neighbors don't. Would you stop sweeping your house? Would you keep your house dirty simply because the majority around you do? I'm sure if you convinced the most visible neighbor to make a change, the others would follow suit. Heck in some areas those neighbors who didn't comply would face fines after some point. Why not bring this chain of thought to a network you maintain/manage.

As for documentation on this... There is PLENTY of it. Why should I write another document no one would follow? If some can't follow normal standards set by governmental bodies (for lack of better terms), what makes you think someone would say "Gee... That Oquendo sure wrote a nice document... Let me follow it"? How about following standards and using good old fashioned common sense.

--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net

The happiness of society is the end of government. John Adams
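The escalation ladder J. Oquendo describes above (contact the operator first, block only the abused services after about three unanswered attempts, block the whole prefix if the abuse continues) written out as a small policy engine. This is an added example and is not code from the original thread or from any of its authors. The /24 and /48 aggregation, the mapping of abuse classes to ports, the nftables rule form, the three-attempt threshold and every address and timestamp are assumptions or constructed sample data.

```python
"""Graded abuse response: contact, then block abused services, then block all.

Added example, not from the original thread. Aggregation width, port mapping,
rule syntax and all sample data are assumptions (see comments).
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: which ports each abuse class maps to on this network.
SERVICE_PORTS = {"spam": (25, 465, 587), "ssh-bruteforce": (22,)}
CONTACT_ATTEMPTS_BEFORE_BLOCK = 3  # "after about 3 attempts"


def aggregate(host: str) -> str:
    """Fold an offending host into the prefix acted on.

    Assumption: /24 for IPv4 and /48 for IPv6. A real deployment would take the
    allocation boundary from WHOIS or a route object instead.
    """
    addr = ip_address(host)
    plen = 24 if addr.version == 4 else 48
    return str(ip_network(f"{addr}/{plen}", strict=False))


@dataclass
class PrefixState:
    cidr: str
    kinds: set[str] = field(default_factory=set)   # abuse classes observed
    hosts: set[str] = field(default_factory=set)   # offending hosts seen
    contact_attempts: list[datetime] = field(default_factory=list)
    port_block_since: datetime | None = None
    full_block_since: datetime | None = None

    def level(self) -> str:
        if self.full_block_since:
            return "block-all"
        if self.port_block_since:
            return "block-ports"
        return "contact"


class AbuseLadder:
    def __init__(self) -> None:
        self.prefixes: dict[str, PrefixState] = {}

    def _state(self, cidr: str) -> PrefixState:
        return self.prefixes.setdefault(cidr, PrefixState(cidr))

    def report(self, seen: datetime, host: str, kind: str) -> str:
        """Record an abuse observation from `host`; return the resulting level."""
        if kind not in SERVICE_PORTS:
            raise ValueError(f"unknown abuse class {kind!r}")
        st = self._state(aggregate(host))
        st.kinds.add(kind)
        st.hosts.add(host)
        # Last rung: a network already blocked on ports that keeps sending
        # abuse of any kind loses everything.
        if st.port_block_since and seen > st.port_block_since and not st.full_block_since:
            st.full_block_since = seen
        return st.level()

    def contact(self, when: datetime, cidr: str) -> str:
        """Record one unanswered attempt to reach the operator of `cidr`.

        Once the threshold is reached, only the abused services are blocked.
        """
        st = self._state(cidr)
        st.contact_attempts.append(when)
        if (len(st.contact_attempts) >= CONTACT_ATTEMPTS_BEFORE_BLOCK
                and st.port_block_since is None and st.full_block_since is None):
            st.port_block_since = when
        return st.level()

    def resolved(self, cidr: str) -> None:
        """The operator answered and cleaned up: lift everything for the prefix."""
        self.prefixes.pop(cidr, None)

    def nft_rules(self, table: str = "inet filter", chain: str = "input") -> list[str]:
        """Render the current ladder position of every prefix as nft commands."""
        rules = []
        for st in sorted(self.prefixes.values(), key=lambda s: s.cidr):
            fam = "ip6" if ip_network(st.cidr).version == 6 else "ip"
            if st.full_block_since:
                rules.append(f"nft add rule {table} {chain} {fam} saddr {st.cidr} drop")
            elif st.port_block_since:
                ports = sorted({p for k in st.kinds for p in SERVICE_PORTS[k]})
                plist = ", ".join(map(str, ports))
                rules.append(
                    f"nft add rule {table} {chain} {fam} saddr {st.cidr} "
                    f"tcp dport {{ {plist} }} drop")
        return rules


if __name__ == "__main__":
    # Constructed sample: spam from two hosts in a documentation prefix.
    t0 = datetime(2007, 4, 1)
    ladder = AbuseLadder()
    ladder.report(t0, "203.0.113.7", "spam")
    ladder.report(t0 + timedelta(hours=3), "203.0.113.9", "spam")
    for i in range(CONTACT_ATTEMPTS_BEFORE_BLOCK):
        ladder.contact(t0 + timedelta(days=2 * i + 1), "203.0.113.0/24")
    print(ladder.nft_rules())          # mail ports only
    ladder.report(t0 + timedelta(days=8), "203.0.113.9", "ssh-bruteforce")
    print(ladder.nft_rules())          # whole prefix
```

The rules are only rendered, not applied; feeding them to `nft` and keeping a log of the contact attempts (who was mailed, when, with which evidence) is what makes the "three attempts" step defensible when the blocked network's customers ask why they cannot reach you.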
On Apr 11, 2007, at 2:53 PM, Scott Weeks wrote:
: if someone cannot get out somewhere, they're obviously : going to get in touch with me as to why. Once this is : done, it is explained
: I've always contacted someone
: after about 3 attempts at getting someone to assess : their network
I know from experience this doesn't scale into the hundreds of thousands of customers and can only imagine the big ass eyeball network's scalability issues...
scott
Hear hear...

Scaling process and procedures is often as hard or harder than scaling technical things... Unfortunately, the lesson that scaling either is hard is only really something that one can learn through experience -- I know that I for one used to believe (as I would bet did most of us) that you could scale just by buying a bigger X, where X could be a router, circuit, etc. If that didn't work you could always just buy another X (or a bunch more Xs) -- this strategy works up to a point, after which it all goes pear-shaped. Until you have experienced this firsthand it is hard to truly understand.

The same thing happens with things like abuse -- it is easy to deal with abuse on a small scale. It is somewhat harder on a medium scale and harder still on a large scale -- the progression from small to medium to large is close to linear. At some point though the difficulty suddenly hockey-sticks and becomes distinctly non-trivial -- this doesn't mean that it is impossible, nor that you should give up, but rather that a different approach is needed. Understanding this is harder than understanding why you cannot grow your network just by buying more X.

W
--
After you'd known Christine for any length of time, you found yourself fighting a desire to look into her ear to see if you could spot daylight coming the other way.
-- (Terry Pratchett, Maskerade)
On Wed, Apr 11, 2007 at 03:44:01PM -0400, Warren Kumari wrote:
The same thing happens with things like abuse -- it is easy to deal with abuse on a small scale. It is somewhat harder on a medium scale and harder still on a large scale -- the progression from small to medium to large is close to linear.
First, I don't buy this. I think dealing with abuse is *much* easier for large operations than small. But suppose you're right. Let me concede that point for the purpose of making my second point (and generic "you" throughout, BTW):

Second, I don't really care how hard it is. It's YOUR network, YOU built it, YOU plugged it into our Internet: therefore, however hard it is, it's YOUR problem. Fix it. Or if you choose not to: at least stop whining about how much you don't like the way in which other people try to partially compensate for YOUR failure.

---Rsk
I know from experience this doesn't scale into the hundreds of thousands of customers and can only imagine the big ass eyeball network's scalability issues...
Hear hear...
Scaling process and procedures is often as hard or harder than scaling technical things...
It's true. But the big networks hire people who understand scaling issues and know how to make things work. It's not up to us to solve their scaling problem. If you can define a mechanism that will work on smaller networks to achieve a goal, and if that goal is worthwhile achieving, the big networks will get their scalability networks to scale it up. There is a similar problem in chemicals where researchers create new compounds in the laboratory and then hand the details over to scaling experts who know how to change the process to work on the scale of a factory. And it's not unusual to see chemical factories that are acres in size.
The same thing happens with things like abuse -- it is easy to deal with abuse on a small scale. It is somewhat harder on a medium scale and harder still on a large scale -- the progression from small to medium to large is close to linear. At some point though the difficulty suddenly hockey-sticks and becomes distinctly non-trivial -- this doesn't mean that it is impossible, nor that you should give up, but rather that a different approach is needed. Understanding this is harder than understanding why you cannot grow your network just by buying more X.
Yes this is true. But the people who find different approaches need to see how the smaller networks solve a problem. Their skill is not in finding solutions to abuse, but in figuring out how to restructure an abuse solution to work on a huge scale.

--Michael Dillon
participants (4)
- michael.dillon@bt.com
- Rich Kulawiec
- Scott Weeks
- Warren Kumari