Why does abuse handling take so long?
Dear nanog members, As current maintainer of DroneBL I happen to receive a lot of unwanted packets in the form of DDoS attacks. Now the DDoS itself is not the real problem; dealing with it the fast way is. Now most of you would think: Just filter it, put a big firewall in front of it, bla bla bla bla. But what I'm really talking about is the ignorance most providers show when it comes to handling the abuse when it gets reported. The issue in there being, it's way too slow, and my hoster needs to temporarily nullroute my IP range in order to protect his network. We both mail all the involved providers and sometimes need to wait days before hostings act upon the mail. In most cases the only thing the abuse@ contacts do as hoster is relay the mail to the client but do not dare to do anything themselves, even if you provide them with a shitload of logs, even if you call them and say that the attack from their source is still continuing, they refuse to look into it and shut down the source. And that pisses me off badly. Why o why are isp's and hosters so ignorant in dealing with such issues and act like they do not care? Kind regards, Alexander Maassen Maintainer DroneBL
On Sun, 13 Mar 2011, Alexander Maassen wrote:
Why o why are isp's and hosters so ignorant in dealing with such issues and act like they do not care?
they don't act like they do not care. they really *don't* care. no acting. 1) you're not a direct customer, why should they do anything? by doing nothing it costs them nothing. 2) why should they do anything to shut down paying customers? shutting down abusive customers is shutting off revenue sources. 3) lifting a finger is too much like work. it costs them money and gains them nothing. the only way to correct this behavior is to make it more expensive for providers to retain abusive customers than it is to keep them.
Why o why are isp's and hosters so ignorant in dealing with such issues and act like they do not care?
they don't act like they do not care. they really *don't* care. no acting.
Well now, I'd say this varies considerably. There are definitely ISPs that care and *do* work hard at reducing abuse. But even so - assuming I'm an ISP that cares, - You're presenting me with evidence of abuse. OK, I don't know you. Why should I believe your evidence? At best I'm going to take it as a *hint*. - If I take your evidence as a hint, I'm going to want to correlate it with my own logs. This takes time. - I probably have customer contracts in place that specify under what circumstances I can actually take the customer off net. My tolerance of abuse may not be the same as yours. Also, "due process" means that these things take time. Steinar Haug, Nethelp consulting, sthaug@nethelp.no
On 3/13/11 7:02 AM, sthaug@nethelp.no wrote:
Well now, I'd say this varies considerably. There are definitely ISPs that care and *do* work hard at reducing abuse. But even so - assuming I'm an ISP that cares,
- You're presenting me with evidence of abuse. OK, I don't know you. Why should I believe your evidence? At best I'm going to take it as a *hint*. - If I take your evidence as a hint, I'm going to want to correlate it with my own logs. This takes time.
This also applies in reverse when your asking to get out of a DNSbl. FWIW, when you deal with me on getting out of the AHBL, how well you handle my abuse report affects how well I handle your request to be delisted. :) effort in == effort out
- I probably have customer contracts in place that specify under what circumstances I can actually take the customer off net. My tolerance of abuse may not be the same as yours. Also, "due process" means that these things take time.
You aren't by chance related to Andrew Stevens? He's been going on recently about "due process" (quotes and all) to the point where certain newsgroups are flooded with socks. If not, then you have my apology :)
Steinar Haug, Nethelp consulting, sthaug@nethelp.no
-- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org
On Sun, 13 Mar 2011 05:39:02 -0700 (PDT) goemon@anime.net wrote:
On Sun, 13 Mar 2011, Alexander Maassen wrote:
Why o why are isp's and hosters so ignorant in dealing with such issues and act like they do not care?
they don't act like they do not care. they really *don't* care. no acting.
well, they should care. if a customer is compromised and ddosing, it costs the provider money (additional traffic being pushed bringing your 95% closer to your commit levels or possibly causing an overage to be incurred.) by doing nothing it may wind up costing them something - even if they can make the money back by passing the overage onto the customer, there is a high likelihood that the customer will just jump ship and not pay the invoice and go elsewhere. william
On 3/13/11 7:41 AM, William Pitcock wrote:
well, they should care. if a customer is compromised and ddosing, it costs the provider money (additional traffic being pushed bringing your 95% closer to your commit levels or possibly causing an overage to be incurred.)
by doing nothing it may wind up costing them something - even if they can make the money back by passing the overage onto the customer, there is a high likelihood that the customer will just jump ship and not pay the invoice and go elsewhere.
william
In the case of a DoS, a call to the legal dept of the ISP might do the trick. One successful lawsuit against a provider for knowingly allowing their customers to DoS/DDoS would certainly change a lot of attitudes about the value of an abuse desk. -- Brielle Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org
On 3/13/2011 8:39 AM, goemon@anime.net wrote:
On Sun, 13 Mar 2011, Alexander Maassen wrote:
Why o why are isp's and hosters so ignorant in dealing with such issues and act like they do not care?
they don't act like they do not care. they really *don't* care. no acting.
1) you're not a direct customer, why should they do anything? by doing nothing it costs them nothing. 2) why should they do anything to shut down paying customers? shutting down abusive customers is shutting off revenue sources. 3) lifting a finger is too much like work. it costs them money and gains them nothing.
the only way to correct this behavior is to make it more expensive for providers to retain abusive customers than it is to keep them.
Is it time for another "notion of self-defense" in responding to/retaliating against a DDoS attack of sufficient strength to hold down a large network, or resource? Andrew
On 3/13/11 8:36 AM, Andrew Kirch wrote:
On 3/13/2011 8:39 AM, goemon@anime.net wrote:
On Sun, 13 Mar 2011, Alexander Maassen wrote:
Why o why are isp's and hosters so ignorant in dealing with such issues and act like they do not care?
they don't act like they do not care. they really *don't* care. no acting.
1) you're not a direct customer, why should they do anything? by doing nothing it costs them nothing. 2) why should they do anything to shut down paying customers? shutting down abusive customers is shutting off revenue sources. 3) lifting a finger is too much like work. it costs them money and gains them nothing.
the only way to correct this behavior is to make it more expensive for providers to retain abusive customers than it is to keep them.
Is it time for another "notion of self-defense" in responding to/retaliating against a DDoS attack of sufficient strength to hold down a large network, or resource?
Because there just aren't enough internet vigilantes already...
Andrew
On 3/13/2011 1:24 PM, Joel Jaeggli wrote:
On 3/13/11 8:36 AM, Andrew Kirch wrote:
Is it time for another "notion of self-defense" in responding to/retaliating against a DDoS attack of sufficient strength to hold down a large network, or resource? Because there just aren't enough internet vigilantes already...
The problem does seem to persist. 10 years later and DDoS, its mitigation, and asleep-at-the-switch abuse departments are still a problem.
* Alexander Maassen:
In most cases the only thing the abuse@ contacts do as hoster is relay the mail to the client but do not dare to do anything themselves, even if you provide them with a shitload of logs, even if you call them and say that the attack from their source is still continuing, they refuse to look into it and shut down the source. And that pisses me off badly.
There is a relatively nice way of putting this. If you can't contact the customer and don't know what they are doing, it is difficult to estimate the risk from terminating the customer's connectivity. Therefore, giving them some time to react---4 business hours or perhaps even a business day---seems reasonable, and this can be a very long time span for many types of network abuse, especially when time zones are taken into account.
Why o why are isp's and hosters so ignorant in dealing with such issues and act like they do not care?
The less nice way is that many hosters attract customers who don't care if they are compromised. These customers do not perceive abuse notifications as valuable, so the hoster gains nothing from forwarding them: the abuse won't stop, and the customer is likely less happy than before.
On Sun, Mar 13, 2011 at 7:45 AM, Alexander Maassen <outsider@scarynet.org> wrote:
In most cases the only thing the abuse@ contacts do as hoster is relay the mail to the client but do not dare to do anything themselves, even if
The RIPE IRR database contains a systemic means for operators, responsible for IP address blocks, to exchange PGP-signed messages amongst each other in relation to security incidents. It unfortunately does not see much use: under 1% of allocations in RIPE's database include any reference to one of only 235 "incident response teams," which are conceptually similar to a POC. Other things have been tried but haven't reached "critical mass" also, such as dial-by-ASN VOIP connectivity. The real problem with handling serious network abuse is it's pretty hard to get through the "bozo filter" and actually reach anyone who might understand your request or complaint (DDoS), let alone have the power to act. The anti-spam folks have honestly made this problem far, far worse, by slamming every role mailbox they can find for every network operator, regardless of whether or not a specific mailbox for email-related abuse exists or how good (or bad) a network may be at keeping spam off its network. I hope this remark doesn't steer the thread far off-topic, but I wish the anti-spam folks would realize how counter-productive it is to intentionally send the same complaints to a multitude of different abuse mailboxes. For this reason, it really is necessary to have an automatic filtering mechanism in place just to make sure the network abuse people don't have to sift through messages which are mostly related to email abuse. If operators would decide to use a system like IRT, supported in RIPE IRR, then we would not only be able to filter out a lot of the B.S., we would also know that signed messages complaining of DDoS coming in were actually from the security folks at the complaining organization, people who have authority to make requests on behalf of the org that "owns" related netblocks. This pretty much eliminates the "why should I believe your evidence?" argument, because we shouldn't have to believe anyone's evidence to at least block traffic towards the netblocks they operate.
For example: if I am an end-user with address 192.0.2.80 and my web site is being subject to DDoS which I believe is originating from 203.0.113.66, I would contact my ISP, who registers themselves as the IRT for 192.0.2.0/24. My ISP would probably do a sanity check on my claim, examine their netflow, etc. and then agree that 203.0.113.66 is a source of the DDoS. They'd see that an IRT is registered for 203.0.113.0/24 and send over a PGP-signed message to the counter-party IRT. That IRT would verify the PGP signature and association with the target of the DoS, 192.0.2.80, and at that point, they would have absolutely zero excuse for not immediately dropping all traffic from 203.0.113.66 towards me at 192.0.2.80. It doesn't matter if there are any logs or "evidence," it matters that the proven security/abuse contact for 192.0.2.0/24 requested that the counter-party stop sending traffic to 192.0.2.0/24. Whether or not the ISP for 203.0.113.66 decides to investigate any further is up to them; maybe they log some traffic, find a compromised host, and shut it down. Maybe they really don't care. Now that you know people are capable of doing all that based on data in RIPE's trusted IRR database, you may also realize that this process could be streamlined to any point between "human reads email, checks relationships, and configures network" all the way to "script reads email, checks relationships, and configures network." Implementing this could save NOCs time (if they really cared about outgoing DDoS from their networks) and improve response to network abuse. So ultimately, there is already a good framework in place to substantially "fix" this problem. No one uses it. That is unlikely to change until there is an economic incentive, such as a lawsuit by someone targeted by DoS which can be proven to be originated from a negligent network, causing calculable damages. 
Until some network has to pay out a million bucks because they sat on their hands, I don't see anything changing. -- Jeff S Wheeler <jsw@inconcepts.biz> Sr Network Operator / Innovative Network Concepts
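The "script reads email, checks relationships, and configures network" end of the spectrum Jeff describes, as an added illustration that is not part of his post and not RIPE's software. The records are a constructed, heavily simplified RPSL layout (only `inetnum`/`mnt-irt` and `irt`/`auth` attributes), an HMAC tag stands in for the PGP signature the real IRT mechanism relies on, and the ACL line it emits is illustrative Cisco-like syntax. What it shows is the relationship check itself: a request is honoured only when the tag verifies under the sender's registered key, the sender is the IRT for the target block, and the reported source sits in a block we are IRT for. No logs or evidence are consulted, which is the point of the mechanism.

```python
"""IRT-style DDoS filter request check (added illustration, not from the thread
and not RIPE's software). The records, keys and addresses are constructed; the
HMAC tag stands in for the PGP signature the real IRT mechanism relies on."""
import hashlib
import hmac
import ipaddress

# Constructed records in a simplified RPSL layout. Real RIPE data has far more
# attributes; `auth:` here holds a shared HMAC key rather than a PGP key id.
IRR_DB = """
inetnum:  192.0.2.0 - 192.0.2.255
mnt-irt:  IRT-EXAMPLE-NET

inetnum:  203.0.113.0 - 203.0.113.255
mnt-irt:  IRT-OTHER-NET

irt:      IRT-EXAMPLE-NET
auth:     hmac-sha256 example-net-shared-key

irt:      IRT-OTHER-NET
auth:     hmac-sha256 other-net-shared-key
"""


def parse_irr(text):
    """Return ({ip_network: irt_name}, {irt_name: key_bytes})."""
    inetnums, irt_keys = {}, {}
    for block in text.strip().split("\n\n"):
        obj = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            obj[attr.strip()] = value.strip()
        if "inetnum" in obj:
            start, _, end = obj["inetnum"].partition("-")
            for net in ipaddress.summarize_address_range(
                    ipaddress.ip_address(start.strip()),
                    ipaddress.ip_address(end.strip())):
                inetnums[net] = obj["mnt-irt"]
        elif "irt" in obj:
            _algo, _, key = obj["auth"].partition(" ")
            irt_keys[obj["irt"]] = key.encode()
    return inetnums, irt_keys


def irt_for(address, inetnums):
    """IRT of the most specific inetnum containing `address`, or None."""
    addr = ipaddress.ip_address(address)
    matches = [net for net in inetnums if addr in net]
    if not matches:
        return None
    return inetnums[max(matches, key=lambda n: n.prefixlen)]


def sign_request(sender_irt, target, source, key):
    """Tag over the request fields (stand-in for a PGP signature)."""
    msg = f"{sender_irt}|{target}|{source}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def authorize_request(sender_irt, target, source, tag, our_irt,
                      inetnums, irt_keys):
    """Decide whether a 'stop traffic from source to target' request is valid.

    Returns (accepted, reason, filter_rule). A rule is only produced when the
    tag verifies under the sender's registered key, the sender is the IRT for
    the target block, and the source lies in a block we are IRT for.
    """
    key = irt_keys.get(sender_irt)
    if key is None:
        return False, "unknown IRT", None
    if not hmac.compare_digest(tag, sign_request(sender_irt, target, source, key)):
        return False, "bad signature", None
    if irt_for(target, inetnums) != sender_irt:
        return False, "sender is not the IRT for the target", None
    if irt_for(source, inetnums) != our_irt:
        return False, "source is not in a block we handle", None
    # Illustrative ACL line in Cisco-like syntax: drop only the reported pair.
    return True, "ok", f"deny ip host {source} host {target}"


if __name__ == "__main__":
    inetnums, keys = parse_irr(IRR_DB)
    tag = sign_request("IRT-EXAMPLE-NET", "192.0.2.80", "203.0.113.66",
                       keys["IRT-EXAMPLE-NET"])
    print(authorize_request("IRT-EXAMPLE-NET", "192.0.2.80", "203.0.113.66",
                            tag, "IRT-OTHER-NET", inetnums, keys))
```

Run as the ISP for 203.0.113.0/24 (`our_irt="IRT-OTHER-NET"`), the request from IRT-EXAMPLE-NET about 192.0.2.80 yields a single host-pair deny. A request signed with the wrong key, one whose sender is not the registered IRT for the target, or one naming a source outside our blocks is refused with the reason attached, so the only thing a counter-party can make us do is stop our own traffic towards their own addresses.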
* Jeff Wheeler:
On Sun, Mar 13, 2011 at 7:45 AM, Alexander Maassen <outsider@scarynet.org> wrote:
In most cases the only thing the abuse@ contacts do as hoster is relay the mail to the client but do not dare to do anything themselves, even if
The RIPE IRR database contains a systemic means for operators, responsible for IP address blocks, to exchange PGP-signed messages amongst each other in relation to security incidents. It unfortunately does not see much use: under 1% of allocations in RIPE's database include any reference to one of only 235 "incident response teams," which are conceptually similar to a POC.
Not that the IRTs are often not the party you want to talk to anyway. They don't run the box, and in many cases, they don't even run the network, so they can put in filters (even if they wanted). In many cases, the IRT object routes complaints *away* from the party who is capable of taking action.
On Sun, Mar 13, 2011 at 5:33 PM, Florian Weimer <fw@deneb.enyo.de> wrote:
Not that the IRTs are often not the party you want to talk to anyway.
This is why my post highlights the underlying mechanism/system. It can and should be used to streamline DDoS mitigation. It is unfortunately not in practical use, since the cost of ignoring DoS originating from one's network is generally low or zero. -- Jeff S Wheeler <jsw@inconcepts.biz> Sr Network Operator / Innovative Network Concepts
On Sun, 13 Mar 2011, Jeff Wheeler wrote:
So ultimately, there is already a good framework in place to substantially "fix" this problem. No one uses it. That is unlikely to change until there is an economic incentive, such as a lawsuit by someone targeted by DoS which can be proven to be originated from a negligent network, causing calculable damages. Until some network has to pay out a million bucks because they sat on their hands, I don't see anything changing.
Exactly. Make this a question of economics and the problem will solve itself. It has to become more expensive to ignore abuse than it is to deal with it. Until that changes, the abuse will continue.
On 3/13/11 7:45 AM, Alexander Maassen wrote:
Why o why are isp's and hosters so ignorant in dealing with such issues and act like they do not care?
Because network operators rarely get together and turn off routing to abusive hosting. On the few occasions that has happened, it took years of consensus building. So, part of the problem is *your* upstream. Why didn't your upstream actively remove the entire abusive netblock? Why didn't your upstream contact other providers with your evidence, and together remove the abusive network from the global routing tables? As we get more experience with global "cyberwar", we're going to need faster response mechanisms. What will we do as some major government coordinates an attack on another? What will we do as some major North American government coordinates an attack on another region or facility?
On 13-3-2011 18:31, William Allen Simpson wrote:
On 3/13/11 7:45 AM, Alexander Maassen wrote:
Why o why are isp's and hosters so ignorant in dealing with such issues and act like they do not care?
So, part of the problem is *your* upstream. Why didn't your upstream actively remove the entire abusive netblock? Why didn't your upstream contact other providers with your evidence, and together remove the abusive network from the global routing tables?
My hoster did mail, his upstream is EGI, however, EGI does not want to block/filter since it would pollute their routers they say. I asked through my hoster if they would be willing to place a simple UDP filter, blocking all of it. They refuse.
On Sun, 13 Mar 2011, Alexander Maassen wrote:
On 13-3-2011 18:31, William Allen Simpson wrote:
On 3/13/11 7:45 AM, Alexander Maassen wrote:
Why o why are isp's and hosters so ignorant in dealing with such issues and act like they do not care? So, part of the problem is *your* upstream. Why didn't your upstream actively remove the entire abusive netblock? Why didn't your upstream contact other providers with your evidence, and together remove the abusive network from the global routing tables? My hoster did mail, his upstream is EGI, however, EGI does not want to block/filter since it would pollute their routers they say. I asked through my hoster if they would be willing to place a simple UDP filter, blocking all of it. They refuse.
again make it a question of economics. vote with your wallet, vote with your feet. if they won't block, leave.
On 03/13/2011 05:34 PM, goemon@anime.net wrote:
On Sun, 13 Mar 2011, Alexander Maassen wrote:
On 13-3-2011 18:31, William Allen Simpson wrote:
On 3/13/11 7:45 AM, Alexander Maassen wrote:
Why o why are isp's and hosters so ignorant in dealing with such issues and act like they do not care? So, part of the problem is *your* upstream. Why didn't your upstream actively remove the entire abusive netblock? Why didn't your upstream contact other providers with your evidence, and together remove the abusive network from the global routing tables? My hoster did mail, his upstream is EGI, however, EGI does not want to block/filter since it would pollute their routers they say. I asked through my hoster if they would be willing to place a simple UDP filter, blocking all of it. They refuse.
again make it a question of economics.
vote with your wallet, vote with your feet.
if they won't block, leave.
Leaving is not always as easy as you imply. There are some areas with only one real provider.
In a message written on Sun, Mar 13, 2011 at 12:45:04PM +0100, Alexander Maassen wrote:
Why o why are isp's and hosters so ignorant in dealing with such issues and act like they do not care?
One of the things you have to remember is that ISP's get a ton of reports, and most of them are of very low quality. Abuse queues are full of people who sign up for a properly run mailing list and then a year or two later mail abuse to get taken off saying it's now spam. Or folks who misconfigure their firewall / IDS and send in reports of being DDOSed, by a nameserver, to which they are sending queries and then flagging the responses as an "attack". There are a lot of reports that don't include either the source or destination IP, or leave out any time information. Worst of all, there are the automated reports where someone has a different opinion than the law, or even reality. They create systems to basically DDOS abuse@, by reporting every case they can find individually when in fact the "spammer" is doing things legally and properly. Of course it varies greatly ISP to ISP, depends on customer mix, time of the day, time of the year and all sorts of other factors. Still, there are times when I would say less than 1 in 50 e-mails received to abuse@ is something that is a complete report and actionable. Keep that in mind, along with what others have pointed out, that there is generally no "profit" in handling abuse. Quite frankly, most ISP's aren't going to take your DDOS report seriously via e-mail. If it's not bad enough to you that it is worth your time and money to make a phone call and help them track it down it is not worth their time and money to track it down and make it stop. In short, try picking up the phone. You'll bypass the entire e-mail reporting cesspool I just described, and show the ISP you actually care. 9 out of 10 times they will respond by showing they care as well. -- Leo Bicknell - bicknell@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/
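The triage an abuse desk does before a report is worth anyone's time, as an added illustration that is not from Leo's post or any real abuse desk. It checks for the three things he names as routinely missing (source IP, destination IP, a time with a zone), keyword-classifies the report as network abuse or e-mail abuse so mail complaints stay out of the network queue, and flags the "DDoSed by a nameserver I queried" pattern (a reported source port of 53) for a sanity check. The regexes, keyword lists and sample reports are all constructed for this example; the labels `source`, `destination` and `timestamp` are the example's own.

```python
"""Abuse-report triage (added illustration, not from Leo Bicknell's post or any
real abuse desk). Extracts the fields a network abuse desk needs before it can
act and flags reports that belong in the e-mail abuse queue. All sample reports
below are constructed."""
import re

IPV4 = r"((?:\d{1,3}\.){3}\d{1,3})"
# A labelled address: the label and the IP must be within 12 non-digit characters.
SRC_RE = re.compile(r"\b(?:source|src|from|attacker)\b\D{0,12}?" + IPV4 + r"\b", re.I)
DST_RE = re.compile(r"\b(?:destination|dst|target|victim|to|at|against)\b\D{0,12}?"
                    + IPV4 + r"\b", re.I)
# Timestamp with an explicit zone; a bare local time is useless across time zones.
TS_RE = re.compile(r"\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}(?::\d{2})?\s?(?:Z|UTC|[+-]\d{2}:?\d{2})")
DNS_REPLY_RE = re.compile(r"\bsource port\s*(?:is\s*)?53\b", re.I)
NET_RE = re.compile(r"\b(?:d?dos|flood(?:ing)?|attack\w*|syn|udp|pps|mbps|gbps)\b", re.I)
MAIL_RE = re.compile(r"\b(?:spam|unsubscribe|mailing list|newsletters?)\b", re.I)

# Constructed sample reports.
REPORTS = {
    "complete": """Subject: DDoS against our web server
Source: 203.0.113.66 (UDP flood, about 400 Mbps)
Destination: 192.0.2.80
Time: 2011-03-13 11:40 UTC to 2011-03-13 12:10 UTC
Sample flow records attached.""",
    "no_time": "Someone from 203.0.113.66 is attacking us at 192.0.2.80, please stop them.",
    "mail": "I keep getting newsletters from 198.51.100.9, this is spam, remove me from your list.",
    "dns": """Source: 198.51.100.53, source port 53, UDP
Destination: 192.0.2.80
Time: 2011-03-13T22:05:00Z
DDoS flood, thousands of packets per second.""",
}


def classify(text):
    """'network', 'mail' or 'unknown' from keyword hits (a heuristic only)."""
    net = len(NET_RE.findall(text))
    mail = len(MAIL_RE.findall(text))
    if net and net >= mail:
        return "network"
    return "mail" if mail else "unknown"


def triage(report):
    """Extract the fields an abuse desk needs and say whether the report is actionable."""
    src = SRC_RE.search(report)
    dst = DST_RE.search(report)
    ts = TS_RE.search(report)
    fields = {
        "source": src.group(1) if src else None,
        "destination": dst.group(1) if dst else None,
        "timestamp": ts.group(0) if ts else None,
    }
    missing = [name for name, value in fields.items() if value is None]
    category = classify(report)
    notes = []
    if DNS_REPLY_RE.search(report):
        notes.append("source port 53: may be DNS replies to the reporter's own "
                     "queries; verify before escalating")
    if category == "mail":
        notes.append("e-mail abuse: route to the mail abuse queue, not the network desk")
    return {
        **fields,
        "category": category,
        "missing": missing,
        "notes": notes,
        # Only a complete network-abuse report reaches the network desk.
        "actionable": category == "network" and not missing,
    }


if __name__ == "__main__":
    for name, report in REPORTS.items():
        print(name, triage(report))
```

Of the four constructed reports only "complete" comes out actionable; "no_time" is a real network complaint that cannot be correlated with flow data, "mail" is a list-unsubscribe request that would otherwise sit in the network queue, and "dns" is complete but carries the port-53 note so the desk checks it is not the reporter's own resolver traffic before anyone is called.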
Op 14-3-2011 0:21, Leo Bicknell schreef:
Quite frankly, most ISP's aren't going to take your DDOS report seriously via e-mail. If it's not bad enough to you that it is worth your time and money to make a phone call and help them track it down it is not worth their time and money to track it down and make it stop.
In short, try picking up the phone. You'll bypass the entire e-mail reporting cesspool I just described, and show the ISP you actually care. 9 out of 10 times they will respond by showing they care as well.
Quite frankly, been there, done that, got the t-shirt. And the answer I get most of the time there is: [loop] - Sorry, email abuse and wait for a reply - Sorry, I can't help you, wait for a reply on your abuse email - Sorry, there is nothing I can do, my hands are bound, wait for a reply from the abuse department [/loop] So much regarding the 9 out of 10. It's the 1 remaining that actually cares and tries something.
On Sun, 13 Mar 2011, Leo Bicknell wrote:
Quite frankly, most ISP's aren't going to take your DDOS report seriously via e-mail. If it's not bad enough to you that it is worth your time and money to make a phone call and help them track it down it is not worth their time and money to track it down and make it stop.
In short, try picking up the phone. You'll bypass the entire e-mail reporting cesspool I just described, and show the ISP you actually care. 9 out of 10 times they will respond by showing they care as well.
In my experience, most phone calls cause the ISP to become immediately hostile. They find abuse report phone calls extremely threatening / scary / etc. and go into full shields-up mode. 9 out of 10 times the very first words out of their mouth is "talk to our lawyers". the remaining 1 out of 10 is "block it on your end". Email tends to be non threatening. As useless as it tends to be, it is still generally better than calling. the real cesspool is POC registries. i wish arin would start revoking allocations for entities with invalid POCs.
Depends on what you're yelling at them about and what you tell them. I've picked up the phone and had a NOC guy at a russian SP (can't remember which, Caravan I think) kill off a syn flood that was hitting us promptly, at like 1 AM their time. On Mon, Mar 14, 2011 at 7:05 AM, <goemon@anime.net> wrote:
In my experience, most phone calls cause the ISP to become immediately hostile. They find abuse report phone calls extremely threatening / scary / etc. and go into full shields-up mode. 9 out of 10 times the very first words out of their mouth is "talk to our lawyers". the remaining 1 out of 10 is "block it on your end".
Email tends to be non threatening. As useless as it tends to be, it is still generally better than calling.
the real cesspool is POC registries. i wish arin would start revoking allocations for entities with invalid POCs.
-- Suresh Ramasubramanian (ops.lists@gmail.com)
On 3/13/11 9:35 PM, goemon@anime.net wrote:
the real cesspool is POC registries. i wish arin would start revoking allocations for entities with invalid POCs.
Hear, hear! Leo's remembering the old days (80s - early '90s), when we checked whois and called each others' NOCs directly. That stopped working, and we started getting front line support, whose whole purpose was to filter. Nowadays, I've often been stuck in voice prompt or voice mail hell, unable to get anybody on the phone, and cannot get any response from email, either. Ever. The big ILECs are the worst. What we need is an "abuse" for ARIN, telling them the contacts don't work properly, which ARIN could verify, revoke the allocation, and send notice to the upstream telling them to withdraw the route immediately. Force them to go through the entire allocation process from the beginning, and always assign a new block. That might make them take notice.... And shrink the routing table! Win, win! Since we'd only send notification to ARIN about an actual problem, we'd only drop the real troublemakers. To help enforce that, ARIN would also verify the reporter's contacts. :-)
In a message written on Mon, Mar 14, 2011 at 12:11:54PM -0400, William Allen Simpson wrote:
Leo's remembering the old days (80s - early '90s), when we checked whois and called each others' NOCs directly. That stopped working, and we started getting front line support, whose whole purpose was to filter. Nowadays, I've often been stuck in voice prompt or voice mail hell, unable to get anybody on the phone, and cannot get any response from email, either. Ever. The big ILECs are the worst.
If you're a network operator, you probably know much better resources for getting phone numbers. That's not to say I wouldn't like to see ARIN records cleaned up, I fought that battle for a number of years. INOC DBA? Peeringdb.com? puck.nether.net/netops? I hate to say it, but if you're calling the number in Whois or on the front of www.foo.com then perhaps frontline support is exactly who you should be talking to about these issues. The entire purpose of any support organization is to filter to the appropriate folks. The more clue you show in directing your query, the more clue you'll get in response. Also, it can help if you follow the relationships. Consider two "regional" networks and two "international backbone providers", so you have a network path like: R1----ISP1----ISP2----R2 I understand we'd all like it to work that if R1 needs to reach R2 they call them directly. However sometimes calling ISP1 and making them get involved allows them to get the attention of ISP2, and finally them to get R2 to do something. I can't think of a time I wasn't able to get ahold of the right folks when I needed to do so, using publicly available information. But then I don't bother people about a few spams, or 1Mbps "DDOS's", remain calm when I call, provide lots of information, and have a realistic expectation of how quickly they might be able to respond. Having answered abuse phones off and on for many years I can tell you that's the exception, not the rule. More common is to get someone calling to scream at you for 15 minutes about how you're destroying his livelihood only to figure out that his box was misconfigured. Funny how you never even get an "I'm sorry" when that happens. -- Leo Bicknell - bicknell@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/
On 3/14/2011 12:11 PM, William Allen Simpson wrote:
On 3/13/11 9:35 PM, goemon@anime.net wrote:
the real cesspool is POC registries. i wish arin would start revoking allocations for entities with invalid POCs.
Hear, hear!
Leo's remembering the old days (80s - early '90s), when we checked whois and called each others' NOCs directly. That stopped working, and we started getting front line support, whose whole purpose was to filter. Nowadays, I've often been stuck in voice prompt or voice mail hell, unable to get anybody on the phone, and cannot get any response from email, either. Ever. The big ILECs are the worst.
What we need is an "abuse" for ARIN, telling them the contacts don't work properly, which ARIN could verify, revoke the allocation, and send notice to the upstream telling them to withdraw the route immediately.
Define "contacts don't work properly". - Email / phone number does not exist? - Email / phone was answered by unhelpful person? - Your particular issue provided in email / phone call was not addressed immediately (or within a timeframe that *you* see as appropriate)? The first can be verified objectively. The others are subjective and impossible to verify.
Force them to go through the entire allocation process from the beginning, and always assign a new block. That might make them take notice.... And shrink the routing table! Win, win!
Since we'd only send notification to ARIN about an actual problem, we'd only drop the real troublemakers. To help enforce that, ARIN would also verify the reporter's contacts. :-)
On Mon, 14 Mar 2011 12:35:27 EDT, David Miller said:
Define "contacts don't work properly". - Email / phone number does not exist? - Email / phone was answered by unhelpful person?
Somewhere between these two should be "email/phone number exists, but is completely unable to serve the function" (auto-responders that tell you they can't act on your report without the information that was already in the note they are auto-responding to, in the format they requested, Level 1 desk unable to escalate to a Level 2, etc etc).
On 3/14/2011 2:13 PM, Valdis.Kletnieks@vt.edu wrote:
On Mon, 14 Mar 2011 12:35:27 EDT, David Miller said:
Define "contacts don't work properly". - Email / phone number does not exist? - Email / phone was answered by unhelpful person? Somewhere between these two should be "email/phone number exists, but is completely unable to serve the function" (auto-responders that tell you they can't act on your report without the information that was already in the note they are auto-responding to, in the format they requested, Level 1 desk unable to escalate to a Level 2, etc etc).
My favorite is: -----Original Message-----
After investigation, we have determined that this email message did not originate from the Yahoo! Mail system. It appears that the sender of this message forged the header information to give the impression that it came from the Yahoo! Mail system.
Original Message Follows: -------------------------
Received: from nm20.bullet.mail.ac4.yahoo.com (nm20.bullet.mail.ac4.yahoo.com [98.139.52.217])
-- /Jason
On 3/14/11 9:11 AM, William Allen Simpson wrote:
On 3/13/11 9:35 PM, goemon@anime.net wrote:
the real cesspool is POC registries. i wish arin would start revoking allocations for entities with invalid POCs.
Hear, hear!
Leo's remembering the old days (80s - early '90s), when we checked whois and called each others' NOCs directly. That stopped working, and we started getting front line support, whose whole purpose was to filter. Nowadays, I've often been stuck in voice prompt or voice mail hell, unable to get anybody on the phone, and cannot get any response from email, either. Ever. The big ILECs are the worst.
What we need is an "abuse" for ARIN, telling them the contacts don't work properly, which ARIN could verify, revoke the allocation, and send notice to the upstream telling them to withdraw the route immediately.
Force them to go through the entire allocation process from the beginning, and always assign a new block. That might make them take notice.... And shrink the routing table! Win, win!
Since we'd only send notification to ARIN about an actual problem, we'd only drop the real troublemakers. To help enforce that, ARIN would also verify the reporter's contacts. :-)
Distributing abusive IP addresses within IPv6 is not likely sustainable, nor would authenticating network reporters and actors. Filtering routes could be more manageable, and would leave dealing with compromised systems within popular networks. Calling for abuse management by ISPs might be an effective approach when structured not to conflict with maximizing profits. A Carbon Tax for abuse imposed by a governing organization to support an Internet remediation fund? :^)
-Doug
On 3/13/2011 7:45 AM, Alexander Maassen wrote:
Why o why are isp's and hosters so ignorant in dealing with such issues and act like they do not care?
They really do take this seriously as it cuts into productivity. Proof they care: http://www.infiltrated.net/voipabuse/responses/fortress-takes-abuse-serious.... -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT "It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett 42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF
participants (18)
- Alexander Maassen
- Andrew Kirch
- Brielle Bruns
- David Miller
- Douglas Otis
- Florian Weimer
- goemon@anime.net
- J. Oquendo
- Jason Bertoch
- Jeff Wheeler
- Joel Jaeggli
- Larry Brower
- Leo Bicknell
- sthaug@nethelp.no
- Suresh Ramasubramanian
- Valdis.Kletnieks@vt.edu
- William Allen Simpson
- William Pitcock