-- Rich Kulawiec <rsk@gsp.org> wrote:

> 1. There's nothing "indiscriminate" about it.
>
> I often block /24's and larger because I'm holding the *network* operators responsible for what comes out of their operation. If they can't hold the outbound abuse down to a minimum, then I guess I'll have to make up for their negligence on my end. I don't care why it happens -- they should have thought through all this BEFORE plugging themselves in and planned accordingly. ("Never build something you can't control.")

I would have to respectfully disagree with you. When network operators do due diligence and SWIP their sub-allocations, they (the sub-allocations) should be authoritative in regards to things like RBLs.

$.02,

- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/

On Sat, 7 Apr 2007, Fergie wrote:

> -- Rich Kulawiec <rsk@gsp.org> wrote:
>
> > 1. There's nothing "indiscriminate" about it.
> >
> > I often block /24's and larger because I'm holding the *network* operators responsible for what comes out of their operation. If they can't hold the outbound abuse down to a minimum, then I guess I'll have to make up for their negligence on my end. I don't care why it happens -- they should have thought through all this BEFORE plugging themselves in and planned accordingly. ("Never build something you can't control.")
>
> I would have to respectfully disagree with you. When network operators do due diligence and SWIP their sub-allocations, they (the sub-allocations) should be authoritative in regards to things like RBLs.
>
> $.02,

Yes. But the answer is that it also depends how many other cases like this exist from same operator. If they have 16 suballocations in /24 but say 5 of them are spewing, I'd block /24 (or larger) ISP block. The exact % of bad blocks (i.e. when to start blocking ISP) depends on your point of view and history with that ISP but most in fact do hold ISPs partially responsible.

--
William Leibzon
Elan Networks
william@elan.net

If they're properly SWIPed why punish the ISP for networks they don't even operate, that obviously belong to their business customers?

And if the granular blocking is effectively shutting down the abuse from that sub-allocated block, didn't the network operator succeed in protecting themselves? Or is the netop looking to the ISP to push back on their customers to clean up their act? Or is the netop trying to teach the ISP a lesson?

Of course, it doesn't hurt to copy the ISP or AS owner for abuse issues from a sub-allocated block -- you would hope that ISPs and AS owners would want to have clean customers.

Frank

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of william(at)elan.net
Sent: Saturday, April 07, 2007 5:58 PM
To: Fergie
Cc: rsk@gsp.org; nanog@merit.edu
Subject: Re: Abuse procedures... Reality Checks

On Sat, 7 Apr 2007, Fergie wrote:

> -- Rich Kulawiec <rsk@gsp.org> wrote:
>
> > 1. There's nothing "indiscriminate" about it.
> >
> > I often block /24's and larger because I'm holding the *network* operators responsible for what comes out of their operation. If they can't hold the outbound abuse down to a minimum, then I guess I'll have to make up for their negligence on my end. I don't care why it happens -- they should have thought through all this BEFORE plugging themselves in and planned accordingly. ("Never build something you can't control.")
>
> I would have to respectfully disagree with you. When network operators do due diligence and SWIP their sub-allocations, they (the sub-allocations) should be authoritative in regards to things like RBLs.
>
> $.02,

Yes. But the answer is that it also depends how many other cases like this exist from same operator. If they have 16 suballocations in /24 but say 5 of them are spewing, I'd block /24 (or larger) ISP block. The exact % of bad blocks (i.e. when to start blocking ISP) depends on your point of view and history with that ISP but most in fact do hold ISPs partially responsible.

--
William Leibzon
Elan Networks
william@elan.net

On Sat, 7 Apr 2007, Frank Bulk wrote:

> If they're properly SWIPed why punish the ISP for networks they don't even operate, that obviously belong to their business customers?

All ISPs have AUPs that prohibit spam (or at least I hope all of you do) though are enforced at some places better than at others... But the point is that each and every customer ISP is responsible for following that AUP and is responsible for making sure their customers follow it as well. So to answer you the view is that even if ISP do not operate the network by providing services and ip addresses they in fact basically do operate it on higher level and are partially directly responsible for what happens there including enforcing its AUP on its sub-ISP or business customer (and making sure they enforce same AUP provisions on their customers). Chain of responsibility if you like to think of it that way...

> And if the granular blocking is effectively shutting down the abuse from that sub-allocated block, didn't the network operator succeed in protecting themselves? Or is the netop looking to the ISP to push back on their customers to clean up their act? Or is the netop trying to teach the ISP a lesson?
>
> Of course, it doesn't hurt to copy the ISP or AS owner for abuse issues from a sub-allocated block -- you would hope that ISPs and AS owners would want to have clean customers.

Yes, of course blocking of larger ISP block would happen only after trying to notify ISP of the problem for each and every one of those subblocks did not lead to any results.

> Frank
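
The escalation rule described in the two messages from William above (block only the offending sub-allocations until enough of them are emitting abuse and the reports sent to the provider have produced no result, then block the covering allocation) can be sketched as follows. This is an added example, not code from any participant in the thread; the function name, the 0.3 threshold and the sample addresses (RFC 5737 documentation range) are assumptions.

```python
import ipaddress


def decide_blocks(parent, suballocs, abusive_ips, unanswered, threshold):
    """Choose block granularity for one provider allocation.

    parent      -- the provider's covering block (ip_network)
    suballocs   -- its SWIPed sub-allocations (list of ip_network)
    abusive_ips -- source addresses seen emitting abuse (strings)
    unanswered  -- sub-allocations whose abuse reports to the provider
                   produced no result (set of ip_network)
    threshold   -- fraction of sub-allocations at which granular
                   blocking stops; a local policy choice, assumed here
    """
    emitting = set()
    for ip in map(ipaddress.ip_address, abusive_ips):
        # Attribute each address to the sub-allocation that contains it;
        # addresses outside this provider's space are ignored.
        match = next((net for net in suballocs if ip in net), None)
        if match is not None:
            emitting.add(match)
    # Only sub-allocations that were reported without result count
    # against the provider as a whole.
    ignored = emitting & set(unanswered)
    if suballocs and len(ignored) / len(suballocs) >= threshold:
        return [parent]
    return sorted(emitting)


# Constructed sample: a /24 from the RFC 5737 documentation range,
# split into 16 /28 sub-allocations as in the message above.
PARENT = ipaddress.ip_network("192.0.2.0/24")
SUBALLOCS = list(PARENT.subnets(new_prefix=28))
# One abusive host in each of the first five sub-allocations.
ABUSIVE = [str(SUBALLOCS[i][1]) for i in range(5)]
THRESHOLD = 0.3  # assumed policy value; 5 of 16 is about 0.31

if __name__ == "__main__":
    # Reports for all five went unanswered: escalate to the /24.
    print(decide_blocks(PARENT, SUBALLOCS, ABUSIVE,
                        set(SUBALLOCS[:5]), THRESHOLD))
    # The provider acted on two of the reports: stay granular.
    print(decide_blocks(PARENT, SUBALLOCS, ABUSIVE,
                        set(SUBALLOCS[:3]), THRESHOLD))
```
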

That sounds like a very reasonable perspective and generally the route I follow both as an operator and as someone who works with others.

Frank

-----Original Message-----
From: william(at)elan.net [mailto:william@elan.net]
Sent: Saturday, April 07, 2007 6:23 PM
To: Frank Bulk
Cc: nanog@merit.edu
Subject: RE: Abuse procedures... Reality Checks

On Sat, 7 Apr 2007, Frank Bulk wrote:

> If they're properly SWIPed why punish the ISP for networks they don't even operate, that obviously belong to their business customers?

All ISPs have AUPs that prohibit spam (or at least I hope all of you do) though are enforced at some places better than at others... But the point is that each and every customer ISP is responsible for following that AUP and is responsible for making sure their customers follow it as well. So to answer you the view is that even if ISP do not operate the network by providing services and ip addresses they in fact basically do operate it on higher level and are partially directly responsible for what happens there including enforcing its AUP on its sub-ISP or business customer (and making sure they enforce same AUP provisions on their customers). Chain of responsibility if you like to think of it that way...

> And if the granular blocking is effectively shutting down the abuse from that sub-allocated block, didn't the network operator succeed in protecting themselves? Or is the netop looking to the ISP to push back on their customers to clean up their act? Or is the netop trying to teach the ISP a lesson?
>
> Of course, it doesn't hurt to copy the ISP or AS owner for abuse issues from a sub-allocated block -- you would hope that ISPs and AS owners would want to have clean customers.

Yes, of course blocking of larger ISP block would happen only after trying to notify ISP of the problem for each and every one of those subblocks did not lead to any results.

> Frank

> If they're properly SWIPed why punish the ISP for networks they don't even operate, that obviously belong to their business customers?

How can you tell that they don't operate a network from SWIP records? Seems to me that lots of network operators sell "managed services" to businesses which means that the network operator is the one operating the business customers' networks.

Let's face it, the whole SWIP system and whois directory concept was poorly implemented way back in the 1980s and it is completely inadequate on an Internet that is thousands of times larger than it was when SWIP and whois were first developed.

How many of you were aware that whois was originally intended to record all users of the ARPAnet from each site so that networking departments could justify the funds they were spending on high-speed 56k frame relay links?

--Michael Dillon

On Mon, 9 Apr 2007 michael.dillon@bt.com wrote:

> > If they're properly SWIPed why punish the ISP for networks they don't even operate, that obviously belong to their business customers?
>
> How can you tell that they don't operate a network from SWIP records?
>
> Seems to me that lots of network operators sell "managed services" to businesses which means that the network operator is the one operating the business customers' networks.

"OPERATING PARTS" of the business customers' networks ... 'managed services' means lots of things, anything from: "I'll manage your firewall" to "I'll manage that CPE router" to "I'll have feet on the street picking up crumbs in the hallways of your office buildings 24/7/365"...

Assuming ... welp, that's dangerous :)

So, what this is all getting back to (the whole 'abuse procedures' and 'dropping traffic because you dislike someone/some-ip/somecountry') is that essentially each site has the twin responsibilities to:

1) clean up their part of the network
2) decide who they want to accept traffic from

The #1 above is only going to save you a minor amount of money (if any) and is going to assure that in the longer term your traffic might have a lower chance of being dropped by someone more draconian than you (say PaulV for instance).

The #2 above is purely your own decision process, it may be driven by some business decisions/drivers (less money on email servers, less money on links, less firewall costs, customers that really do interact with <insert-bad-country-here>).

You have to, as a network operator, decide how you want to deal with all of this. Taking any one person's opinion and using only that is surely going to lead to some bad decisions for your network.

On Sat, Apr 07, 2007 at 05:12:19PM -0500, Frank Bulk wrote:

> If they're properly SWIPed why punish the ISP for networks they don't even

"punish"? Since when is it "punishment" to refuse to extend a privilege that's been repeatedly and systematically abused?

(You have of course, absolutely no right whatsoever to expect any services of any kind from anyone other than those you've contracted for. Everything beyond that is a privilege, generously furnished to you at the whim of those operating the service. It may be restricted or withdrawn at any time, for any reason, with or without notice to you. Now as a general rule, we all have chosen to furnish those services -- by default and without limitation. But that doesn't turn them into entitlements.)

The word "punish" is completely inapplicable in this context.

> operate, that obviously belong to their business customers?

Questions:

1. Is your name on it in any way, shape or form? (This includes allocations.)
2. Is it emitting abuse?

If the answers are "yes", then it's YOUR abuse. Trying to evade responsibility by claiming that "it's one of our customers" is just another pathetic excuse for incompetence.

> Of course, it doesn't hurt to copy the ISP or AS owner for abuse issues from a sub-allocated block -- you would hope that ISPs and AS owners would want to have clean customers.

Unless of course the ISP or AS owner *are* the abuser under another name, or unless they're actively complicit. Both are quite common.

Beyond that: any *competent* ISP or AS owner will already know about the abuse. They will have deployed measures designed to detect said abuse well before anyone else out there reports it to them. (Example: setting up their own spamtraps explicitly designed to catch their own customers.) By the time an external observer reports a problem to them, it should already be old news and already be well on its way to remediation.

---Rsk

On Fri, 13 Apr 2007, Rich Kulawiec wrote:

> Since when is it "punishment" to refuse to extend a privilege that's been repeatedly and systematically abused?

It IS punishment if it's in response to some sort of undesired behavior, but it probably isn't UNJUSTIFIED punishment.

--
Steve Sobol, Professional Geek ** Java/VB/VC/PHP/Perl ** Linux/*BSD/Windows
Victorville, California PGP:0xE3AE35ED

It's all fun and games until someone starts a bonfire in the living room.

> I would have to respectfully disagree with you. When network operators do due diligence and SWIP their sub-allocations, they (the sub-allocations) should be authoritative in regards to things like RBLs.

How do you tell when they have actually done "due diligence". Existence of a SWIP record is essentially meaningless in this day and age. Many people do them automatically and there may well be nobody left on staff who knows that this is happening or what it all means.

--Michael Dillon

On Sat, Apr 07, 2007 at 09:50:34PM +0000, Fergie wrote:

> I would have to respectfully disagree with you. When network operators do due diligence and SWIP their sub-allocations, they (the sub-allocations) should be authoritative in regards to things like RBLs.

After thinking it over: I partly-to-mostly agree. In principle, yes. In practice, however, [some] negligent network operators have built such long and pervasive track records of large-scale abuse that their allocations can be classified into two categories:

1. Those that have emitted lots of abuse.
2. Those that are going to emit lots of abuse.

In such cases, I'm not inclined to wait for (2) to become reality.

---Rsk

participants (7)

- Chris L. Morrow
- Fergie
- Frank Bulk
- michael.dillon@bt.com
- Rich Kulawiec
- Steve Sobol
- william(at)elan.net