Status Report - Mail Bombing of World.std.com by Sprint Client + FAQ
We are now well into day four and about to enter day five of this.

As of about 9PM EST the mail-bombing of world.std.com by the Sprint client iq-internet.com continues full bore.

It had stopped between about 8AM EST until about 8PM EST Sunday 1/5/97 and then restarted leading me to believe someone at iq-internet.com manually restarted the mail-bombing. There is no reason to believe there were any 12 hour connectivity problems between us or similar external explanations, someone at iq-internet.com most likely noticed it had stopped and restarted it.

Sprint's position (explained to me at around 8:45PM EST when I called to report this status, also emailed Sprint the logs) is that they will meet during business hours tomorrow (Monday 1/6/97) to discuss this issue.

To save hearing the obvious suggestions etc again, increasing traffic on these lists here is a brief FAQ:

Q1. Are you (std.com) a Sprint customer?

A1: No, we are not.

Q2: Why don't you just block it at your router?

A2a: It's effectively blocked at our host, which no doubt is faster than the router anyhow (a 16 cpu SGI Challenge XL w/ 1.5GB ram), but this gives me full logs.

A2b: Note that blocking it at the router does nothing to free up our bandwidth to the internet we are trying to provide to our customers. Since the path between our router and world.std.com is a 100mb/s FDDI letting it go that one more hop is inconsequential to the harm being done.

Q3: Ok, why don't you ask your provider (Alternet) to block it?

A3a: A lot of this has to do with Sprint's reluctance to deal with their customer in any timely manner (four days, including two weekdays, would seem sufficient for them to simply put one route block in at iq-internet.com's router.) I want the logs for now, I want the bigger problem which seems to prevent Sprint front-line NOC personnel from fixing operational problems fixed.
Burying it as another router block at our end or our backbone provider's end doesn't deal with the real problem here, that Sprint has policies in place preventing them from dealing with malicious, disruptive and damaging customers.

A3b: Yes Alternet has offered to do this as soon as I request it.

Q4: Why don't you email bomb, SYN attack, etc the host doing this to you?

A3: Although I have sent a lot of email to a lot of accounts at the host periodically asking them to stop I don't think malicious behavior will help get to the root problem here which is Sprint's policies forbidding their personnel from intervening into even the most egregious and outrageous abuse of network facilities without self-defeating and lengthy bureaucratic process (I think that's a fair characterization as we go into the FIFTH day of this.)

Q5: Ok, why don't you redirect it to addresses at sprint or mailbomb them or something similar to get their attention?

A5: Again, self-defeating. But it is nice to know the people who are empowered to make this decision are enjoying *THEIR* weekend.

Q6: Do you believe this is an isolated incident or a real failure in policy at Sprint? It seems fairly outrageous that they can't stop a customer whose behavior is so malicious, it doesn't seem possible that the customer doesn't know that this has gone way beyond "spam".

A6: I believe this is a total failure of express Sprint policy and not an isolated incident in any way. I have been told many times now by Sprint personnel (at their NOC) that official policy forbids them from acting against this mail-bombing and there exists no process to get a decision made otherwise which takes less than the five days it looks like it is going to take (eg, there's no single manager they can call who has the authority to order the route block or some action be taken, or these people feel they can put such decision-making off until it is convenient for them personally.)
Q7: Well, I can see Sprint's reluctance to block this loathsome creature entirely from the net without some process, these are litigious times, but you're saying Sprint refuses to even block the single route between iq-internet.com (the mail-bomber) and your host? Is there any legitimate reason for this site to be able to get to your host?

A7: Yes, I am saying that Sprint policy is such that their personnel is not authorized to install even one route block without lengthy bureaucratic process taking several days.

Q8: Why do you think this is so?

A8a: Because there is an atmosphere of fear, essentially, at Sprint's NOC and their personnel have been completely unempowered from taking operational actions they know are required of them to operate within the greater internet. Essentially, they (Sprint policy-makers) apparently believe that any damage to the greater internet or any host or site is less important than their ability to run internal bureaucratic process at whatever pace and using whatever management style which suits them.

A8b: As far as I can tell once they identify a customer as a "spammer" then they can take no action against him, no matter what the actual behavior is. At this point this is clearly an operational/technical problem, the "spam" has been blocked for four days now, the spammer has been told this, yet messages are still being looped from his machine almost non-stop. It is only via some bizarre exercise in "mind-reading" that someone, in my opinion, could surmise that the perpetrator's intention is to deliver advertising to mailboxes at our site. Yet, Sprint personnel are not empowered to do anything about this without lengthy internal process.

Q9: Wow, this is quite outrageous, I'd go so far as to say "scary".
Many of us sit here naively thinking that large companies such as Sprint selling internet services basically do their jobs within some reasonable range of quality, but this sounds like a very deep and worrisome failure of management at Sprint. How can any network emergencies be taken care of if they won't let their front-line NOC personnel take any operational responsibility, and it takes days and days to escalate internally what seem to be relatively straightforward problems with straightforward solutions which really should be dealt with quickly, in minutes, or certainly a very few hours?

A9: No comment.

--
        -Barry Shein

Software Tool & Die    | bzs@world.std.com      | http://www.std.com
Purveyors to the Trade | Voice: 617-739-0202    | Login: 617-739-WRLD
The World              | Public Access Internet | Since 1989
On Sun, 5 Jan 1997, Barry Shein wrote:
We are now well into day four and about to enter day five of this.
As of about 9PM EST the mail-bombing of world.std.com by the Sprint client iq-internet.com continues full bore.
% /sbin/route add -host 208.8.32.10 lo0

__
Todd Graham Lewis Linux! Core Engineering
Mindspring Enterprises tlewis@mindspring.com (800) 719 4664, x2804
On Sun, 5 Jan 1997 22:00:39 -0500 (EST), you wrote:
On Sun, 5 Jan 1997, Barry Shein wrote:
We are now well into day four and about to enter day five of this.
As of about 9PM EST the mail-bombing of world.std.com by the Sprint client iq-internet.com continues full bore.
% /sbin/route add -host 208.8.32.10 lo0
And leave us without the lively discussion about how Sprint policy sucks? No waaaay.
Todd Graham Lewis Linux! Core Engineering
Dima
On Sun, 5 Jan 1997, Barry Shein wrote:
We are now well into day four and about to enter day five of this.
As of about 9PM EST the mail-bombing of world.std.com by the Sprint client iq-internet.com continues full bore.
% /sbin/route add -host 208.8.32.10 lo0
__ Todd Graham Lewis Linux! Core Engineering Mindspring Enterprises tlewis@mindspring.com (800) 719 4664, x2804
This will cause Barry to SYN-flood himself. The only way to block it is with incoming filters. If you block the outbound path back, you'll get SYNs, return SYN-acks, but never get those ACKed...

Avi <Who did this to himself once>
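Added example, not part of the original thread: a small Python model of the mail host's listen queue, contrasting the null route on the return path with an ingress filter as described in the reply above. The backlog size, timeout, arrival rates and the 192.0.2.25 sender are constructed assumptions; only 208.8.32.10 comes from the thread.

```python
from collections import deque

BLOCKED = "208.8.32.10"   # address from the thread
BACKLOG = 128             # assumed listen-queue size (constructed)
SYNACK_TIMEOUT = 75       # assumed seconds a half-open entry is held (constructed)

def simulate(mode, seconds=300, bomber_rate=5, legit_every=10):
    """Return (peak_half_open, legit_refused) for one blocking mode.

    "null_route":     the SYN reaches the TCP stack, the SYN-ACK is discarded
                      on the way out, so the handshake never completes.
    "ingress_filter": the SYN from BLOCKED is dropped before the stack sees it.
    """
    half_open = deque()   # expiry times of entries stuck in SYN_RCVD
    peak = refused = 0
    for now in range(seconds):
        # Entries whose SYN-ACK retransmissions have timed out are released.
        while half_open and half_open[0] <= now:
            half_open.popleft()
        # SYNs arriving this second; the legitimate one is handled last.
        arrivals = [BLOCKED] * bomber_rate
        if now % legit_every == 0:
            arrivals.append("192.0.2.25")   # constructed legitimate sender
        for src in arrivals:
            if src == BLOCKED and mode == "ingress_filter":
                continue                    # never touches the listen queue
            if len(half_open) >= BACKLOG:
                if src != BLOCKED:
                    refused += 1            # a real sender's SYN is dropped
                continue
            if src == BLOCKED:
                # SYN-ACK is routed to lo0, so no ACK ever comes back.
                half_open.append(now + SYNACK_TIMEOUT)
            # A legitimate peer ACKs at once and does not occupy the queue.
        peak = max(peak, len(half_open))
    return peak, refused

if __name__ == "__main__":
    for mode in ("null_route", "ingress_filter"):
        print(mode, simulate(mode))
```

With the null route the queue saturates within the first half minute and stays full; with the ingress filter it never holds a half-open entry.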
On Jan 6, 1997, Avi Freedman wrote:
This will cause Barry to SYN-flood himself.
The only way to block it is with incoming filters.
Agreed. So, the question arises, why can't Barry do this? It seems to me to be the logical solution, since the source address is already known.

--
+------------------------------------+--------------------------------------+
|Alec Peterson - ahp@hilander.com    | Erols Internet Services, INC.        |
|Network Engineer                    | Springfield, VA.                     |
+------------------------------------+--------------------------------------+
Barry Shein wrote:

A7: Yes, I am saying that Sprint policy is such that their personnel is not authorized to install even one route block without lengthy bureaucratic process taking several days.

Q8: Why do you think this is so?

A8a: Because there is an atmosphere of fear, essentially, at Sprint's NOC and their personnel have been completely unempowered from taking operational actions they know are required of them to operate within the greater internet. Essentially, they (Sprint policy-makers) apparently believe that any damage to the greater internet or any host or site is less important than their ability to run internal bureaucratic process at whatever pace and using whatever management style which suits them.

Cook: I wish Sprint no ill, for I would not like to see the big five become the big four. Yet I agree with most all of what Barry says. They ARE a strange bunch. MCI, UUNET, and BBN certainly do not suffer from the same sense of ennui. Indeed people at these providers have real three dimensional personalities. Sprint does not and seems to govern by committee. I have had two official interviews on the phone with them in the last year. They placed three executives on the one call and *four* on the other.

The list of Sprint alumni is pretty awesome. SprintLink has never had a spokesperson like a John Curran, Vint Cerf, or Mike O'Dell. At least not for any length of time. First Bob Collet, Vadim, then Sean. All gone now. Last summer I was told that Sean Doran had occasionally angered some people..... who went looking for someone to hand Sean his head. They never could find anyone who had the authority, he said. Yet Sean now is gone. The same Sean who DID anger many but who seems to me to be one of the sanest, most level headed, most articulate and most knowledgeable people in this business, this Sean bit the dust in the space of less than a day early last September. Fired with no warning.... in the space it seemed of minutes.
[I knew about it in less than 2 hours after it happened.]

There are in the internet official and unofficial titles..... often the unofficial are in many ways the MORE important. Sean had some VERY important UNofficial titles. Given the demand for talent like his for Sprint to terminate him without notice as happened is virtually **incomprehensible.** Yet Sprint did so. Why? it makes no sense. But it certainly can explain the reference to fear within the Sprint NOC that Barry made. What if, in placing the filter to make Barry happy, a hapless SprintLink engineer unwittingly angered someone with considerably more power than Barry and caused another blow to descend from management? Why chance it?

I have been told that Sean, endeavoring to carry out a known Sprint policy, angered an outside and powerful person last September. I have no proof of this 'rumor'. But if anyone does have any verifiable information as to exactly what DID happen I'd certainly like to know. Because, if Sprint did capitulate to an outside power in the way described to me, such action deserves to be made very public. I have discussed the specifics of the allegation with the key people directly involved. They all denied the allegation. But they also offered no alternative story. From what they told me all parties appear to have signed an agreement not to talk about what actually happened. I want to make very clear however that nothing I have heard indicates to me any shred of unprofessional behavior on Sean's part. I have the highest respect for him and, were I the responsible decision maker for a major provider, I'd be moving to get him working for me ASAP.

Like it or not Sean was SprintLink's voice on the net. In view of his sudden demise I am not surprised to find that Barry has found a malaise.
From what I can tell the Sprint decision makers are the telco people and at least one and probably two levels above the OPs people -- telco people to whom the Internet is still terra incognita. A pity because it is certainly contrary to Sprint's interest to be the de facto training ground for the employees of its competitors.
If nanog folk deem this off topic, i'll be glad to remove nanog from future responses.

************************************************************************
The COOK Report on Internet               For subsc. pricing & more than
431 Greenway Ave, Ewing, NJ 08618 USA     ten megabytes of free material
(609) 882-2572 (phone & fax)              visit http://pobox.com/cook/
Internet: cook@cookreport.com             For case study of MercerNet &
TIIAP induced harm to local community http://pobox.com/cook/mercernet.html
************************************************************************
If nanog folk deem this off topic, i'll be glad to remove nanog from future responses.
As much as some people are complaining about it, I think it's an interesting and at least vaguely on-topic discussion. Like it or not, email and usenet spam handling is now a serious operational matter at internet providers at all levels and must be handled as with other network problems.

What Barry is trying to do in posting it to these lists is to shame Sprint into taking action, a time honored tradition, if not often used on the Net. If Sprint is in fact failing to live up to its published policies regarding customers who are causing network abuse, then this is a very serious issue. Once it becomes public, the abusers will flock there and stay within the enforced rather than announced rules.

-george william herbert
gherbert@crl.com
I have been told that Sean, endeavoring to carry out a known Sprint policy, angered an outside and powerful person last September. I have no proof of this 'rumor'. But if anyone does have any verifiable information as to exactly what DID happen I'd certainly like to know. Because, if Sprint did capitulate to an outside power in the way described to me, such action deserves to be made very public. I have discussed the specifics of the allegation with the key people directly involved. They all denied the allegation. But they also offered no alternative story. From what they told me all parties appear to have signed an agreement not to talk about what actually happened. I want to make very clear however that nothing I have heard indicates to me any shred of unprofessional behavior on Sean's part. I have the highest respect for him and, were I the responsible decision maker for a major provider, I'd be moving to get him working for me ASAP.
In the rant explaining his departure that I got from Sean (the word bonehead was frequently used), he didn't mention anything about pissing someone off from outside, but I suppose it could have happened. He certainly pissed off many from outside for a long time - the question is, why would it matter all of a sudden :)

Avi
If A2b is important to you, then you should immediately follow through with A3b.

<deletia>
A2b: Note that blocking it at the router does nothing to free up our bandwidth to the internet we are trying to provide to our customers. Since the path between our router and world.std.com is a 100mb/s FDDI letting it go that one more hop is inconsequential to the harm being done.
Q3: Ok, why don't you ask your provider (Alternet) to block it?
<deletia>
A3b: Yes Alternet has offered to do this as soon as I request it.
It strikes me that you're using this event as a vehicle to effect a desirable change at the expense of your customers. (And, some might argue, several mailing lists.)

Or, it's really not affecting your customers all that much, in which case you may be inflating the severity of the harm being done.

-David
participants (8)
- ahp@hilander.com
- Avi Freedman
- Barry Shein
- David Kovar
- dvv@demos.su
- George Herbert
- Gordon Cook
- Todd Graham Lewis