nanog mailing list archives
Re: Abuse procedures... Reality Checks
From: Rich Kulawiec <rsk () gsp org>
Date: Sat, 7 Apr 2007 16:32:58 -0400
On Sat, Apr 07, 2007 at 02:31:25PM -0500, Frank Bulk wrote:
> I understand your frustration and appreciate your efforts to contact the sources of abuse, but why indiscriminately block a larger range of IPs than what is necessary?

1. There's nothing "indiscriminate" about it. I often block /24's and larger because I'm holding the *network* operators responsible for what comes out of their operation. If they can't hold the outbound abuse down to a minimum, then I guess I'll have to make up for their negligence on my end. I don't care why it happens -- they should have thought through all this BEFORE plugging themselves in and planned accordingly. ("Never build something you can't control.")

Neither I nor J. Oquendo nor anyone else is required to spend our time, our money, and our resources figuring out which parts of X's network can be trusted and which can't. It is entirely X's responsibility to make sure that its _entire_ network can be permitted the privilege of access to ours.

And (while I don't wish to speak for anyone else), I think we're prepared to live with a certain amount of low-level, transient, isolated noise. We are not prepared to live with persistent, systemic attacks that are not dealt with even *after* complaints are filed. (Which shouldn't be necessary anyway: if we can see inbound hostile traffic to our networks, surely X can see it outbound from theirs. Unless X is too stupid, cheap or lazy to look. Packets do not just fall out of the sky, y'know?)

2. "necessary" is a relative term. Example: I observed spam/spam attempts from 3,599 hosts on pldt's network during January alone. I've blocked everything they have, because I find it *necessary* to not wait for the other N hosts on their network to pull the same stunt. I've found it *necessary* to take many other similar measures as well because my time, money and resources are limited quantities, so I must expend them frugally while still protecting the operation from overtly hostile networks. That requires pro-active measures and it requires ones that have been proven to be effective.

If X, for some value of X, is unhappy about this, then X should have thought of that before permitting large amounts of abuse to escape its operation over an extended period of time. Had X done its job to a baseline level of professionalism, then this issue would not have arisen, and we'd all be better off for it.

So. If you (generic you) can't keep your network from being a persistent and systemic abuse source, then unplug it. Now.

If, on the other hand, you decide to stick around anyway while letting the crap flow: no whining when other people find it necessary to take steps to defend themselves from your incompetence.

---Rsk