nanog mailing list archives
Re: Abuse procedures... Reality Checks
From: Chris Owen <owenc () hubris net>
Date: Sat, 7 Apr 2007 16:35:35 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Apr 7, 2007, at 4:20 PM, Frank Bulk wrote:
Sure, block that /29, but why block the /24, /20, or even /8? Perhaps your (understandable) frustration is preventing you from agreeing with me on this specific case. Because what you usually see is an IP from a /20 or larger and the network operators aren't dealing with it. In the example I gave it's really the smaller /29 that's the culprit, it sounds like you want to punish a larger group, perhaps as large as an AS, for the fault of smallernetwork.
Well it sounds like the original poster is trying to punish the "network operator" by intentionally blocking innocent bystanders and therefore causing them grief so if that is your goal then a /24 seems like a decent arbitrary size. You are mostly sure you won't block across providers that way at least.
However, even if this isn't your goal it can be really hard sometimes to have any clue how big a netblock is for a particular IP address. ARIN may make small folks like us jump through hoops but apparently this isn't true for larger providers. We often run into abuse from IP addresses (or a range of addresses) where there is no rwhois sever and the entire /19 or larger is SWIPed as a single netblock. I've seen some really, really large blocks with absolutely no sub- delegation when clearly the addresses are sub-delegated.
We will often temporary block a /24 on email blacklists for instance. When you're getting pounded from a range of 30 or 50 IP addresses and can't get any response from the upstream then it is farily obvious they are less than white hat so we're willing to live with the collateral damage.
Chris ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Chris Owen ~ Garden City (620) 275-1900 ~ Lottery (noun): President ~ Wichita (316) 858-3000 ~ A stupidity tax Hubris Communications Inc www.hubris.net ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (Darwin) iD8DBQFGGA6nElUlCLUT2d0RAkWzAJ4mjXT5gwB0psG7e/YhmzUcFXhksgCgyx2g 5VDgB0KMLyMFIdVzrPaPGJI= =E5xl -----END PGP SIGNATURE-----
Current thread:
- RE: GoDaddy's abuse procedures [was: ICANNs role [was: Re: On-going ...]] Frank Bulk (Apr 07)
- Abuse procedures... Reality Checks J. Oquendo (Apr 07)
- RE: Abuse procedures... Reality Checks Frank Bulk (Apr 07)
- Re: Abuse procedures... Reality Checks J. Oquendo (Apr 07)
- Re: Abuse procedures... Reality Checks Peter Dambier (Apr 07)
- Re: Abuse procedures... Reality Checks Rich Kulawiec (Apr 07)
- Message not available
- RE: Abuse procedures... Reality Checks Frank Bulk (Apr 07)
- Re: Abuse procedures... Reality Checks Chris Owen (Apr 07)
- Re: Abuse procedures... Reality Checks Stephen Satchell (Apr 07)
- RE: Abuse procedures... Reality Checks Frank Bulk (Apr 07)
- Re: Abuse procedures... Reality Checks Paul Vixie (Apr 08)
- RE: Abuse procedures... Reality Checks Frank Bulk (Apr 07)
- Re: Abuse procedures... Reality Checks Rich Kulawiec (Apr 10)
- RE: Abuse procedures... Reality Checks michael.dillon (Apr 10)
- Re: Abuse procedures... Reality Checks Joseph S D Yao (Apr 10)
- Abuse procedures... Reality Checks J. Oquendo (Apr 07)