Re: Abuse procedures... Reality Checks

2007-04-13 Thread J. Oquendo

Last post for me on this thread... Dirty Networking 101

So the other morning I found a contact for a company who'll for
now remain unnamed; this contact is on this group. Sent them
yet another message (3 this week):

new message
To whom it may concern,

One of my servers has been heavily under attack for the past 24
hours from your IP space. There were 10726 attempts to log into
my VoIP server within the last 24 hours. Please sanitize this
machine from your network. Attached is the logfile.
/new message

10726 attacks in a variety of forms. Why should I NOT ban this
network and its clients from reaching my networks? Can someone
please help me understand the logic of being called something
akin to a crybaby, spoiled sport, unfair admin since I am now
going to block their /17?

On to semi-relevant news...

For those who care: Support Intelligence analyzed 22,000 ASNs
for every kind of eCrime including DDoS, Scanning, hosting
Malware, sending Spam, hosting a phish, or transmitting viruses
... 17 of the 100 networks listed are from ARIN. Six of the
seventeen are from Time Warner. 5 are from Comcast, 2 are from
Charter.

http://blog.support-intelligence.com/2007/04/doa-week-14-2007.html

That's their record. I now have 52 hosts dumping out syslog
records and can name about 30+ networks, of which some of
the engineers from them are on this list. So what is there
left to do when points of contact fail miserably?

Maybe I will take a crack at writing a document based on the
amount of waste, whether it's bandwidth, time or money, in blocking
venomous hosts from my subnets. Costs, benefits, experience,
pros, cons.

--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net

The happiness of society is the end of government.
John Adams


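Summarising the attached logfile into the per-source and per-prefix counts an abuse desk can act on, as an added example that is not part of the original post: the Asterisk-style "Registration from ... failed" lines, the RFC 5737 test addresses and the /24 grouping are constructed assumptions (group by whatever the offending allocation really is, e.g. the /17 mentioned above).

```python
"""Summarise failed VoIP (SIP) login attempts from syslog for an abuse report.

Added example; not from the original post. The log lines below are a
constructed Asterisk-style 'Registration from ... failed' format and the
/24 grouping is an assumption.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample lines (RFC 5737 test addresses); two non-matching lines included.
SAMPLE_LOG = """\
Apr 13 03:12:07 voip asterisk[2210]: NOTICE[2210] chan_sip.c: Registration from '"1001" <sip:1001@voip.example>' failed for '192.0.2.15:5060' - Wrong password
Apr 13 03:12:08 voip asterisk[2210]: NOTICE[2210] chan_sip.c: Registration from '"1002" <sip:1002@voip.example>' failed for '192.0.2.15:5060' - Wrong password
Apr 13 03:12:09 voip asterisk[2210]: NOTICE[2210] chan_sip.c: Registration from '"admin" <sip:admin@voip.example>' failed for '192.0.2.77:5060' - No matching peer found
Apr 13 03:12:10 voip asterisk[2210]: NOTICE[2210] chan_sip.c: Registration from '"1001" <sip:1001@voip.example>' failed for '198.51.100.9:5060' - Wrong password
Apr 13 03:12:11 voip asterisk[2210]: NOTICE[2210] chan_sip.c: Peer '1001' is now Reachable. (12ms / 2000ms)
Apr 13 03:12:12 voip sshd[991]: Failed password for root from 192.0.2.15 port 40112 ssh2
"""

FAILED_REG = re.compile(
    r"Registration from '(?P<user>[^']*)' failed for '(?P<ip>[0-9.]+):\d+' - (?P<reason>.*)$"
)


def parse_failures(log_text):
    """Yield (source_ip, attempted_user, reason) for each failed SIP registration."""
    for line in log_text.splitlines():
        m = FAILED_REG.search(line)
        if m:
            yield m.group("ip"), m.group("user"), m.group("reason")


def summarise(log_text, prefix_len=24):
    """Count failed attempts per source address and per enclosing prefix."""
    per_host = Counter()
    per_prefix = Counter()
    for ip, _user, _reason in parse_failures(log_text):
        per_host[ip] += 1
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        per_prefix[str(net)] += 1
    return {"total": sum(per_host.values()), "per_host": per_host, "per_prefix": per_prefix}


def abuse_report(log_text, abuse_window_hours=24, prefix_len=24):
    """Render the summary as the body of an abuse complaint."""
    s = summarise(log_text, prefix_len)
    lines = [
        f"There were {s['total']} failed login attempts against my VoIP server "
        f"in the last {abuse_window_hours} hours from your IP space.",
        "",
        "Attempts per source address:",
    ]
    for ip, n in s["per_host"].most_common():
        lines.append(f"  {ip:<16} {n}")
    lines += ["", f"Attempts per /{prefix_len}:"]
    for net, n in s["per_prefix"].most_common():
        lines.append(f"  {net:<20} {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(abuse_report(SAMPLE_LOG))
```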


Re: Abuse procedures... Reality Checks

2007-04-13 Thread Rich Kulawiec

On Sat, Apr 07, 2007 at 05:12:19PM -0500, Frank Bulk wrote:
 If they're properly SWIPed why punish the ISP for networks they don't even

punish?

Since when is it punishment to refuse to extend a privilege that's been
repeatedly and systematically abused?  (You have, of course, absolutely
no right whatsoever to expect any services of any kind from anyone other
than those you've contracted for.  Everything beyond that is a privilege,
generously furnished to you at the whim of those operating the service.
It may be restricted or withdrawn at any time, for any reason, with or
without notice to you.  Now, as a general rule, we all have chosen to
furnish those services -- by default and without limitation.  But that
doesn't turn them into entitlements.)

The word "punish" is completely inapplicable in this context.

 operate, that obviously belong to their business customers? 

Questions:

1. Is your name on it in any way, shape or form?
   (This includes allocations.)
2. Is it emitting abuse?

If the answers are yes, then it's YOUR abuse.  Trying to evade
responsibility by claiming that it's "one of our customers" is
just another pathetic excuse for incompetence.
 
 Of course, it doesn't hurt to copy the ISP or AS owner for abuse issues from
 a sub-allocated block -- you would hope that ISPs and AS owners would want
 to have clean customers.  

Unless of course the ISP or AS owner *are* the abuser under another
name, or unless they're actively complicit.  Both are quite common.

Beyond that: any *competent* ISP or AS owner will already know about
the abuse.  They will have deployed measures designed to detect said
abuse well before anyone else out there reports it to them.  (Example:
setting up their own spamtraps explicitly designed to catch their own
customers.)  By the time an external observer reports a problem to them, it
should already be old news and already be well on its way to remediation.

---Rsk



Re: Abuse procedures... Reality Checks

2007-04-13 Thread Steve Sobol

On Fri, 13 Apr 2007, Rich Kulawiec wrote:
 
 Since when is it punishment to refuse to extend a privilege that's been
 repeatedly and systematically abused?

It IS punishment if it's in response to some sort of undesired behavior, 
but it probably isn't UNJUSTIFIED punishment.

-- 
Steve Sobol, Professional Geek ** Java/VB/VC/PHP/Perl ** Linux/*BSD/Windows
Victorville, California PGP:0xE3AE35ED

It's all fun and games until someone starts a bonfire in the living room.



RE: Abuse procedures... Reality Checks

2007-04-12 Thread Mikael Abrahamsson


On Wed, 11 Apr 2007, Frank Bulk wrote:


It truly is a wonder that Comcast doesn't apply DOCSIS config file filters
on their consumer accounts, leaving just the IPs of their email servers
open.  Yes, it would take an education campaign on their part for all the
consumers that do use alternate SMTP servers, but imagine how much work it
would save their abuse department in the long run.


There are several large ISPs (millions of subscribers) that have done away 
with TCP/25 altogether. If you want to send email thru the ISPs own email 
system you have to use TCP/587 (SMTP AUTH).


Yes, this takes commitment and resources, but it's been done 
successfully.


--
Mikael Abrahamsson    email: [EMAIL PROTECTED]


Re: Abuse procedures... Reality Checks

2007-04-12 Thread Leigh Porter

Mikael Abrahamsson wrote:

 On Wed, 11 Apr 2007, Frank Bulk wrote:

 It truly is a wonder that Comcast doesn't apply DOCSIS config file
 filters
 on their consumer accounts, leaving just the IPs of their email servers
 open.  Yes, it would take an education campaign on their part for all
 the
 consumers that do use alternate SMTP servers, but imagine how much
 work it
 would save their abuse department in the long run.

 There are several large ISPs (millions of subscribers) that have done
 away with TCP/25 altogether. If you want to send email thru the ISPs
 own email system you have to use TCP/587 (SMTP AUTH).

 Yes, this takes commitment and resources, but it's been done
 successfully.


You don't even need to do that. We just filter TCP/25 outbound and force
people to use our mail servers that have sensible rate limiting etc.
People who use alternate SMTP servers can fill in a simple web form to
have them added to the exception list. We have about 50 on this list so far.

--
Leigh Porter
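The outbound TCP/25 policy Leigh and Mikael describe, as an added example (not either operator's configuration): port 25 is blocked except to the ISP's own mail servers and a per-subscriber exception list, submission on 587 is always allowed, and senders on the ISP relay are rate limited. The addresses, the exception list, the limits and the Linux iptables rendering are assumptions.

```python
"""Subscriber outbound-SMTP policy: filter TCP/25 with exceptions, rate limit
the ISP relay. Added example, not any poster's real configuration; all
addresses (RFC 5737 ranges), the exception list and the limits are constructed.
"""
import ipaddress
import time

# The ISP's own mail servers (constructed).
ISP_MAIL_SERVERS = {ipaddress.ip_address("192.0.2.25"), ipaddress.ip_address("192.0.2.26")}

# Constructed exception list filled from the web form: subscriber -> remote
# SMTP servers that subscriber may reach on port 25.
EXCEPTIONS = {
    ipaddress.ip_address("203.0.113.40"): {ipaddress.ip_address("198.51.100.25")},
}


def egress_smtp_decision(src, dst, dport):
    """Return 'allow' or 'block' for one outbound TCP flow from a subscriber.

    Only destination port 25 is filtered: submission (587, SMTP AUTH) is always
    permitted, so customers of external mail providers keep working.
    """
    if dport != 25:
        return "allow"
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst in ISP_MAIL_SERVERS:
        return "allow"
    if dst in EXCEPTIONS.get(src, ()):
        return "allow"
    return "block"


class SubmissionRateLimiter:
    """Token bucket per authenticated sender on the ISP relay.

    `per_hour` messages are allowed on average; `burst` is the bucket size.
    `clock` is injectable so the behaviour can be tested without sleeping.
    """

    def __init__(self, per_hour=100, burst=20, clock=time.monotonic):
        self.rate = per_hour / 3600.0  # tokens per second
        self.burst = burst
        self.clock = clock
        self.buckets = {}  # sender -> [tokens, last_refill_time]

    def allow(self, sender):
        now = self.clock()
        tokens, last = self.buckets.get(sender, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.buckets[sender] = [tokens - 1, now]
            return True
        self.buckets[sender] = [tokens, now]
        return False


def iptables_rules(subscriber_iface="eth1"):
    """Render the same policy as iptables FORWARD rules (assumed Linux gateway).

    Order matters: accept the ISP servers and the exceptions first, then
    reject everything else headed for port 25.
    """
    rules = []
    for srv in sorted(ISP_MAIL_SERVERS):
        rules.append(f"iptables -A FORWARD -i {subscriber_iface} -p tcp -d {srv} --dport 25 -j ACCEPT")
    for src, dsts in EXCEPTIONS.items():
        for dst in sorted(dsts):
            rules.append(
                f"iptables -A FORWARD -i {subscriber_iface} -p tcp -s {src} -d {dst} --dport 25 -j ACCEPT"
            )
    rules.append(f"iptables -A FORWARD -i {subscriber_iface} -p tcp --dport 25 -j REJECT --reject-with tcp-reset")
    return rules


if __name__ == "__main__":
    print("\n".join(iptables_rules()))
```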




RE: Abuse procedures... Reality Checks

2007-04-12 Thread Fernando André



Citando Frank Bulk [EMAIL PROTECTED]:
 but imagine how much work it

would save their abuse department in the long run


I think that Comcast's trouble isn't as much as that of the companies
affected. I keep to the idea that the best is to rate limit incoming
connections and a lot of filtering to prevent the spam flood and keep
hardware costs low.

Placing the filtering on the user will make the user cry a lot against
the ISP, change ISP and keep the problem. They really don't care about
their computer.

By using rate limiting on incoming connections a lot of dynamic addresses
are blocked.

Additionally, upper management gives or takes away manpower many times
without the understanding of what 'should' be done to be a good netizen,
and this defines how much effort can be spent on fixing the problems.

This is the biggest problem: upper management really doesn't care and the
time to spend on these problems is not accounted for.

So controlling the number of messages that leave your SMTP server is a
solution, and the PBL from Spamhaus is a good thing! SPF is also good but
will lead to complaints (tough).

Blocking TCP destination port 25 to outside the network might work well
on small ISPs without a competing ISP; on big ones I doubt it.


Fernando Ribeiro



http://www.tvtel.pt - Tvtel Comunicações S.A.



Re: Abuse procedures... Reality Checks

2007-04-12 Thread Kradorex Xeron

On Thursday 12 April 2007 06:14, Fernando André wrote:
 Citando Frank Bulk [EMAIL PROTECTED]:
  but imagine how much work it

  would save their abuse department in the long run

 I think that Comcast's trouble isn't as much as that of the companies
 affected. I keep to the idea that the best is to rate limit incoming
 connections and a lot of filtering to prevent the spam flood and keep
 hardware costs low.

 Placing the filtering on the user will make the user cry a lot against
 the ISP, change ISP and keep the problem. They really don't care about
 their computer.


Agreed - 90-98% of end users could care less about their computer security, no 
matter who makes them look at the problem; they just want to chat with aunt 
{lilly|mary|other} in God knows where or to close that business deal in New 
York. They don't want to bother with ports, IP, firewalls, etc., and I don't 
think that will change easily.

And as said previously, the person will ignore their ISP and cancel and move 
to another SP if the ISP hassles them with blocking their email, stopping 
certain apps, etc.

This isn't only a spam problem. It's also a problem with personal machines 
getting botnetted, virus'd, trojan'd over and over and over again.

Why? There's simply no end-user accountability.

 By using rate limiting on incoming connections a lot of dynamic addresses
 are blocked.

 Additionally, upper management gives or takes away manpower many times
 without the understanding of what 'should' be done to be a good netizen,
 and this defines how much effort can be spent on fixing the problems.

 This is the biggest problem: upper management really doesn't care and the
 time to spend on these problems is not accounted for.


Agreed again - Upper management business-types that are not involved in the 
actual operations of their businesses are most of the time not clueful enough 
to realize the problems, no matter how many times people explain it to them, 
they simply only see if it's making them money.


 So controlling the number of messages that leave your SMTP server is a
 solution, and the PBL from Spamhaus is a good thing! SPF is also good but
 will lead to complaints (tough).

 Blocking TCP destination port 25 to outside the network might work well
 on small ISPs without a competing ISP; on big ones I doubt it.

 
 Fernando Ribeiro
 

 
 http://www.tvtel.pt - Tvtel Comunicações S.A.


RE: Limiting email abuse by subscribers [was: Abuse procedures... Reality Checks]

2007-04-12 Thread Frank Bulk

Leigh:

How many customers do you serve that you have just 50 exceptions?

It's my understanding that the most efficient way to keep things clean for
cable modem subscribers is to educate subscribers to use port 587 with SMTP
AUTH for both the ISP's own servers and their customer's external mail
server, and then block destination port 25 on the cable modem.  For
alternative access technologies, block destination port 25 on the access
gear or core routers/firewalls.

Regards,

Frank

-Original Message-
From: Frank Bulk 
Sent: Thursday, April 12, 2007 7:48 AM
To: Mikael Abrahamsson
Cc: [EMAIL PROTECTED]
Subject: Re: Abuse procedures... Reality Checks


Mikael Abrahamsson wrote:

 On Wed, 11 Apr 2007, Frank Bulk wrote:

 It truly is a wonder that Comcast doesn't apply DOCSIS config file
 filters
 on their consumer accounts, leaving just the IPs of their email servers
 open.  Yes, it would take an education campaign on their part for all
 the
 consumers that do use alternate SMTP servers, but imagine how much
 work it
 would save their abuse department in the long run.

 There are several large ISPs (millions of subscribers) that have done
 away with TCP/25 altogether. If you want to send email thru the ISPs
 own email system you have to use TCP/587 (SMTP AUTH).

 Yes, this takes commitment and resources, but it's been done
 successfully.


You don't even need to do that. We just filter TCP/25 outbound and force
people to use our mail servers that have sensible rate limiting etc.
People who use alternate SMTP servers can fill in a simple web form to
have them added to the exception list. We have about 50 on this list so far.

--
Leigh Porter






Re: Abuse procedures... Reality Checks

2007-04-11 Thread J. Oquendo

Stephen Satchell wrote:


SWIPs are required for reallocations of /29 and larger if the 
allocation owner does not operate a RWhoIs server.


Of course, SWIP is an ARIN thing, and you work for BRITISH 
TELECOMMUNICATIONS PLC.  As a US network operator, I was well aware of 
the requirements for SWIP, because ARIN rules make it clear that, as a 
netblock owner of an ARIN allocation, I'm required to do it.




Being I work at a US network operator, and others who've been
attacking my hosts come from US network operators, who can
I complain to when some of the bigger fish are not complying with
these so-called rules? Many network operators are required to
do a lot of things; one of these things should be the
mitigation of malicious traffic from LEAVING their network.

If some of these companies can't follow the rules, then I see
no need for me to discontinue punishing allocations on their
CIDRs whenever my network is attacked since it seems to be the
only method I found to 1) protect my networks and clients and
2) to get someone's attention.


Which numbering authority do you work with day to day?


Me? I work for an authority whose guidelines many bigger providers
should be following, setting examples for smaller
network operators. I shouldn't have to do the work for some of
these bigger operators. I shouldn't have to send emails making
them aware that 40 hosts on their /24 are sending out malicious
traffic.

Maybe ARIN staff should start re-writing policies and
implementing punishments. Guarantee you, if operators were
penalized for not following rules, for allowing filth to leave
their networks, I bet you many maladies on the net would be
cut substantially.

Not going to be a popular stance to most of the bigger fish, but
let's get real here: looking at normal everyday life, if a
country were shipping rotten products, don't you think those
in government would call for measures to halt these products,
else no business would occur with said country? Why not
re-write policies to do the same with networks?

I will always point to dampening/flapping on BGP as a baseline...
Company X violates, null route them for a second or two until
they comply. If they still don't listen, double the penalty and
null route them for twice the amount. Once their pockets start
hurting, they'll get a clue. And if their engineers still
don't get it, then management of that company would be fools
to keep their lazy asses around.


--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net

The happiness of society is the end of government.
John Adams




RE: Abuse procedures... Reality Checks

2007-04-11 Thread michael.dillon

 SWIP is a process used by organizations to submit information about
 downstream customers' address space reassignments to ARIN for inclusion
 in the WHOIS database. Its goal is to ensure the effective and efficient
 maintenance of records for IP address space.

Lovely language but it ignores the existence of Rwhois and does not
explain by what standard the effectiveness and efficiency is judged.

 SWIP is intended to:
  * Provide information to identify the organizations utilizing each
    subdelegated IP address block.
  * Provide registration information for each IP address block.
  * Track utilization of allocated IP address blocks to determine if
    additional allocations may be justified.

This clearly omits any mention of network abuse. It doesn't even
directly mention that contact information is supplied or what the
contact info may/should be used for. It is heavily slanted towards a
bureaucratic process for counting addresses to support decision-making
about applications for additional address space.

 Of course, SWIP is an ARIN thing, and you work for BRITISH 
 TELECOMMUNICATIONS PLC.  As a US network operator, 

BT is also a US network operator. And a global network operator and a
global network and security consulting firm. And some other stuff too
like the project to run the entire UK telephone network over IP, 21CN.

 I was well aware of the requirements for SWIP, because ARIN rules make
 it clear that, as a netblock owner of an ARIN allocation, I'm required
 to do it.
 
 Which numbering authority do you work with day to day?

ARIN. I have a long history with ARIN predating the existence of the
organization and I was one of the founding members of the ARIN Advisory
Council. I was not asking a typical dumb question here.

The fact is that nobody really has a clear idea what SWIP is, why it
exists, what it is for. What is the purpose and meaning of SWIP? Why is
it different from RIPE or APNIC? All the answers I have ever seen boil
down to "It's traditional!". And I have spent a lot of effort in trying
to track down older documents to see if there was any more clarity back
in the early days of SWIP and whois, but I failed to find anything other
than some references to budget justifications by early ARPANET managers.

On two occasions I tried to address this by proposing some policy
language to ARIN which would define the purpose and scope of the whois
directory but the members were not interested in messing with tradition.

The fact is that SWIP/whois/rwhois suck badly. Different groups of
people have different ideas of what these things mean and the different
ideas do not match. If I ask a waitress for two eggs over-easy I do not
want to receive a slice of Quiche Lorraine. But in the world of
SWIP/whois/rwhois, this is what we deal with every day.

Network operators have a CRYING need for a database to identify contacts
for dealing with network abuse issues. They try to use the whois
directory for this, but too often it fails them because the people
stuffing the info into the directory are merely following tradition to
make sure that the numbers come up right the next time they apply for
additional IP addresses.

By the way, as a holder of an ARIN netblock allocation, you are *NOT*
required to do SWIP. That is just another myth propagated by the holders
of tradition and net folklore.  Whenever you ask "Why?" and someone
says, "Because you are required to do it.", they are really telling you
not to think. You pointed me to a page written by ARIN staff as
justification for your views about SWIP but you somehow missed the line
which said:

   SWIPs are required for reallocations of /29 and larger if the
   allocation owner does not operate a RWhoIs server.

But, I take it a step further. Why should I believe what ARIN staff have
written and why should I do what they tell me to do? What is their
justification for writing this page? If you look in the ARIN policies it
always uses the term SWIP in the context of efficient utilization. So
why do they publish it in the whois directory? Why do people think that
whois contains valid contact info? Why do people think that whois should
contain contacts who are ready, willing and able to act on network abuse
issues? The only reason people think these things is because it is
traditional net folklore. It was never part of the purpose and scope of
SWIP/whois/Rwhois.

--Michael Dillon



RE: Abuse procedures... Reality Checks

2007-04-11 Thread michael.dillon

 
 Maybe ARIN staff should start re-writing policies and
 implementing punishments. Guarantee you, if operators were
 penalized for not following rules, for allowing filth to leave
 their networks, I bet you many maladies on the net would be
 cut substantially.

Sorry, that's not their job. That is *YOUR* job!
http://lists.arin.net/mailman/listinfo/ppml
Join the list and propose the new policy.

And ARIN will never mete out punishments or act as a police force in any
way because that is not in ARIN's charter. However, it could operate a
whois directory that meets the needs of network operators fighting
abuse, if said network operators would get off their butts, agree on a
policy describing such a whois directory, and propose it to ARIN.

It's like a lot of those people who complain about the Bush
administration. If you asked them whether they voted Democrat in the
last election, they often say no, they didn't vote at all. Well, you not
only get what you vote for, but you also get what you don't vote
against. Network operators who don't participate in ARIN policy
development don't deserve to complain about anything ARIN-related.

--Michael Dillon


Re: Abuse procedures... Reality Checks

2007-04-11 Thread Valdis Kletnieks
On Wed, 11 Apr 2007 07:07:19 EDT, J. Oquendo said:
 these so called rules? Many network operators are required to
 do a lot of things, one of these things should be the
 mitigation of malicious traffic from LEAVING their network.

And I want a pony.

We don't even do a (near) universal job of filtering rfc1918 addresses
and spoofed addresses.  We aren't filtering obvious bogon packets, how
do you propose we filter less obvious malicious traffic (is that SYN
packet legit, or part of a DDOS, or just a slashdotting of a suddenly
popular site?).





Re: Abuse procedures... Reality Checks

2007-04-11 Thread J. Oquendo

[EMAIL PROTECTED] wrote:


On Wed, 11 Apr 2007 07:07:19 EDT, J. Oquendo said:
  

these so called rules? Many network operators are required to
do a lot of things, one of these things should be the
mitigation of malicious traffic from LEAVING their network.



And I want a pony.

We don't even do a (near) universal job of filtering rfc1918 addresses
and spoofed addresses.  We aren't filtering obvious bogon packets, how
do you propose we filter less obvious malicious traffic (is that SYN
packet legit, or part of a DDOS, or just a slashdotting of a suddenly
popular site?).


  

When you say "we", speak for yourself and your own networks. There ARE some
people who do take the time to properly design their networks. It is the
same "Well, since Billy didn't do it, neither will I" attitude that makes
me never think twice about blocking CIDRs.

Since 'THEY' (your WE) didn't properly configure their network, why
should I think twice about letting it into my backyard? I guess it's calling
for too much for network operators to actually do their work though, and I
guess considering IPv6 is like how many years away now, I can expect that
much of a wait for people to implement what should have been done from the
onset.

I don't care how filtering gets done by someone else. Like I said, if I
can watch and control what comes out of my networks using raw tools on
*nix machines, you cannot with a straight face/typing method tell me that
someone at one of these big providers can't clue themselves in to getting
malicious traffic controlled.

Should someone want to comment about "oh golly, the cost is outrageous"
I say bs... It's utter laziness from my eyes. So here I go politely
pointing it out... If I can do it with a couple of thousand machines on
my VERY OWN, not a team, not a department but me, in a matter of
minutes, situate my network to not send out crap, then why can't these
companies? I'd like to hear something logical, not someone's opinion.
Something like "According to ARIN/IEEE specifications of foobarfoo,
operators are not allowed to view traffic entering or leaving their
networks, which hinders this." There is no reason I could think of,
no scenario I could imagine, that would prohibit network operators
from putting the nail in the coffin with stuff LEAVING THEIR NETS.

Note the word LEAVING now. If it doesn't leave, you wouldn't have
complaints from some other operator now, would you?



--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net 


The happiness of society is the end of government.
John Adams



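The egress check Valdis and J. Oquendo are arguing about, as an added example (not code from either poster): before a packet leaves the operator's network, drop it if its source is RFC 1918 or other never-routed space, or is not one of the prefixes the operator actually originates (i.e. spoofed). The prefix lists and the iptables rendering are constructed assumptions; a production bogon list is longer than the one here.

```python
"""Egress (source-address) filter for traffic leaving an operator's network.

Added example, not any poster's code. OWN_PREFIXES stand in for what the
operator announces (RFC 5737 documentation ranges are used as constructed
stand-ins); NEVER_ROUTE is a deliberately short bogon list.
"""
import ipaddress

# Prefixes this operator originates (constructed).
OWN_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]

# Sources that must never leave an AS: "this" network, RFC 1918, loopback,
# link-local, multicast, reserved. A real deployment uses a maintained list.
NEVER_ROUTE = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def egress_verdict(src_ip):
    """Classify an outbound packet by its source address.

    Returns 'forward', 'drop-bogon' (never-routed source) or
    'drop-spoofed' (a source this operator does not originate).
    """
    src = ipaddress.ip_address(src_ip)
    if any(src in net for net in NEVER_ROUTE):
        return "drop-bogon"
    if not any(src in net for net in OWN_PREFIXES):
        return "drop-spoofed"
    return "forward"


def filter_packets(packets):
    """Apply the verdict to (src, dst) pairs.

    Returns the forwarded pairs and a count per drop reason, which is what
    you would feed to a counter/log to see how much junk was about to leave.
    """
    forwarded, dropped = [], {}
    for src, dst in packets:
        verdict = egress_verdict(src)
        if verdict == "forward":
            forwarded.append((src, dst))
        else:
            dropped[verdict] = dropped.get(verdict, 0) + 1
    return forwarded, dropped


def render_acl(iface="eth0"):
    """Render the same policy as iptables rules on an assumed Linux border box.

    Order: drop never-routed sources, accept own prefixes, drop the rest.
    """
    rules = [f"iptables -A FORWARD -o {iface} -s {n} -j DROP" for n in NEVER_ROUTE]
    rules += [f"iptables -A FORWARD -o {iface} -s {n} -j ACCEPT" for n in OWN_PREFIXES]
    rules.append(f"iptables -A FORWARD -o {iface} -j DROP")  # anything else is spoofed
    return rules


if __name__ == "__main__":
    print("\n".join(render_acl()))
```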


Re: Abuse procedures... Reality Checks

2007-04-11 Thread Warren Kumari



On Apr 11, 2007, at 11:28 AM, J. Oquendo wrote:


[EMAIL PROTECTED] wrote:


On Wed, 11 Apr 2007 07:07:19 EDT, J. Oquendo said:


these so called rules? Many network operators are required to
do a lot of things, one of these things should be the
mitigation of malicious traffic from LEAVING their network.



And I want a pony.

We don't even do a (near) universal job of filtering rfc1918 addresses
and spoofed addresses.  We aren't filtering obvious bogon packets, how

do you propose we filter less obvious malicious traffic (is that SYN
packet legit, or part of a DDOS, or just a slashdotting of a suddenly
popular site?).




When you say "we", speak for yourself and your own networks. There ARE
some people who do take the time to properly design their networks.


And I would suggest that Valdis is one of them

From my reading of his message I understood that:
A: Some people filter bad stuff.
B: Some people don't.

I don't think that it is unreasonable that he used "we" to include  
all network engineers -- we as a community does include A and B.



It is the same "Well, since Billy didn't do it, neither will I" attitude
that makes me never think twice about blocking CIDRs.


So, I have always wondered -- how do your customers really react when  
they can no longer reach www.example.com, a site hosted a few IPs  
away from www.badevilphisher.net? And do you really think that you  
blocking them is going to make example.com contact their provider to  
get things fixed?




Since 'THEY' (your WE) didn't properly configure their network, why
should I think twice about letting it into my backyard? I guess it's
calling for too much for network operators to actually do their work though


Have you considered that being a little politer and not insulting  
everyone on the list might be a more constructive way of getting your  
point across -- if I were to call you a big, fat, doodoo head you  
would probably be less receptive than if I didn't...



and I guess considering IPv6 is like how many years away now, I can
expect that much of a wait for people to implement what should have
been done from the onset.

I don't care how filtering gets done by someone else. Like I said, if I
can watch and control what comes out of my networks using raw tools on
*nix machines, you cannot with a straight face/typing method tell me
that someone at one of these big providers can't clue themselves in to
getting malicious traffic controlled.

Should someone want to comment about "oh golly, the cost is outrageous"
I say bs... It's utter laziness from my eyes. So here I go politely
pointing it out... If I can do it with a couple of thousand machines on
my VERY OWN, not a team, not a department but me, in a matter of
minutes, situate my network to not send out crap, then why can't these
companies?


Yes, it is great that you are doing your bit to help keep the net  
clean. Congratulations and thank you. Perhaps you could write a nice,  
simple, friendly guide explaining how you ensure that your network is  
never the source of malicious traffic? And how this can be scaled up  
to work in a large, backbone network where? Perhaps you could  
politely contact those who are not doing their bit and, in a helpful  
manner, explain how they could improve -- educating and encouraging  
change in those who are not doing their bit is much more likely to  
make things better than screaming "You suck, I'm not going to accept  
your packets, nah nah nah."




I'd like to hear something logical, not someone's opinion.
Something like "According to ARIN/IEEE specifications of foobarfoo,
operators are not allowed to view traffic entering or leaving their
networks, which hinders this." There is no reason I could think of,
no scenario I could imagine, that would prohibit network operators
from putting the nail in the coffin with stuff LEAVING THEIR NETS.

Note the word LEAVING now. If it doesn't leave, you wouldn't have
complaints from some other operator now, would you?



--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net
The happiness of society is the end of government.
John Adams




I suspect that I should have just stayed out of this thread
W
--
Go on, prove me wrong. Destroy the fabric of the universe. See if I  
care.  -- Terry Pratchett





Re: Abuse procedures... Reality Checks

2007-04-11 Thread J. Oquendo

Warren Kumari wrote:


So, I have always wondered -- how do your customers really react when 
they can no longer reach www.example.com, a site hosted a few IPs away 
from www.badevilphisher.net? And do you really think that you blocking 
them is going to make example.com contact their provider to get things 
fixed?



You confused two things.

1) I do my best to stop malicious traffic from leaving my network. With
this said, if someone cannot get out somewhere, they're obviously going
to get in touch with me as to why. Once this is done, it is explained
to them that either their machine, or a machine on their network was
doing something fuzzy therefore they were blocked. Most are actually
thankful that it was pointed out to them as opposed to having to wait
for Security Company X to update its virus/spamware definitions.

2) I do not block getting TO company X at first signs of garbage coming
into my network from them. I've always contacted someone to some degree,
so don't misconstrue my actions as "I block the first packets I see."
On the contrary, I only block CIDRs after about 3 attempts at getting
someone to assess their network. After that, I begin with services.
This is my network so this is how it pans out... Spam? A CIDR to my
email ports is blocked. SSH brute forcing, etc.? Those ports are
blocked. Network who's blocked on ports continues? Everything is then
blocked.



Have you considered that being a little politer and not insulting 
everyone on the list might be a more constructive way of getting your 
point across -- if I were to call you a big, fat, doodoo head you 
would probably be less receptive than if I didn't...



What does being polite and matter-of-fact have to do with
administrators cleaning up their networks? Should I beg an
administrator of some network to be polite and not refer me to their
generic abuse desk who'll do nothing about the issue?

I actually am a little too polite in the fact that 1) I'm doing
network operators a favor pointing them out to rogue hosts on
THEIR networks, not mine. If they want to continue hosting said
rogue idiots, their problem. I won't be allowing it into my range.
If you knew me personally, or have dealt with me, I can guarantee
you within minutes of you contacting me for something I would be
on it. I, as an admin/engineer, whatever you want to call me, would
want to make sure that nothing internal to me is affecting anyone
else since it is likely to make things more difficult for me if
left unchecked.

So on issues of politeness, I am being polite contacting people.
I'm being double polite posting evil-doing networks on my personal
site so others can be aware that "These networks are infected.
Here are their hosts if you want to block them." I do this on my
own spare time, my own expense, and my own filtering of the
denials of service that ensue when some botnet reject sees me
post a percentage of his botnet. So please don't take my messages as
anything other than "Hey... When is someone going to deal with
this?" frustration targeted at those with the power to actually do
something about it instead of waiting for someone else to take
the first move.

Analogy: You live in a house and sweep your property. Your
neighbors don't. Would you stop sweeping your house? Would you
keep your house dirty simply because the majority around you
do? I'm sure if you convinced the most visible neighbor to
make a change, the others would follow suit. Heck in some
areas those neighbors who didn't comply would face fines
after some point. Why not bring this chain of thought to a
network you maintain/manage.

As for documentation on this... There is PLENTY of it. Why should
I write another document no one would follow? If some can't follow
normal standards set by governmental bodies (for lack of better
terms), what makes you think someone would say "Gee... That
Oquendo sure wrote a nice document... Let me follow it"? How
about following standards and using good old fashioned common
sense.

--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net 


The happiness of society is the end of government.
John Adams





Re: Abuse procedures... Reality Checks

2007-04-11 Thread Scott Weeks




: if someone cannot get out somewhere, they're obviously 
: going to get in touch with me as to why. Once this is 
: done, it is explained

: I've always contacted someone

: after about 3 attempts at getting someone to assess 
: their network


I know from experience this doesn't scale into the hundreds of thousands of 
customers and can only imagine the big ass eyeball network's scalability 
issues...

scott



--- [EMAIL PROTECTED] wrote:

From: J. Oquendo [EMAIL PROTECTED]
To: nanog@merit.edu
Cc: Warren Kumari [EMAIL PROTECTED]
Subject: Re: Abuse procedures... Reality Checks
Date: Wed, 11 Apr 2007 13:49:40 -0400

Warren Kumari wrote:

 So, I have always wondered -- how do you customers really react when 
 they can no longer reach www.example.com, a site hosted a few IPs away 
 from www.badevilphisher.net? And do you really think that you blocking 
 them is going to make example.com contact their provider to get things 
 fixed?

You confused two things.

1) I do my best to stop malicious traffic from leaving my network. With
this said, if someone cannot get out somewhere, they're obviously going
to get in touch with me as to why. Once this is done, it is explained
to them that either their machine, or a machine on their network, was
doing something fuzzy, therefore they were blocked. Most are actually
thankful that it was pointed out to them as opposed to having to wait
for Security Company X to update its virus/spamware definitions.

2) I do not block getting TO company X at first signs of garbage coming
into my network from them. I've always contacted someone to some degree,
so don't misconstrue my actions as "I block the first packets I see."
On the contrary, I only block CIDRs after about 3 attempts at getting
someone to assess their network. After that, I begin with services.
This is my network so this is how it pans out... Spam? That CIDR's
access to my email ports is blocked. SSH brute forcing, etc.? Those ports are
blocked. If a network that's blocked on ports continues, everything is then
blocked.


 Have you considered that being a little politer and not insulting 
 everyone on the list might be a more constructive way of getting your 
 point across -- if I were to call you a big, fat, doodoo head you 
 would probably be less receptive than if I didn't...

What does being polite and matter-of-fact have to do with
administrators cleaning up their networks? Should I beg an
administrator of some network to be polite and not refer me to their
generic abuse desk who'll do nothing about the issue?

I actually am a little too polite in the fact that 1) I'm doing
network operators a favor pointing out to them rogue hosts on
THEIR networks, not mine. If they want to continue hosting said
rogue idiots, that's their problem. I won't be allowing it into my range.
If you knew me personally, or have dealt with me, I can guarantee
you that within minutes of your contacting me about something I would be
on it. I, as an admin/engineer or whatever you want to call me, would
want to make sure that nothing internal to me is affecting anyone
else, since it is likely to make things more difficult for me if
left unchecked.

So on issues of politeness, I am being polite contacting people.
I'm being doubly polite posting evil-doing networks on my personal
site so others can be aware: "These networks are infected.
Here are their hosts if you want to block them." I do this in my
own spare time, at my own expense, and with my own filtering of the
denials of service that ensue when some botnet reject sees me
post a percentage of his botnet. So please don't take my messages as
anything other than "Hey... When is someone going to deal with
this?" frustration targeted at those with the power to actually do
something about it instead of waiting for someone else to make
the first move.

Analogy: You live in a house and sweep your property. Your
neighbors don't. Would you stop sweeping your house? Would you
keep your house dirty simply because the majority around you
do? I'm sure if you convinced the most visible neighbor to
make a change, the others would follow suit. Heck in some
areas those neighbors who didn't comply would face fines
after some point. Why not bring this chain of thought to a
network you maintain/manage.

As for documentation on this... There is PLENTY of it. Why should
I write another document no one would follow? If some can't follow
normal standards set by governmental bodies (for lack of better
terms), what makes you think someone would say "Gee... That
Oquendo sure wrote a nice document... Let me follow it"? How
about following standards and using good old fashioned common
sense.

-- 

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net 

The happiness of society is the end of government.
John Adams





Re: Abuse procedures... Reality Checks

2007-04-11 Thread Warren Kumari



On Apr 11, 2007, at 2:53 PM, Scott Weeks wrote:






: if someone cannot get out somewhere, they're obviously
: going to get in touch with me as to why. Once this is
: done, it is explained

: I've always contacted someone

: after about 3 attempts at getting someone to assess
: their network


I know from experience this doesn't scale into the hundreds of  
thousands of customers and can only imagine the big ass eyeball  
network's scalability issues...


scott



Hear hear...

Scaling process and procedures is often as hard or harder than  
scaling technical things...


Unfortunately, the lesson that scaling either is hard is only really  
something that one can learn through experience -- I  know that I for  
one used to believe (as I would bet did most of us) that you could  
scale just by buying a bigger X, where X could be a router, circuit,  
etc. If that didn't work you could always just buy another X (or a  
bunch more Xs) -- this strategy works up to a point, after which it  
all goes pear-shaped.  Until you have experienced this firsthand it  
is hard to truly understand.


The same thing happens with things like abuse -- it is easy to deal  
with abuse on a small scale. It is somewhat harder on a medium scale  
and harder still on a large scale -- the progression from small to  
medium to large is close to linear. At some point though the  
difficulty suddenly hockey-sticks and becomes distinctly non-trivial  
-- this doesn't mean that it is impossible, nor that you should give  
up, but rather that a different approach is needed.  Understanding  
this is harder than understanding why you cannot grow your network  
just by buying more X.


W






Re: Abuse procedures... Reality Checks

2007-04-11 Thread Douglas Otis



On Apr 11, 2007, at 10:32 AM, Warren Kumari wrote:

Perhaps you could write a nice, simple, friendly guide explaining  
how you ensure that your network is never the source of malicious  
traffic?


Identify your ownership, and ensure contact information is accurate  
and well attended.  Inconsiderate anonymous behavior is a typical  
failing, where there is no excuse for remaining ignorant of abusive  
activity.


-Doug





Re: Abuse procedures... Reality Checks

2007-04-11 Thread Rich Kulawiec

On Tue, Apr 10, 2007 at 07:44:59AM -0500, Frank Bulk wrote:
 Comcast is known to emit lots of abuse -- are you blocking all their
 networks today?

All?  No.  But I shouldn't find it necessary to block ANY, and wouldn't,
if Comcast wasn't so appallingly negligent.

(I'm blocking huge swaths of Comcast space from port 25.  This shouldn't
really surprise anyone; Comcast runs what may well be the most prolific
spam-spewing network in the world.  I saw attempts from 80,000+ distinct
IP addresses during January 2007 alone -- to a *test* mail server.
I should have seen zero.  The mitigation techniques for making that
happen are well-known, have been well-known for years, and can be
implemented easily by any competent organization.)

This, by the way, should not be taken as indicative of either what
I've done in the past or may do in the future.   Nor should it be
taken as indicative of what decisions I've made in re other networks.

---Rsk


Re: Abuse procedures... Reality Checks

2007-04-11 Thread Rich Kulawiec

On Wed, Apr 11, 2007 at 03:44:01PM -0400, Warren Kumari wrote:
 The same thing happens with things like abuse -- it is easy to deal  
 with abuse on a small scale. It is somewhat harder on a medium scale  
 and harder still on a large scale -- the progression from small to  
 medium to large is close to linear. 

First, I don't buy this.  I think dealing with abuse is *much*
easier for large operations than small.

But suppose you're right.  Let me concede that point for the purpose
of making my second point (and generic you throughout, BTW):

Second, I don't really care how hard it is.   It's YOUR network, YOU
built it, YOU plugged it into our Internet: therefore, however hard
it is, it's YOUR problem.  Fix it.

Or if you choose not to: at least stop whining about how much you
don't like the way in which other people try to partially compensate
for YOUR failure.

---Rsk


RE: Abuse procedures... Reality Checks

2007-04-11 Thread michael.dillon

 As for documentation on this... There is PLENTY of it. Why should
 I write another document no one would follow. 

Because you might be a better writer than those other folks. You might
be able to present the right balance of technical detail and policy
goals to be understood by a larger number of people.

People often ask me to advise them which book they should buy to learn
language X fast. X being French or Russian or German etc. I always give
the same advice. Go to a good bookstore that stocks a large choice of
books in your chosen language. In some cities that means the local
university bookshop, in others there may even be a specialist bookshop
that sells just language books. The important thing is that you go and
look at several different books, compare them to one another and FIND
THE ONE WHOSE AUTHOR SPEAKS TO YOU. Find the writer whose writing
matches your way of thinking. Other than that, buy one dictionary that
you can carry with you all day long, one beginners book, and one graded
reader to start. Every 6 months, go back to this (or another) shop and
look over the selection again because you may have advanced to the point
where additional books/CDs will help. And always avoid beginners books
which do not use the native alphabet of the language you are learning, a
particular problem with Japanese.

In the masses of content that is indexed by Google, we need MORE
variety, not less. Please do try to write something if you can.

--Michael Dillon


RE: Abuse procedures... Reality Checks

2007-04-11 Thread michael.dillon

  I know from experience this doesn't scale into the hundreds of  
  thousands of customers and can only imagine the big ass eyeball  
  network's scalability issues...

 Hear hear...
 
 Scaling process and procedures is often as hard or harder than  
 scaling technical things...

It's true. But the big networks hire people who understand scaling
issues and know how to make things work. It's not up to us to solve
their scaling problem. If you can define a mechanism that will work on
smaller networks to achieve a goal, and if that goal is worthwhile
achieving, then the big networks will get their scalability networks to
scale it up. There is a similar problem in chemicals where researchers
create new compounds in the laboratory and then hand the details over to
scaling experts who know how to change the process to work on the scale
of a factory. And it's not unusual to see chemical factories that are
acres in size.


 The same thing happens with things like abuse -- it is easy to deal  
 with abuse on a small scale. It is somewhat harder on a medium scale  
 and harder still on a large scale -- the progression from small to  
 medium to large is close to linear. At some point though the  
 difficulty suddenly hockey-sticks and becomes distinctly non-trivial  
 -- this doesn't mean that it is impossible, nor that you should give  
 up, but rather that a different approach is needed.  Understanding  
 this is harder than understanding why you cannot grow your network  
 just by buying more X.

Yes this is true. But the people who find different approaches need to
see how the smaller networks solve a problem. Their skill is not in
finding solutions to abuse, but in figuring out how to restructure an
abuse solution to work on a huge scale.

--Michael Dillon


Re: Abuse procedures... Reality Checks

2007-04-11 Thread Scott Weeks



--- [EMAIL PROTECTED] wrote:
On Wed, Apr 11, 2007 at 03:44:01PM -0400, Warren Kumari wrote:

 The same thing happens with things like abuse -- it is easy to deal  
 with abuse on a small scale. It is somewhat harder on a medium scale  
 and harder still on a large scale -- the progression from small to  
 medium to large is close to linear. 

: First, I don't buy this.  I think dealing with abuse is *much*
: easier for large operations than small.

The original email I sent was about *how* you deal with it.  J. Oquendo 
vociferously defended his position when he finally got around to saying, "...if 
someone cannot get out somewhere, they're obviously going to get in touch with 
me as to why. Once this is done, it is explained [...] I've always contacted 
someone [...] after about 3 attempts at getting someone to assess their 
network..."

I said this doesn't scale even to hundreds of thousands of customers much less 
higher numbers.  There are definitely scaling issues with this method of 
dealing with abuse.   You can't just hire more phone monkeys linearly to the 
number of customers you have. 

snip

: Second, I don't really care how hard it is.   It's YOUR network, YOU
: built it, YOU plugged it into our Internet: therefore, however hard
: it is, it's YOUR problem.  Fix it.

Not always.  I have inherited various networks over the years that were already 
built by folks that didn't care.  You do the best you can to get it to as good 
a network as possible, but you never completely reach the goal of good.  

Additionally, upper management gives or takes away manpower many times without 
the understanding of what 'should' be done to be a good netizen and this 
defines how much effort can be spent on fixing the problems. The only thing 
a person can really do is quit and move on.  That's not always an option.  
There're very few interesting-to-operate networks here in Hawaii.  So, you 
focus on the top priorities: keeping the current customers and getting more by 
operating the network in as efficient a manner as possible.  Myself, I work 
outside business hours to try to be a good guy, fix stuff and serve the 
Hawaiian community in an altruistic manner, but there's only so much stuff one 
person can do.

snip

scott


RE: Abuse procedures... Reality Checks

2007-04-11 Thread Frank Bulk

It truly is a wonder that Comcast doesn't apply DOCSIS config file filters
on their consumer accounts, leaving just the IPs of their email servers
open.  Yes, it would take an education campaign on their part for all the
consumers that do use alternate SMTP servers, but imagine how much work it
would save their abuse department in the long run.

Frank





RE: Abuse procedures... Reality Checks

2007-04-10 Thread michael.dillon

 I have to disagree.  SWIP is not meaningless.  
 
 In my company some functions related to sending a SWIP are 
 automated, but my company has people on staff who know that 
 it is happening and what it means.
 
 And I talk with plenty of other companies that fall into the 
 same boat.  
 
 In short I find this one comment below to be argumentative and 
 full of conjecture.

No more argumentative and full of conjecture than your posting. I said
that there were SOME companies where SWIP is just a mysterious automated
process and nobody on staff fully understands the meaning of it, beyond
the fact that it needs to be done to help get approval for that next
allocation request.

The fact that SOME companies do have a process for managing SWIP as they
understand it, does not mean that there are no delinquents.

I also find it curious that you claim to have people on staff at your
company who know what SWIP means. Perhaps you could ask them to share
that information with us since I have never seen this documented
anywhere. Do they really know what you claim they know?

--Michael Dillon


Re: Abuse procedures... Reality Checks

2007-04-10 Thread Rich Kulawiec

On Sat, Apr 07, 2007 at 09:50:34PM +, Fergie wrote:
 I would have to respectfully disagree with you. When network
 operators do due diligence and SWIP their sub-allocations, they
 (the sub-allocations) should be authoritative in regards to things
 like RBLs.

After thinking it over: I partly-to-mostly agree.  In principle, yes.
In practice, however, [some] negligent network operators have built
such long and pervasive track records of large-scale abuse that their
allocations can be classified into two categories:

1. Those that have emitted lots of abuse.
2. Those that are going to emit lots of abuse.

In such cases, I'm not inclined to wait for (2) to become reality.

---Rsk



Re: Abuse procedures... Reality Checks

2007-04-10 Thread Rich Kulawiec

On Sat, Apr 07, 2007 at 04:20:59PM -0500, Frank Bulk wrote:
 Define network operator: the AS holder for that space or the operator of
 that smaller-than-slash-24 sub-block?  If the problem consistently comes
 from /29 why not just leave the block in and be done with it?  

Because experience...long, bitter experience...strongly indicates that
what happens today often merely presages what will happen tomorrow.

Because I haven't got unlimited time.  Or money.  Or resources.

Because I haven't got unlimited WHOIS queries.  (Although I and everyone
else *should* have those.  There are no valid reasons to rate-limit any
form of WHOIS query.)

Because there are way, WAY too many incompetently-managed networks whose
operators can often be heard complaining about the abuse inbound to them
at the same time they fail to take rudimentary measures to control the
abuse outbound from them.  cough port 25 blocking cough

Because I was more patient for the first decade or two, and it proved
to be a losing strategy.

Because This Is Not My Problem.  If by chance someone benign has chosen
to locate their operation in known-hostile, known-negligently-operated
network space, then their failure to perform due diligence may have
consequences for them.

 I guess this begs the question: Is it best to block with a /32, /24, or some
 other range?  Sounds a lot like throwing something against the wall and
 seeing what sticks.  Or vigilantism.

1. Gratuitously labeling carefully-considered measures as random is not a
route to productive conversation.

2. It is hardly vigilantism to take passive measures to protect one's
network/systems/users from hostile activity.  Doubly so when those measures
consist merely of a refusal to grant a *privilege* after it's been repeatedly,
systemically abused.

---Rsk


RE: Abuse procedures... Reality Checks

2007-04-10 Thread Frank Bulk

Comcast is known to emit lots of abuse -- are you blocking all their
networks today?

Frank 






RE: Abuse procedures... Reality Checks

2007-04-10 Thread michael.dillon

 Because I haven't got unlimited WHOIS queries.  (Although I 
 and everyone
 else *should* have those.  There are no valid reasons to 
 rate-limit any
 form of WHOIS query.)

Yes there are. The current whois returns way more information on a query
than you need for network operations. That's because the current whois
was designed back in the 1970's so that ARPANET network managers could
identify all the users of the network in order to help them make the
business case for their budget requests to cover the cost of high-speed
56k frame relay links.

There is no good reason to rate-limit a query that takes an IP address
(or IP address range or CIDR block) and returns with a list of database
record identifiers for the enclosing blocks. The record identifiers for
organizations who directly received an allocation or assignment from
ARIN would be their org-id. The other ones, SWIP records, would have
some fixed database key like REASG200622812536. If no
REASsiGnment record exists, you now have the orgid to contact and have
no need to do an additional query if they are a known organization. If
the REASiGnment records do exist, you can look them up in your own
database to see if they are a re-offender. And if you really need to,
then you can do a RATE-LIMITED lookup of contact info.

One type of query is justifiably rate limited to prevent DB scraping by
spammers et al. The other type is not, however it does not currently
exist because the RIR whois directory was not created for network
operations support nor is it designed to do this job. You can hack
together all kinds of mashups that sort of work if you squint the right
way, but the bottom-line is that whois does not do the job that many
network operators think it does or would like it to do.

 Because This Is Not My Problem.  If by chance someone benign 
 has chosen
 to locate their operation in known-hostile, known-negligently-operated
 network space, then their failure to perform due diligence may have
 consequences for them.

It would be interesting if you, and other like-minded hard-nosed network
admins would get together and write a requirements document for a whois
type directory lookup that would actually support you in what you are
trying to do while minimizing collateral damage. The only caveat is that
it must be legal to implement in the USA, i.e. you will never get GPS
coordinates and a photo of the registrant in such a system. 

In my opinion, the purpose and scope of such a directory is to provide
contact info for people who are ready, willing and able to communicate
regarding network operations and interconnect issues and who are able to
act on that communication. All contact info should be verified with the
contactee who must EXPLICITLY agree to have the info published. All
contact info will be verified periodically (maybe every 4 months?) by
out-of-band means, i.e. the directory operator will keep track of
individual email addresses and phone numbers for role account managers. 

If such a directory did exist, then it would be smaller than whois. You
would get many more failures on a quick query which is a good thing. It
means that the network operator did not make it a contractual
requirement for their customer to maintain an up-to-date network
contact. In that case, the network operator is not just morally
responsible for abuse, they are contractually responsible.

Or maybe you could come up with something better?

 1. Gratuitously labeling carefully-considered measures as 
 random is not a
 route to productive conversation.

Agreed. I think a lot of the problem stems from assumptions. People make
a lot of assumptions on what whois does based on the net folklore that
was handed down to them when they joined the Internet. Few people seem
to question such folklore and few people notice that not everybody
shares the same understanding. However, it is a lot easier for people to
notice that your carefully-considered measures look a lot like a
crude weapon that causes lots of collateral damage. They feel that you
could do better and attack you rather than attacking their own
assumptions which are the real root of the problem. If you had better
data to work with, then your carefully-considered measures would evolve
to appear as highly sophisticated wisdom, and would also cause little
collateral damage.

--Michael Dillon
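
The two-tier lookup sketched above, as an added example that is not part of the thread and not any RIR's software: an unlimited tier that maps an address or CIDR to the record identifiers of its enclosing blocks (org-id plus any REASG keys), the local re-offender check against the operator's own database, and a separate contact tier that alone is rate limited. The org-ids, REASG keys, RFC 5737 documentation networks and contacts are constructed sample data, and a fixed per-caller query budget stands in for a real rate limiter.

```python
"""Toy model of the two-tier directory lookup proposed above.

Tier 1 (not rate limited): an IP or CIDR maps to the record identifiers of
every enclosing block: the org-id of the direct allocation plus the keys of
any SWIP reassignment (REASG...) records. No contact data is returned, so
there is nothing for a scraper to harvest.

Tier 2 (rate limited): a record identifier maps to contact information.

All org-ids, REASG keys, networks (RFC 5737 documentation ranges) and
contacts below are constructed sample data, not real registry entries.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Record:
    key: str                       # org-id (direct allocation) or REASG key (SWIP)
    network: ipaddress.IPv4Network
    contact: str                   # reachable only through the rate-limited tier


# Constructed sample registry.
REGISTRY: List[Record] = [
    Record("ORG-EXAMPLE-1", ipaddress.ip_network("198.51.100.0/24"), "noc@org-example-1.invalid"),
    Record("REASG-000001", ipaddress.ip_network("198.51.100.0/25"), "abuse@customer-a.invalid"),
    Record("REASG-000002", ipaddress.ip_network("198.51.100.64/27"), "abuse@customer-b.invalid"),
    Record("ORG-EXAMPLE-2", ipaddress.ip_network("203.0.113.0/24"), "noc@org-example-2.invalid"),
]


def enclosing_records(query: str) -> List[str]:
    """Tier 1: keys of every registered block enclosing `query`, widest first.

    `query` may be a single address or a CIDR block; host bits are allowed.
    """
    target = ipaddress.ip_network(query, strict=False)
    hits = [r for r in REGISTRY if target.subnet_of(r.network)]
    hits.sort(key=lambda r: r.network.prefixlen)
    return [r.key for r in hits]


def triage(query: str, local_history: Dict[str, int]) -> Dict[str, object]:
    """Decide what to do with an abuse source using only tier-1 data.

    Follows the post's logic: with no REASG record the org-id is the party
    to contact; with REASG records, consult the operator's own database of
    prior incidents before spending a rate-limited contact query.
    """
    keys = enclosing_records(query)
    if not keys:
        return {"keys": [], "responsible": None, "action": "no-record", "prior_incidents": 0}
    reassignments = [k for k in keys if k.startswith("REASG-")]
    if not reassignments:
        org = keys[-1]
        return {"keys": keys, "responsible": org, "action": "contact-org",
                "prior_incidents": local_history.get(org, 0)}
    responsible = reassignments[-1]           # most specific reassignment
    prior = local_history.get(responsible, 0)
    return {"keys": keys, "responsible": responsible,
            "action": "repeat-offender" if prior else "first-seen",
            "prior_incidents": prior}


class RateLimited(Exception):
    """Raised when the caller's contact-lookup budget is exhausted."""


class ContactDirectory:
    """Tier 2: contact lookup behind a per-caller query budget.

    A fixed budget stands in for a real rate limiter so the behaviour is
    deterministic; the point is that only this tier is limited.
    """

    def __init__(self, budget: int = 3) -> None:
        self.remaining = budget

    def contact(self, key: str) -> str:
        if self.remaining <= 0:
            raise RateLimited(f"contact lookup budget exhausted (key {key})")
        self.remaining -= 1
        for r in REGISTRY:
            if r.key == key:
                return r.contact
        raise KeyError(key)


if __name__ == "__main__":
    history = {"REASG-000002": 3}   # constructed: three earlier incidents logged locally
    for q in ("198.51.100.70", "198.51.100.200", "192.0.2.1"):
        print(q, triage(q, history))
    directory = ContactDirectory(budget=1)
    print(directory.contact("REASG-000002"))
    try:
        directory.contact("ORG-EXAMPLE-1")
    except RateLimited as exc:
        print("second contact lookup refused:", exc)
```

Only the second call into `ContactDirectory` is refused; the tier-1 queries and the local history check cost nothing, which is the asymmetry the post argues for.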


Re: Abuse procedures... Reality Checks

2007-04-10 Thread Joseph S D Yao

On Tue, Apr 10, 2007 at 03:11:31PM +0100, [EMAIL PROTECTED] wrote:
...
 Yes there are. The current whois returns way more information on a query
 than you need for network operations. That's because the current whois
 was designed back in the 1970's so that ARPANET network managers could
 identify all the users of the network in order to help them make the
 business case for their budget requests to cover the cost of high-speed
 56k frame relay links.


Mike, that's twice in two days that you've made that assertion.  I don't
remember any financial administrator in those days that would have
accepted WHOIS output as justification for anything.  I do remember,
however, that those high-speed 9600 baud and 56Kb links were point-to-
point and went down a lot.  And so what I remember the WHOIS entries
being used for was:


...
 In my opinion, the purpose and scope of such a directory is to provide
 contact info for people who are ready, willing and able to communicate
 regarding network operations and interconnect issues and who are able to
 act on that communication. All contact info should be verified with the
 contactee who must EXPLICITLY agree to have the info published. All
 contact info will be verified periodically (maybe every 4 months?) by
 out-of-band means, i.e. the directory operator will keep track of
 individual email addresses and phone numbers for role account managers. 
...


so that we could contact the person at the other end who was responsible
for and knowledgeable of their side of the network connection, to fix it.
At o-dark-thirty, if necessary.

Unfortunately, the way WHOIS is maintained these days, this can no
longer be trusted.

Note: at the time, I was a bit younger and did not often encounter
financial managers, so it's possible some might have accepted WHOIS
output.  But most people thought computers were some weird thing out
THERE [point in random direction], and would sooner have accepted a
hand-written note than one printed on a TTY33 or chain printer.


-- 
Joe Yao
Analex Contractor


Re: Abuse procedures... Reality Checks

2007-04-10 Thread Joseph S D Yao

On Tue, Apr 10, 2007 at 10:30:32AM +0100, [EMAIL PROTECTED] wrote:
...
 I also find it curious that you claim to have people on staff at your
 company who know what SWIP means. Perhaps you could ask them to share
 that information with us since I have never seen this documented
 anywhere. Do they really know what you claim they know?
...


http://www.swip.com/: Scottish Widows Investment Partnership
http://www.uh.edu/~cfreelan/SWIP/: Society for Women in Philosophy
http://www.sat-tel.com/Swip.html: Shared WHOIS Project
http://www.swip.net/: The Swedish IP Network

Note that there are far more entries for chapters of SWIP #2 than for
any others.  But one may assume that you refer to SWIP #3.

Definitions on the Web found by Google do vary slightly.  The referenced
InterNIC policy appears to no longer be available on the InterNIC Web
site.  However,
http://www.arin.net/registration/guidelines/report_reassign.html
will do.

There seem to have been more proposals on how to produce a better WHOIS
than one can assume in a reasonable amount of time.  ;-]


-- 
Joe Yao
Analex Contractor


Re: Abuse procedures... Reality Checks

2007-04-10 Thread Stephen Satchell


[EMAIL PROTECTED] wrote:


I also find it curious that you claim to have people on staff at your
company who know what SWIP means. Perhaps you could ask them to share
that information with us since I have never seen this documented
anywhere. Do they really know what you claim they know?

--Michael Dillon



Google is your friend.

http://www.arin.net/registration/guidelines/report_reassign.html

Shared WHOIS Project (SWIP)

SWIP is a process used by organizations to submit information about 
downstream customer's address space reassignments to ARIN for inclusion 
in the WHOIS database. Its goal is to ensure the effective and efficient 
maintenance of records for IP address space.


SWIP is intended to:

* Provide information to identify the organizations utilizing each 
subdelegated IP address block.

* Provide registration information for each IP address block.
* Track utilization of allocated IP address blocks to determine if 
additional allocations may be justified.


For IPv4, organizations can use the Reassign-Simple, Reassign-Detailed, 
Reallocate, and Network-Modification templates to report SWIP information.


Organizations reporting IPv6 reassignment information can use the IPv6 
Reassign, IPv6 Reallocate, and IPv6 Modify templates.


Organizations may only submit reassignment data for records within 
their allocated blocks. ARIN reserves the right to make changes to these 
records upon the organization's approval. Up to 10 templates may be 
submitted as part of a single e-mail.


SWIPs are required for reallocations of /29 and larger if the allocation 
owner does not operate a RWhoIs server.


Of course, SWIP is an ARIN thing, and you work for BRITISH 
TELECOMMUNICATIONS PLC.  As a US network operator, I was well aware of 
the requirements for SWIP, because ARIN rules make it clear that, as a 
netblock owner of an ARIN allocation, I'm required to do it.


Which numbering authority do you work with day to day?


Re: Abuse procedures... Reality Checks

2007-04-09 Thread J. Oquendo

Pete Templin wrote:


John R Levine wrote:

I don't have PI space, but I do have a competent ISP so I've never had any
mail problems due to adjacent addresses.


Having a competent ISP isn't a guarantee of exemption...only a 
contributor.  As evidenced by the discussion, some people choose the 
scope of their wrath arbitrarily.


pt



Frank Bulk wrote:

 Sounds a lot like throwing something against the wall and
 seeing what sticks.  Or vigilantism.

Vigilantism would be me causing the offender's router to flap out of existence.


Matthew Black wrote:

 Um, with that reasoning, why not just block the whole /0 and
 be done with it?

Why should filtering on this level have to be done? Why not prevent one's
own users from sending out bad traffic? I can see why a large provider
would have an issue with this, but how about using IDS' on the way out
as well. This way not one machine on your network can harm another
machine on your own for starters, and someone else's. Sound too Zen?

 Why not get yourself some sort of IDS/IPS
 system or fully firewall your hosts.

What happens when this isn't an option? What do you do when managing
networks on budgets that didn't call for extra equipment? Should I let
a network of mine get compromised for the sake of not having enough in
the budget, or should I explain to the client after the compromise,
"well you really didn't give me enough money"? That will sure teach
him a thing or two about technology they 1) don't care about 2) won't
understand no matter how much it's explained. Maybe I can repeat this
to myself while I file unemployment papers.

 If you have a spam problem, get an e-mail security
 appliance which uses reputation filtering to reject
 connections?

And for those clients whose budget constraints prevented this? Should
I a) allow them to receive thousands of Viagra messages b) allow their
logfiles to fill with thousands of entries and false positives on SSH
attacks c) allow viruses and worms to make my job more difficult?

I never stated my solution was a best practice. I stated what I've
been doing and strangely it's been effective for me. Yes I do have to
answer to clients on why THEIR clients, friends, etc have their
providers blocked, and after it is explained to them along with
logfiles to support my blocks, my clients are right behind me in
blocking ranges. To me, automated blocking isn't that hard to do;
that's what shell scripting is for, and I have no problems
blocking huge blocks (/8's) if need be.

As I stated, if I can take the time to make sure nothing malicious is
leaving my networks - which altogether is now comprised of about a /16
if I added all ranges up - then why can't some of these other networks
do the same. Especially the ones who can actually afford to go out and
drop a couple of thousand, even hundreds of thousands on so called
security products. If I can do it via ACL's, Linux boxes, syslog, etc.,
without incurring more costs to my clients, surely some of you bigger
cats can do the same. I look at it as bad policy, laziness, and lack of
a clue or two. And I sincerely mean this in the utmost non-disrespectful
logical - call it how I see it manner. No reason to have filth leaving
your network. If it does it's because of bureaucratic BS (policies),
lack of how to administrate a network correctly or laziness.

Maybe my next step will be to post some of the emails from admins who
were contacted and responded with the same old "Oh our abuse desk is
right now it." Or some other generic crap, all the while my net is
getting hit up. Or to re-state the strangeness coming from a response
from a CISSP in NASA: "We were doing tests on our network which is
why your machine was getting bruteforced..." Oh really? On a side
note, kudos to those who do take the time to respond, and to those
who actually take a minute or two to digest it all in after I've
rambled on for too long...

Next thread anyone ;)


--

J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net

The happiness of society is the end of government.
John Adams



Re: Abuse procedures... Reality Checks

2007-04-09 Thread John L



I don't have PI space, but I do have a competent ISP so I've never had any
mail problems due to adjacent addresses.


Having a competent ISP isn't a guarantee of exemption...only a contributor. 
As evidenced by the discussion, some people choose the scope of their wrath 
arbitrarily.


Nothing is a guarantee of exemption from a sufficiently perverse or 
hostile email administrator, but being in the middle of a well managed /20 
works pretty well for me.


R's,
John


Re: Abuse procedures... Reality Checks

2007-04-09 Thread Chris Owen



On Apr 9, 2007, at 1:49 PM, John L wrote:



I don't have PI space, but I do have a competent ISP so I've never had any
mail problems due to adjacent addresses.


Having a competent ISP isn't a guarantee of exemption...only a  
contributor. As evidenced by the discussion, some people choose  
the scope of their wrath arbitrarily.


Nothing is a guarantee of exemption from a sufficiently perverse or  
hostile email administrator, but being in the middle of a well  
managed /20 works pretty well for me.


Well, well managed to me would mean that allocations from that /20  
were SWIPed or a rwhois server was running so that if any of those  
4,000 IP addresses does something bad you don't get caught in the  
middle.


Chris


Chris Owen ~ Garden City (620) 275-1900 ~  Lottery (noun):
President  ~ Wichita (316) 858-3000 ~A stupidity tax
Hubris Communications Inc  www.hubris.net







RE: Abuse procedures... Reality Checks

2007-04-09 Thread michael.dillon

 I would have to respectfully disagree with you. When network
 operators do due diligence and SWIP their sub-allocations, they
 (the sub-allocations) should be authoritative in regards to things
 like RBLs.

How do you tell when they have actually done due diligence?

Existence of a SWIP record is essentially meaningless in this day and
age. Many people do them automatically and there may well be nobody left
on staff who knows that this is happening or what it all means.

--Michael Dillon


RE: Abuse procedures... Reality Checks

2007-04-09 Thread Frank Bulk

The managed services they currently offer don't include egress filtering (L3
to L7) on their business customer's networks.

From the discussion here it sounds like naked pipes, even if properly
SWIPed, ought not to be sold, but that all traffic should be checked on the
way out.  It sounds like a good idea, but I'm guessing few network operators
do that for their customer networks, whether that's due to lack of
centralization or cost.

Frank

-Original Message-
From: Frank Bulk 
Sent: Monday, April 09, 2007 3:49 PM
To: 'nanog@merit.edu'
Subject: RE: Abuse procedures... Reality Checks


 If they're properly SWIPed why punish the ISP for networks they don't even
 operate, that obviously belong to their business customers?

How can you tell that they don't operate a network from SWIP records? 

Seems to me that lots of network operators sell managed services to
businesses which means that the network operator is the one operating
the business customers' networks.

Let's face it, the whole SWIP system and whois directory concept was
poorly implemented way back in the 1980s and it is completely inadequate
on an Internet that is thousands of times larger than it was when SWIP
and whois were first developed. How many of you were aware that whois
was originally intended to record all users of the ARPAnet from each
site so that networking departments could justify the funds they were
spending on high-speed 56k frame relay links?

--Michael Dillon




RE: Abuse procedures... Reality Checks

2007-04-09 Thread Chris L. Morrow



On Mon, 9 Apr 2007 [EMAIL PROTECTED] wrote:


  If they're properly SWIPed why punish the ISP for networks they don't even
  operate, that obviously belong to their business customers?

 How can you tell that they don't operate a network from SWIP records?

 Seems to me that lots of network operators sell managed services to
 businesses which means that the network operator is the one operating
 the business customers' networks.

OPERATING PARTS of the business customers' networks ...

'managed services' means lots of things, anything from: I'll manage your
firewall to I'll manage that CPE router to I'll have feet on the
street picking up crumbs in the hallways of your office buildings
24/7/365...

Assuming ... welp, that's dangerous :)

So, what this is all getting back to (the whole 'abuse procedures' and
'dropping traffic because you dislike someone/some-ip/somecountry') is that
essentially each site has the twin responsibilities to:
1) clean up their part of the network
2) decide who they want to accept traffic from

The #1 above is only going to save you a minor amount of money (if any)
and is going to assure that in the longer term your traffic might have a
lower chance of being dropped by someone more draconian than you (say
PaulV for instance). The #2 above is purely your own decision process, it
may be driven by some business decisions/drivers (less money on email
servers, less money on links, less firewall costs, customers that really
do interact with insert-bad-country-here).

You have to, as a network operator, decide how you want to deal with all
of this. Taking any one person's opinion and using only that is surely
going to lead to some bad decisions for your network.


RE: Abuse procedures... Reality Checks

2007-04-09 Thread Frank Bulk

That's been my entire point.  Network operators who properly SWIP don't get
credit for going through the legwork by other networks that apply
quasi-arbitrary bit masks to their blocks.  

As I said before, if you're going to block a /24, why not do it right and
block *all* the IPs in their ASN?  My DSL and cable modem subscribers are
spread across a dozen non-contiguous /24s.  If the bothered network is upset
with one of my cable modem subs and blocks just one /24 they will open
themselves up when that CPE obtains a new IP in a different /24.  

Frank

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete
Templin
Sent: Monday, April 09, 2007 3:42 PM
To: Chris Owen
Cc: nanog@merit.edu
Subject: Re: Abuse procedures... Reality Checks


Chris Owen wrote:
 Well, well managed to me would mean that allocations from that /20 
 were SWIPed or a rwhois server was running so that if any of those 4,000 
 IP addresses does something bad you don't get caught in the middle.

Due diligence with SWIP/rwhois only means that one customer is well 
documented apart from another.  As this thread has highlighted, some 
people filter/block based on random variables: the covering /24, the 
covering aggregate announcement, and/or arbitrary bit lengths.  If a 
particular server is within the scope of what someone decides to 
filter/block, it gets filtered or blocked.  Good SWIPs/rwhois entries 
don't mean jack to those admins.

pt



RE: Abuse procedures... Reality Checks

2007-04-09 Thread Azinger, Marla

I have to disagree.  SWIP is not meaningless.  

In my company some functions related to sending a SWIP are automated, but my 
company has people on staff who know that it is happening and what it means.

And I talk with plenty of other companies that fall into the same boat.  

In short I find this one comment below to be argumentative and full of conjecture.

Regards
Marla Azinger
Frontier Communications

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Sent: Monday, April 09, 2007 1:39 PM
To: nanog@merit.edu
Subject: RE: Abuse procedures... Reality Checks



 I would have to respectfully disagree with you. When network
 operators do due diligence and SWIP their sub-allocations, they
 (the sub-allocations) should be authoritative in regards to things
 like RBLs.

How do you tell when they have actually done due diligence.

Existence of a SWIP record is essentially meaningless in this day and
age. Many people do them automatically and there may well be nobody left
on staff who knows that this is happening or what it all means.

--Michael Dillon


Re: Abuse procedures... Reality Checks

2007-04-09 Thread Valdis . Kletnieks
On Mon, 09 Apr 2007 17:11:28 EDT, Azinger, Marla said:
 In my company some functions related to sending a SWIP are automated,
 but my company has people on staff who know that it is happening and
 what it means.

Just because *your* site has enough clue to get it right doesn't mean that
the *average* site has enough clue to get it right.

In fact, I'll go out on a limb and posit that *in the cases I care about*,
it's even *less* likely that the SWIP is correct, because the same general
attitude of cluelessness that made them unable to police their users and
enforce their AUP (resulting in malicious packets arriving at my network)
will also tend to mean they didn't get the SWIP right.

So to sum up: The sites that *do* SWIP right are more likely to deal with
their user before I hear about it, causing me to *check* the whois. Meanwhile,
the sites that cluelessly allow malicious traffic also often don't SWIP right -
and that results in me contemplating the smallest range I *do* see in the
whois data.  They didn't SWIP it so I could find the offending /26, that's
tough noogies for the rest of their /18.

Now where did I leave my Nomex jumpsuit? :)






Re: Abuse procedures... Reality Checks

2007-04-09 Thread Chris Owen



On Apr 9, 2007, at 3:41 PM, Pete Templin wrote:


Chris Owen wrote:
Well, well managed to me would mean that allocations from that /20 were
SWIPed or a rwhois server was running so that if any of those 4,000 IP
addresses does something bad you don't get caught in the middle.


Due diligence with SWIP/rwhois only means that one customer is well
documented apart from another.  As this thread has highlighted, some
people filter/block based on random variables: the covering /24, the
covering aggregate announcement, and/or arbitrary bit lengths.  If a
particular server is within the scope of what someone decides to
filter/block, it gets filtered or blocked.  Good SWIPs/rwhois entries
don't mean jack to those admins.


Well it means something to me.  I'm not one for widely cast  
blacklists but for something like a series of IP addresses all  
spewing spam from I will often put temporary /24 filters in place if  
I'm unable to determine exactly where the actual block boundaries  
are.  If the addresses are SWIPed/rwhois then that is much easier and  
there is no need for such a wide net.


Chris



Chris Owen ~ Garden City (620) 275-1900 ~  Lottery (noun):
President  ~ Wichita (316) 858-3000 ~A stupidity tax
Hubris Communications Inc  www.hubris.net







Re: Abuse procedures... Reality Checks

2007-04-09 Thread Douglas Otis



On Apr 8, 2007, at 9:03 PM, Paul Vixie wrote:

[EMAIL PROTECTED] (Douglas Otis) writes:

Good advice.  For various reasons, a majority of IP addresses
within a CIDR of any size being abusive is likely to cause the
CIDR to be blocked. While a majority could be considered as being
half right, the existence of the bad neighborhood demonstrates a
lack of oversight for the entire CIDR, which is also fairly
predictive of future abuse.


that sounds like a continuum, but my experience requires more dimensions
than you're describing.  for example, this weekend two /24's were hijacked
and used for spam spew.


Agreed.

This was expressed recently as well.

http://www.merit.edu/mail.archives/nanog/msg05351.html

CIDRs should also conform with ASN boundaries and reputation tracks  
with announcements.


Unfortunately an effort to create a black-hole operator's BCP failed
to consider these issues.  Many building their own reputation
histories will also likely ignore this concern.  This means John's
advice remains valid, whether fair or not.  Adopting transient
tracking methods copes with this problem.


-Doug


Re: Abuse procedures... Reality Checks

2007-04-09 Thread Christopher X. Candreva

On Mon, 9 Apr 2007, Paul Vixie wrote:

 
 than you're describing.  for example, this weekend two /24's were hijacked
 and used for spam spew.  as my receivebot started blackholing /32's, the

Why do you think they were hijacked? At least for your second block:

1 71.6.213.103
  

I've had that /24 blocked since 4/4/07. I have spam attempts for that domain 
going back to Feb 13 2007, but it didn't have reverse DNS set up until 4/4 
so nothing got through.


==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 948-3162
WestNet Internet Services of Westchester
http://www.westnet.com/


Re: Abuse procedures... Reality Checks

2007-04-08 Thread Paul Vixie

  Neither I nor J. Oquendo nor anyone else are required to spend our
  time, our money, and our resources figuring out which parts of X's
  network can be trusted and which can't.

you should only spend resources on activities which will benefit you, of
course.  research into a /N to find out which /(M>N)'s are good and which
are evil can pay back in a lower false-positive rate, which will matter to
some blockers more than others.

  It's not that hard, the ARIN records are easy to look up.  Figuring out
  that network operator has a /8 that you want to block based on 3 or 4
  IPs in their range requires just as much work.

as several others have pointed out, detailed records are often unavailable
and are sometimes wrong.  my theory is that folks don't want to put abuse
contact info into WHOIS that will just cause them to be reportbombed with
low quality automated trash having no particular format, lacking useful
detail, and often complaining to the wrong place.  (for example, as one of
the WHOIS contacts for AS112, i am reportbombed frequently by folks whose
reportbot's best guess at who-spammed-them is an RFC 1918 address.)

 It's *very* hard to do it with an automated system, as such automated 
 look-ups are against the Terms of Service for every single RIR out there.

perhaps apropos of this, http://www.arin.net/announcements/article_352.html
says that there's a movement afoot to remove one of the WHOIS query limits
at ARIN.  if someone here thinks that a TOS change that permitted automated
lookups for the purpose of abuse reporting would be good, then in the ARIN
region, http://www.arin.net/policy/irpep.html says how you can suggest such.
-- 
Paul Vixie


Re: Abuse procedures... Reality Checks

2007-04-08 Thread Leo Vegoda


On Apr 7, 2007, at 11:27 PM, John Levine wrote:

[...]


I can assure you from
experience that any sort of automated RIR WHOIS lookups will quickly
trip volume checks and get you blocked,


Does this happen when you only query for the network information and  
not the full contact information?


Regards,

--
Leo Vegoda
IANA Numbers Liaison




RE: Abuse procedures... Reality Checks

2007-04-08 Thread Barry Shein


Bingo. Read the note below again, it is the path to enlightenment,

Shein's law of resources:

Needs, no matter how dire or just, do not alone create the
resources necessary to fulfill.

On April 7, 2007 at 20:41 [EMAIL PROTECTED] (Robert Bonomi) wrote:
  
  
   From: Frank Bulk [EMAIL PROTECTED]
   Subject: RE: Abuse procedures... Reality Checks
   Date: Sat, 7 Apr 2007 16:20:59 -0500
  
If they can't hold the outbound abuse down to a minimum, then 
I guess I'll have to make up for their negligence on my end.  
  
   Sure, block that /29, but why block the /24, /20, or even /8?  Perhaps your
   (understandable) frustration is preventing you from agreeing with me on 
   this
   specific case.  Because what you usually see is an IP from a /20 or larger
   and the network operators aren't dealing with it.  In the example I gave
   it's really the smaller /29 that's the culprit, it sounds like you want to
   punish a larger group, perhaps as large as an AS, for the fault of smaller
   network.
  
  BLUNT QUESTIONS:  *WHO*  pays me to figure out 'which parts' of a provider's
  network are riddled with problems and 'which parts' are _not_?  *WHO* pays
  me to do the research to find out where the end-user boundaries are? *WHY*
  should _I_ have to do that work -- If the 'upstream provider' is incapable of
  keeping _their_own_house_ clean, why should I spend the time trying to figure
  out which of their customers are 'bad guys' and which are not?
  
  A provider *IS* responsible for the 'customers it _keeps_'.
  
  And, unfortunately, a customer is 'tarred by the brush' of the reputation
  of its provider.
  
   Smaller operators, like those that require just a /29, often don't have 
   that
   infrastructure.  Those costs, as I'm sure you're aware, are passed on to
   companies like yourself that have to maintain their own network's security.
   Again, block them, I say, just don't swallow others up in the process.
  
  If the _UPSTREAM_ of that 'small operator' cannot 'police' its own customers,
  Why should _I_ absorb the costs that _they_ are unwilling to internalize?
  
  If they want to sell 'cheap' service, but not 'doing what is necessary', I
  see no reason to 'facilitate' their cut-rate operations.
  
  Those who buy service from such a provider, 'based on cost',  *deserve* what
  they get, when their service doesn't work as well as that provided by the
  full-price competition.
  
  _YOUR_ connectivity is only as good as the 'reputation' of whomever it is 
  that you buy connectivity from.
  
  You might want to consider _why_ the provider *keeps* that 'offensive' 
  customer.  There would seem to be only a few possible explanations:  (1) they
  are 'asleep at the switch', (2) that customer pays enough that they can
  'afford' to have multiple other customers who are 'dis-satisfied', or who
  may even leave that provider, (3) they aren't willing to 'spend the money'
  to run a clean operation.  (_None_ of those seems like a good reason for _me_
  to spend extra money 'on behalf of' _their_ clients.)


Re: Abuse procedures... Reality Checks

2007-04-08 Thread Paul Vixie

[EMAIL PROTECTED] (Douglas Otis) writes:

 Good advice.  For various reasons, a majority of IP addresses within a
 CIDR of any size being abusive is likely to cause the CIDR to be blocked.
 While a majority could be considered as being half right, the existence
 of the bad neighborhood demonstrates a lack of oversight for the entire
 CIDR, which is also fairly predictive of future abuse.

that sounds like a continuum, but my experience requires more dimensions
than you're describing.  for example, this weekend two /24's were hijacked
and used for spam spew.  as my receivebot started blackholing /32's, the
sender started cycling to other addresses in the block.  each address was
used continuously until it stopped working, then the next address came in.
while there were two /24's and two self-similar spam flows, there was not a
strict mapping of spam flow to packet flow -- both /24's emitted both kinds
of spam.  uniq -c results are below.  i've nominated both blocks to the
MAPS RBL, and i can't tell from whois whether it's worthwhile to complain
to the ISP's.  would you say that i've learned anything of predictive value
concerning future spam from the containing /17 (CARI) or /15 (THEPLANET)?
or is this just another run of the mill BGP hijack due to some other ISP's
router having enable passwords still set to the factory default?  (we all
owe randy bush a debt of gratitude for pushing on RPKI, by the way.  anybody
can complain about the weather but very few people do something about it.)

-- 
Paul Vixie


Abuse procedures... Reality Checks

2007-04-07 Thread J. Oquendo

On Sat, 07 Apr 2007, Frank Bulk wrote:

 
 While you have your friend's ear, ask him why they maintain a spam policy of
 blocking complete /24's when:
 a) the space has been divided into multiple sub-blocks and assigned to
 different companies, all well-documented and queryable in ARIN
 b) there have been repeated pleas to whitelist a certain IP in separate
 sub-block that is only being punished for the behavior of others in a
 different sub-block.
 
 Frank

realitycheck

You're complaining of blocked /24's. I block off up to /6's from reaching
certain ports on my networks. Sound crazy? How many times should I contact
the netblock owner and hear the same generic "well you have to open up a
complaint with our abuse desk... golly gee Joseph." Only to have the same
repeat attacks over and over and over. Sure, I'll start out blocking the
offensive address, then shoot off an email here and there, even post to
this or another list or search Jared's list for a contact and ask them
politely "Hey... I see X amount of attackers hitting me from your net."
But how long should I go on for before I could just say to hell with
your users and network... They just won't connect. It's my own right to
when it comes to my network.

People complain? Sure, then I explain why, point out the fact that I
HAVE made attempts at resolutions to no avail. So should the entire
network be punished... No, but the engineers who now have to answer
THEIR clients on why they've been blacklisted surely are punished, aren't
they? Now they have to hear X amount of clients moan about not being
able to send either a client, vendor or relative email. They have to
either find an alternative method to connect, or complain to their
provider about connectivity issues.

Is it fair? Yes it's fair to me, my clients, networks, etc., that
I protect it. Is it fair to complain to deaf ears when those deaf
ears are the ones actually clueful enough to fix? On a daily basis
I have clients who should be calling customer service for issues
contact me directly. Know what I do? ... My best to fix it, enter
a ticket number on the issue and go about the day. One way or the
other I'm going to see the ticket/problem so will it kill me to
take a moment or two to fix something? Sure I will bitch moan and
yell about it, a minute later AFTER THE FIX since things of this
nature usually don't take that much time, guess what? Life returns
to normal.

http://www.infiltrated.net/bforcers/5thWeek-Organizations

Have a look will you? These are constant offending networks with
hosts that are repeatedly ssh'ing into servers I maintain. Is it
unfair to block off their entire netblock from connecting via
ssh to my servers? Hell no it isn't. If I have clients on this
netblock, in all honesty tough. Let them contact their providers
after I tell them their provider has been blocked because of the
garbage on their network. Let their provider do something before
I do because heaven knows how many times I have tried reaching
someone diplomatically before I went ahead and blocked their
entire /6 /7 /8 /9 /10 and so on from connecting to me via ssh
or whatever other service they've intruded or attempted to
intrude upon.

Blocks? They usually last for 2 weeks then I take them off and
start ALL over again. Of course I've automated this so it's no
sweat off my shoulders. So you tell me in all honesty why someone
should not escalate and block off entire blocks.

/realitycheck

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743

How a man plays the game shows something of his
character - how he loses shows all - Mr. Luckey 


RE: Abuse procedures... Reality Checks

2007-04-07 Thread Frank Bulk

Joe:

I understand your frustration and appreciate your efforts to contact the
sources of abuse, but why indiscriminately block a larger range of IPs than
what is necessary?  

Here's the /24 in question:
Combined Systems Technologies NET-CST (NET-207-177-31-0-1)
207.177.31.0 - 207.177.31.7
Elkader Public Library NET-ELKRLIB (NET-207-177-31-8-1)
207.177.31.8 - 207.177.31.15
Plastech Grinnell Plant NET-PLASTECH (NET-207-177-31-16-1)
207.177.31.16 - 207.177.31.31 (dial-up, according to DNS)
Griswold Telephone Co. NET-GRIS (NET-207-177-31-32-1)
207.177.31.32 - 207.177.31.63
Griswold Telephone Co. NET-GRIS2 (NET-207-177-31-64-1)
207.177.31.64 - 207.177.31.95 (dial-up, according to DNS)
Jesco Electrical Supplies NET-JESCOELEC (NET-207-177-31-96-1)
207.177.31.96 - 207.177.31.103
American Equity Investment NET-AMREQUITY (NET-207-177-31-104-1)
207.177.31.104 - 207.177.31.111
** open **
Butler County REC NET-BUTLERREC (NET-207-177-31-120-1)
207.177.31.120 - 207.177.31.127
Northeast Missouri Rural Telephone Co. NET-NEMR2
(NET-207-177-31-128-1)
207.177.31.128 - 207.177.31.191
Montezuma Mutual Telephone NET-MONTEZUMA (NET-207-177-31-192-1)
207.177.31.192 - 207.177.31.254 (dial-up, according to DNS) 

Block the /24 and you cause problems for potentially 8 other companies.  Now
the RBL maintainer, or in this case, GoDaddy, has to interact with 8 other
companies -- what a lot of work and overhead!  If they just dealt with the
problem in a more surgical manner they wouldn't have to deal with the other
companies asking for relief.  

Frank

-Original Message-
From: J. Oquendo [mailto:[EMAIL PROTECTED] 
Sent: Saturday, April 07, 2007 2:08 PM
To: nanog@merit.edu
Cc: Frank Bulk
Subject: Abuse procedures... Reality Checks

On Sat, 07 Apr 2007, Frank Bulk wrote:

 
 While you have your friend's ear, ask him why they maintain a spam policy
of
 blocking complete /24's when:
 a) the space has been divided into multiple sub-blocks and assigned to
 different companies, all well-documented and queryable in ARIN
 b) there have been repeated pleas to whitelist a certain IP in separate
 sub-block that is only being punished for the behavior of others in a
 different sub-block.
 
 Frank

realitycheck

You're complaining of blocked /24's. I block off up to /6's from reaching
certain ports on my networks. Sound crazy? How many times should I contact
the netblock owner and hear the same generic "well, you have to open up a
complaint with our abuse desk"... golly gee Joseph. Only to have the same
repeat attacks over and over and over. Sure, I'll start out blocking the
offensive address, then shoot off an email here and there, even post to
this or another list or search Jared's list for a contact and ask them
politely "Hey... I see X amount of attackers hitting me from your net."
But how long should I go on for before I could just say to hell with
your users and network... They just won't connect. It's my own right to
when it comes to my network.

People complain? Sure, then I explain why, point out the fact that I
HAVE made attempts at resolutions to no avail. So should the entire
network be punished... No, but the engineers who now have to answer
THEIR clients on why they've been blacklisted surely are punished aren't
they. Now they have to hear X amount of clients moan about not being
able to send either a client, vendor or relative email. They have to
either find an alternative method to connect, or complain to their
provider about connectivity issues.

Is it fair? Yes it's fair to me, my clients, networks, etc., that
I protect it. Is it fair to complain to deaf ears when those deaf
ears are the ones actually clueful enough to fix? On a daily basis
I have clients who should be calling customer service for issues
contact me directly. Know what I do? ... My best to fix it, enter
a ticket number on the issue and go about the day. One way or the
other I'm going to see the ticket/problem so will it kill me to
take a moment or two to fix something? Sure I will bitch moan and
yell about it, a minute later AFTER THE FIX since things of this
nature usually don't take that much time, guess what? Life returns
to normal.

http://www.infiltrated.net/bforcers/5thWeek-Organizations

Have a look will you? These are constant offending networks with
hosts that are repeatedly ssh'ing into servers I maintain. Is it
unfair to block off their entire netblock from connecting via
ssh to my servers? Hell no it isn't. If I have clients on this
netblock, in all honesty tough. Let them contact their providers
after I tell them their provider has been blocked because of the
garbage on their network. Let their provider do something before
I do because heaven knows how many times have I tried reaching
someone diplomatically before I went ahead and blocked their
entire /6 /7 /8 /9 /10 and so on from

Re: Abuse procedures... Reality Checks

2007-04-07 Thread J. Oquendo

On Sat, 07 Apr 2007, Frank Bulk wrote:

 Joe:
 
 I understand your frustration and appreciate your efforts to contact the
 sources of abuse, but why indiscriminately block a larger range of IPs than
 what is necessary?  
 

Far too many times I've tried to contact those who have the DIRECT ability
to make things happen and the same constant whiny "Contact our abuse desk"
response was given. What mainly happens here on out is the following: if
someone on that subnet needs to do something on mine, many will contact me
or others that work with me and state "Why can't we connect?!" The situation
will be explained and they'll be told to contact their provider. This seems
to be the only logical method I've personally found for some of the bigger
providers to respond to incidents. Hit them where it hurts, let them have
their own customers bitch and moan about their inability to get things
done. Sure it's not fair to single out an entire subnet. I've gone as far
as blocking LACNIC, APNIC, RIPE, /8's on ARIN at a clip for days on end
until someone from the offending provider contacted me. Then and only
then was I able to get something done. 

So to answer your question about fairness... It's not fair by any
means, but it is effective. I see it as follows... If someone on one
of my networks is offending someone else, I'm nipping it in the bud
to avoid the possibility of any legal repercussions. And although it
may seem far fetched to look at things in such fashion, I'd rather
be safe than sorry. I'd also like to be accountable since after all
when it boils down to it, it is my job as a network engineer, security
engineer to ensure nothing malicious comes into my network as well
as exits my network. It's a two-way street.

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x1383A743

How a man plays the game shows something of his
character - how he loses shows all - Mr. Luckey 


Re: Abuse procedures... Reality Checks

2007-04-07 Thread Rich Kulawiec

On Sat, Apr 07, 2007 at 02:31:25PM -0500, Frank Bulk wrote:
 I understand your frustration and appreciate your efforts to contact the
 sources of abuse, but why indiscriminately block a larger range of IPs than
 what is necessary?  

1. There's nothing indiscriminate about it.

I often block /24's and larger because I'm holding the *network* operators
responsible for what comes out of their operation.  If they can't hold
the outbound abuse down to a minimum, then I guess I'll have to make
up for their negligence on my end.  I don't care why it happens -- they
should have thought through all this BEFORE plugging themselves in
and planned accordingly.  (Never build something you can't control.)

Neither I nor J. Oquendo nor anyone else are required to spend our time,
our money, and our resources figuring out which parts of X's network
can be trusted and which can't.  It is entirely X's responsibility to
make sure that its _entire_ network can be permitted the privilege of
access to ours.  And (while I don't wish to speak for anyone else),
I think we're prepared to live with a certain amount of low-level,
transient, isolated noise.  We are not prepared to live with persistent,
systemic attacks that are not dealt with even *after* complaints are
filed.  (Which shouldn't be necessary anyway: if we can see inbound
hostile traffic to our networks, surely X can see it outbound from
theirs.  Unless X is too stupid, cheap or lazy to look.  Packets do
not just fall out of the sky, y'know?)

2. "Necessary" is a relative term.

Example: I observed spam/spam attempts from 3,599 hosts on pldt's network
during January alone. I've blocked everything they have, because I find it
*necessary* to not wait for the other N hosts on their network to pull the
same stunt.  I've found it *necessary* to take many other similar measures
as well because my time, money and resources are limited quantities,
so I must expend them frugally while still protecting the operation from
overtly hostile networks.  That requires pro-active measures and it
requires ones that have been proven to be effective.

If X, for some value of X, is unhappy about this, then X should have
thought of that before permitting large amounts of abuse to escape
its operation over an extended period of time.  Had X done its job
to a baseline level of professionalism, then this issue would not
have arisen, and we'd all be better off for it.


So.  If you (generic you) can't keep your network from being a persistent
and systemic abuse source, then unplug it.  Now.

If on other hand, you decide to stick around anyway while letting the
crap flow: no whining when other people find it necessary to take steps
to defend themselves from your incompetence.

---Rsk


Re: Abuse procedures... Reality Checks

2007-04-07 Thread Peter Dambier


J. Oquendo wrote:
...

So to answer your question about fairness... It's not fair by any
means, but it is effective. I see it as follows...


Well, that's the reason why I have a gmail account and all my
customers have.

I can send even from my dynamic ip-address and still they
let me in.

They can send to my dynamic ip-address.

Important mails are sent host to host.
For the records are sent via gmail.

There is no need for any other mail provider. They are
blocking mails most of the time only allowing spam to
get through.


Cheers
Peter and Karin

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
http://www.cesidianroot.com/



RE: Abuse procedures... Reality Checks

2007-04-07 Thread Frank Bulk

 On Sat, Apr 07, 2007 at 02:31:25PM -0500, Frank Bulk wrote:
  I understand your frustration and appreciate your efforts to contact the
  sources of abuse, but why indiscriminately block a larger range of IPs
than
  what is necessary?  
 
 1. There's nothing indiscriminate about it.
 
 I often block /24's and larger because I'm holding the 
 *network* operators responsible for what comes out of 
 their operation.  

Define network operator: the AS holder for that space or the operator of
that smaller-than-slash-24 sub-block?  If the problem consistently comes
from a /29 why not just leave the block in and be done with it?  

I guess this begs the question: Is it best to block with a /32, /24, or some
other range?  Sounds a lot like throwing something against the wall and
seeing what sticks.  Or vigilantism.

 If they can't hold the outbound abuse down to a minimum, then 
 I guess I'll have to make up for their negligence on my end.  

Sure, block that /29, but why block the /24, /20, or even /8?  Perhaps your
(understandable) frustration is preventing you from agreeing with me on this
specific case.  Because what you usually see is an IP from a /20 or larger
and the network operators aren't dealing with it.  In the example I gave
it's really the smaller /29 that's the culprit, it sounds like you want to
punish a larger group, perhaps as large as an AS, for the fault of a smaller
network.

 I don't care why it happens -- they should have thought through 
 all this BEFORE plugging themselves in and planned accordingly.  
 (Never build something you can't control.)

Agreed.

 
 Neither I nor J. Oquendo nor anyone else are required to 
 spend our time, our money, and our resources figuring out which 
 parts of X's network can be trusted and which can't.  

It's not that hard, the ARIN records are easy to look up.  Figuring out that
network operator has a /8 that you want to block based on 3 or 4 IPs in
their range requires just as much work.

 It is entirely X's responsibility to make sure that its _entire_ 
 network can be permitted the privilege of access to ours.  
 And (while I don't wish to speak for anyone else),
 I think we're prepared to live with a certain amount of low-level,
 transient, isolated noise.  

Noise like that is an inevitable part of the job.

 We are not prepared to live with persistent, systemic attacks 
 that are not dealt with even *after* complaints are
 filed.  (Which shouldn't be necessary anyway: if we can see inbound
 hostile traffic to our networks, surely X can see it outbound from
 theirs.  Unless X is too stupid, cheap or lazy to look.  Packets do
 not just fall out of the sky, y'know?)

Smaller operators, like those that require just a /29, often don't have that
infrastructure.  Those costs, as I'm sure you're aware, are passed on to
companies like yourself that have to maintain their own network's security.
Again, block them, I say, just don't swallow others up in the process.

 2. "Necessary" is a relative term.
 
 Example: I observed spam/spam attempts from 3,599 hosts on 
 pldt's network  during January alone. I've blocked 
 everything they have, because I find it *necessary* 
 to not wait for the other N hosts on their network 
 to pull the same stunt.  I've found it *necessary* to take
 many other similar measures as well because my time, 
 money and resources are limited quantities, so I must 
 expend them frugally while still protecting the operation 
 from overtly hostile networks.  

That's my point: you want to spend time dealing with the other 8 networks
because you blacked them out, too?  

 That requires pro-active measures and it requires ones 
 that have been proven to be effective.
 
 If X, for some value of X, is unhappy about this, then X should have
 thought of that before permitting large amounts of abuse to escape
 its operation over an extended period of time.  Had X done its job
 to a baseline level of professionalism, then this issue would not
 have arisen, and we'd all be better off for it.

Agreed, but economics usually dictate otherwise.
 
 So.  If you (generic you) can't keep your network from being 
 a persistent and systemic abuse source, then unplug it.  Now.

They want to run a business, too.  So when you blacklist they will end up
calling you asking for mercy, telling you that it's been cleaned up.
Inevitably something/someone gets infected, you black them out, rinse,
repeat.

 If on other hand, you decide to stick around anyway while letting the
 crap flow: no whining when other people find it necessary to 
 take steps to defend themselves from your incompetence.
 
 ---Rsk



Re: Abuse procedures... Reality Checks

2007-04-07 Thread Chris Owen



On Apr 7, 2007, at 4:20 PM, Frank Bulk wrote:

Sure, block that /29, but why block the /24, /20, or even /8?  Perhaps your
(understandable) frustration is preventing you from agreeing with me on this
specific case.  Because what you usually see is an IP from a /20 or larger
and the network operators aren't dealing with it.  In the example I gave
it's really the smaller /29 that's the culprit, it sounds like you want to
punish a larger group, perhaps as large as an AS, for the fault of a smaller
network.


Well it sounds like the original poster is trying to punish the  
network operator by intentionally blocking innocent bystanders and  
therefore causing them grief so if that is your goal then a /24 seems  
like a decent arbitrary size.  You are mostly sure you won't block  
across providers that way at least.


However, even if this isn't your goal it can be really hard sometimes
to have any clue how big a netblock is for a particular IP address.
ARIN may make small folks like us jump through hoops but apparently
this isn't true for larger providers.  We often run into abuse from
IP addresses (or a range of addresses) where there is no rwhois server
and the entire /19 or larger is SWIPed as a single netblock.  I've
seen some really, really large blocks with absolutely no sub-
delegation when clearly the addresses are sub-delegated.


We will often temporarily block a /24 on email blacklists for
instance.  When you're getting pounded from a range of 30 or 50 IP
addresses and can't get any response from the upstream then it is
fairly obvious they are less than white hat so we're willing to live
with the collateral damage.


Chris


Chris Owen ~ Garden City (620) 275-1900 ~  Lottery (noun):
President  ~ Wichita (316) 858-3000 ~A stupidity tax
Hubris Communications Inc  www.hubris.net







Re: Abuse procedures... Reality Checks

2007-04-07 Thread Fergie


-- Rich Kulawiec [EMAIL PROTECTED] wrote:

1. There's nothing indiscriminate about it.

I often block /24's and larger because I'm holding the *network* operators
responsible for what comes out of their operation.  If they can't hold
the outbound abuse down to a minimum, then I guess I'll have to make
up for their negligence on my end.  I don't care why it happens -- they
should have thought through all this BEFORE plugging themselves in
and planned accordingly.  (Never build something you can't control.)

I would have to respectfully disagree with you. When network
operators do due diligence and SWIP their sub-allocations, they
(the sub-allocations) should be authoritative in regards to things
like RBLs.

$.02,

- ferg




--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: Abuse procedures... Reality Checks

2007-04-07 Thread william(at)elan.net



On Sat, 7 Apr 2007, Fergie wrote:



-- Rich Kulawiec [EMAIL PROTECTED] wrote:

1. There's nothing indiscriminate about it.


I often block /24's and larger because I'm holding the *network* operators
responsible for what comes out of their operation.  If they can't hold
the outbound abuse down to a minimum, then I guess I'll have to make
up for their negligence on my end.  I don't care why it happens -- they
should have thought through all this BEFORE plugging themselves in
and planned accordingly.  (Never build something you can't control.)


I would have to respectfully disagree with you. When network
operators do due diligence and SWIP their sub-allocations, they
(the sub-allocations) should be authoritative in regards to things
like RBLs.

$.02,


Yes. But the answer is that it also depends how many other cases like
this exist from same operator. If they have 16 suballocations in /24
but say 5 of them are spewing, I'd block /24 (or larger) ISP block.
The exact % of bad blocks (i.e. when to start blocking ISP) depends
on your point of view and history with that ISP but most in fact do
hold ISPs partially responsible.

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]
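The two positions above (Frank's "block the /29, not the /24" and William's "if several of the sub-allocations in the /24 are spewing, block the ISP's block") can be expressed as one decision rule over a SWIP table. The following is an added example, not code from anyone in the thread: it takes the sub-allocation breakdown of 207.177.31.0/24 that Frank posted earlier (the ranges are his, the CIDR notation is derived from them), counts offending sources per sub-allocation, and either blocks surgically or escalates to the parent once a chosen fraction of sub-allocations have produced abuse. The source addresses and the 25% threshold are constructed for illustration; hits that land in the unallocated 207.177.31.112-119 gap get exact /32s because there is no SWIP owner to contact.

```python
import ipaddress
from collections import Counter

# Parent block and its sub-allocations as listed in Frank's whois breakdown.
# Ranges are from the thread; CIDR notation is derived from those ranges.
# 207.177.31.112-119 is the "** open **" gap and has no entry here.
PARENT = ipaddress.ip_network("207.177.31.0/24")
SUB_ALLOCATIONS = {
    "Combined Systems Technologies": "207.177.31.0/29",
    "Elkader Public Library": "207.177.31.8/29",
    "Plastech Grinnell Plant": "207.177.31.16/28",
    "Griswold Telephone Co. (NET-GRIS)": "207.177.31.32/27",
    "Griswold Telephone Co. (NET-GRIS2)": "207.177.31.64/27",
    "Jesco Electrical Supplies": "207.177.31.96/29",
    "American Equity Investment": "207.177.31.104/29",
    "Butler County REC": "207.177.31.120/29",
    "Northeast Missouri Rural Telephone Co.": "207.177.31.128/26",
    "Montezuma Mutual Telephone": "207.177.31.192/26",
}

# Constructed sample: source addresses of failed logins pulled from a log
# over some window. Duplicates stand for repeated attempts by one host.
SAMPLE_SOURCES = [
    "207.177.31.3", "207.177.31.3", "207.177.31.5",   # NET-CST
    "207.177.31.70", "207.177.31.70",                 # NET-GRIS2
    "207.177.31.131",                                 # NET-NEMR2
    "207.177.31.114",                                 # the unallocated gap
    "198.51.100.9",                                   # outside the /24 entirely
]


def _networks(allocations):
    return [ipaddress.ip_network(cidr) for cidr in allocations.values()]


def offenders_by_suballocation(sources, parent=PARENT, allocations=SUB_ALLOCATIONS):
    """Count hits per sub-allocation for sources inside `parent`.

    Hits inside the parent that match no sub-allocation are counted under the
    key "unallocated"; hits outside the parent are ignored.
    """
    nets = _networks(allocations)
    counts = Counter()
    for src in sources:
        ip = ipaddress.ip_address(src)
        if ip not in parent:
            continue
        for net in nets:
            if ip in net:
                counts[str(net)] += 1
                break
        else:
            counts["unallocated"] += 1
    return dict(counts)


def recommend_blocks(sources, parent=PARENT, allocations=SUB_ALLOCATIONS, escalate_at=0.25):
    """Return the CIDRs to block for this parent.

    Surgical by default: only the sub-allocations that produced hits, plus
    exact /32s for hits in unallocated space. When the fraction of
    sub-allocations with offenders reaches `escalate_at`, the whole parent is
    returned instead (the "several sub-blocks are spewing" case).
    """
    counts = offenders_by_suballocation(sources, parent, allocations)
    bad = [cidr for cidr in counts if cidr != "unallocated"]
    if len(bad) / len(allocations) >= escalate_at:
        return [str(parent)]
    blocks = [ipaddress.ip_network(cidr) for cidr in bad]
    nets = _networks(allocations)
    for src in sources:
        ip = ipaddress.ip_address(src)
        if ip in parent and not any(ip in net for net in nets):
            blocks.append(ipaddress.ip_network(f"{ip}/32"))
    # collapse_addresses de-duplicates, merges adjacent prefixes and sorts
    return [str(net) for net in ipaddress.collapse_addresses(blocks)]


if __name__ == "__main__":
    print(offenders_by_suballocation(SAMPLE_SOURCES))
    print("escalate at 25%:", recommend_blocks(SAMPLE_SOURCES))
    print("escalate at 50%:", recommend_blocks(SAMPLE_SOURCES, escalate_at=0.5))
```

With the sample data three of the ten sub-allocations are offending, so the 25% rule returns the whole /24 while a 50% rule returns the three sub-blocks plus the single /32 from the gap. The threshold is the "point of view" William mentions; the table is the part that needs the SWIP data, which is exactly what is missing when a provider registers a /19 as one block.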


RE: Abuse procedures... Reality Checks

2007-04-07 Thread Frank Bulk

If they're properly SWIPed why punish the ISP for networks they don't even
operate, that obviously belong to their business customers?  And if the
granular blocking is effectively shutting down the abuse from that
sub-allocated block, didn't the network operator succeed in protecting
themselves?  Or is the netop looking to the ISP to push back on their
customers to clean up their act?  Or is the netop trying to teach the ISP a
lesson?  

Of course, it doesn't hurt to copy the ISP or AS owner for abuse issues from
a sub-allocated block -- you would hope that ISPs and AS owners would want
to have clean customers.  

Frank 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
william(at)elan.net
Sent: Saturday, April 07, 2007 5:58 PM
To: Fergie
Cc: [EMAIL PROTECTED]; nanog@merit.edu
Subject: Re: Abuse procedures... Reality Checks

On Sat, 7 Apr 2007, Fergie wrote:


 -- Rich Kulawiec [EMAIL PROTECTED] wrote:

 1. There's nothing indiscriminate about it.

 I often block /24's and larger because I'm holding the *network*
operators
 responsible for what comes out of their operation.  If they can't hold
 the outbound abuse down to a minimum, then I guess I'll have to make
 up for their negligence on my end.  I don't care why it happens -- they
 should have thought through all this BEFORE plugging themselves in
 and planned accordingly.  (Never build something you can't control.)

 I would have to respectfully disagree with you. When network
 operators do due diligence and SWIP their sub-allocations, they
 (the sub-allocations) should be authoritative in regards to things
 like RBLs.

 $.02,

Yes. But the answer is that it also depends how many other cases like
this exist from same operator. If they have 16 suballocations in /24
but say 5 of them are spewing, I'd block /24 (or larger) ISP block.
The exact % of bad blocks (i.e. when to start blocking ISP) depends
on your point of view and history with that ISP but most in fact do
hold ISPs partially responsible.

-- 
William Leibzon
Elan Networks
[EMAIL PROTECTED]



RE: Abuse procedures... Reality Checks

2007-04-07 Thread william(at)elan.net



On Sat, 7 Apr 2007, Frank Bulk wrote:


If they're properly SWIPed why punish the ISP for networks they don't even
operate, that obviously belong to their business customers?


All ISPs have AUPs that prohibit spam (or at least I hope all of you do)
though they are enforced at some places better than at others... But the point
is that each and every customer ISP is responsible for following that
AUP and is responsible for making sure their customers follow it as well.
So to answer you, the view is that even if the ISP does not operate the network,
by providing services and IP addresses they in fact basically do operate
it on a higher level and are partially directly responsible for what happens
there, including enforcing its AUP on its sub-ISP or business customer
(and making sure they enforce the same AUP provisions on their customers).
Chain of responsibility if you like to think of it that way...

And if the granular blocking is effectively shutting down the abuse from 
that sub-allocated block, didn't the network operator succeed in protecting

themselves?  Or is the netop looking to the ISP to push back on their
customers to clean up their act?  Or is the netop trying to teach the ISP a
lesson?

Of course, it doesn't hurt to copy the ISP or AS owner for abuse issues from
a sub-allocated block -- you would hope that ISPs and AS owners would want
to have clean customers.


Yes, of course blocking of a larger ISP block would happen only after trying
to notify the ISP of the problem for each and every one of those subblocks did
not lead to any results.



Frank

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
william(at)elan.net
Sent: Saturday, April 07, 2007 5:58 PM
To: Fergie
Cc: [EMAIL PROTECTED]; nanog@merit.edu
Subject: Re: Abuse procedures... Reality Checks

On Sat, 7 Apr 2007, Fergie wrote:



-- Rich Kulawiec [EMAIL PROTECTED] wrote:

1. There's nothing indiscriminate about it.


I often block /24's and larger because I'm holding the *network*

operators

responsible for what comes out of their operation.  If they can't hold
the outbound abuse down to a minimum, then I guess I'll have to make
up for their negligence on my end.  I don't care why it happens -- they
should have thought through all this BEFORE plugging themselves in
and planned accordingly.  (Never build something you can't control.)


I would have to respectfully disagree with you. When network
operators do due diligence and SWIP their sub-allocations, they
(the sub-allocations) should be authoritative in regards to things
like RBLs.

$.02,


Yes. But the answer is that it also depends how many other cases like
this exist from same operator. If they have 16 suballocations in /24
but say 5 of them are spewing, I'd block /24 (or larger) ISP block.
The exact % of bad blocks (i.e. when to start blocking ISP) depends
on your point of view and history with that ISP but most in fact do
hold ISPs partially responsible.


--
William Leibzon
Elan Networks
[EMAIL PROTECTED]


Re: Abuse procedures... Reality Checks

2007-04-07 Thread Fergie


-- william(at)elan.net [EMAIL PROTECTED] wrote:

On Sat, 7 Apr 2007, Fergie wrote:

 I would have to respectfully disagree with you. When network
 operators do due diligence and SWIP their sub-allocations, they
 (the sub-allocations) should be authoritative in regards to things
 like RBLs.

Yes. But the answer is that it also depends how many other cases like
this exist from same operator. If they have 16 suballocations in /24
but say 5 of them are spewing, I'd block /24 (or larger) ISP block.

Why? When you can block on more specific prefixes? This just
doesn't make sense to me.

The exact % of bad blocks (i.e. when to start blocking ISP) depends
on your point of view and history with that ISP but most in fact do
hold ISPs partially responsible.

Indeed -- your point of view. Which I would argue is unfair
and not due diligence.

- ferg



--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: Abuse procedures... Reality Checks

2007-04-07 Thread Stephen Satchell


Frank Bulk wrote:
 [[Attribution deleted by Frank Bulk]]
Neither I nor J. Oquendo nor anyone else are required to 
spend our time, our money, and our resources figuring out which 
parts of X's network can be trusted and which can't.  


It's not that hard, the ARIN records are easy to look up.  Figuring out that
network operator has a /8 that you want to block based on 3 or 4 IPs in
their range requires just as much work.


It's *very* hard to do it with an automated system, as such automated 
look-ups are against the Terms of Service for every single RIR out there.


Please play the bonus round:  try again.


Re: Abuse procedures... Reality Checks

2007-04-07 Thread Fergie


-- Stephen Satchell [EMAIL PROTECTED] wrote:

It's *very* hard to do it with an automated system, as such automated 
look-ups are against the Terms of Service for every single RIR out there.



Exactly why is this hard to do?

I would think that it's actually very easy to do when
sub-allocations are SWIP'ed.

- ferg





--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: Abuse procedures... Reality Checks

2007-04-07 Thread Chris Owen



On Apr 7, 2007, at 11:00 PM, Fergie wrote:


I would think that it's actually very easy to do when
sub-allocations are SWIP'ed.


Not that I'm really defending this policy, but sub-allocations are
very often not SWIPed.  I'd say 75% or more of the time I'm looking at a
problem IP address it is part of a /19 or larger block with no sub-
allocation.


For example, I know for a fact that 70.167.38.132 is part of a
netblock assigned to a business (I believe it is a /28 or /27).  It
is routed to them over a DS1 or similar cable equivalent.  They run a
handful of servers behind it, including publicly hosting a half dozen
corporate web sites and a mail server.  Clearly these addresses have
been assigned to this business.


Yet:

[EMAIL PROTECTED]:~$ whois 70.167.38.132
Cox Communications Inc. NETBLK-COX-ATLANTA-10 (NET-70-160-0-0-1)
  70.160.0.0 - 70.191.255.255
Cox Communications Inc. NETBLK-WI-OHFC-70-167-32-0 (NET-70-167-32-0-1)
  70.167.32.0 - 70.167.63.255

No rwhois server available.

And Cox is actually better than some.  That's only a /19.  I've seen
much larger blocks than this.  Somehow I doubt that if we pulled that with
our /20 we'd have a /19 now.


Chris



Chris Owen ~ Garden City (620) 275-1900 ~  Lottery (noun):
President  ~ Wichita (316) 858-3000 ~A stupidity tax
Hubris Communications Inc  www.hubris.net





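The whois output Chris quotes is enough to tell, mechanically, whether the most specific registered allocation is fine-grained enough to act on or whether you are looking at a /19 with invisible sub-delegation. The parser below is an added example, not Chris's tooling or anything ARIN provides; it assumes only the two-line summary format shown in the post (an organisation/handle line followed by a start - end range line, with "No rwhois server available." when no referral exists) and runs over a constructed copy of that output rather than querying a registry, so it does not run into the automated-lookup terms-of-service issue raised elsewhere in this thread.

```python
import ipaddress
import re

# Constructed sample in the summary format quoted in the post above.
WHOIS_SAMPLE = """\
Cox Communications Inc. NETBLK-COX-ATLANTA-10 (NET-70-160-0-0-1)
  70.160.0.0 - 70.191.255.255
Cox Communications Inc. NETBLK-WI-OHFC-70-167-32-0 (NET-70-167-32-0-1)
  70.167.32.0 - 70.167.63.255

No rwhois server available.
"""

# "<org> <handle> (<NET-handle>)" followed by "<start> - <end>" on the next line.
_HEADER = re.compile(r"^(?P<org>.+?)\s+(?P<handle>\S+)\s+\((?P<net>NET-[\w-]+)\)\s*$")
_RANGE = re.compile(r"^\s*(?P<start>\d+\.\d+\.\d+\.\d+)\s*-\s*(?P<end>\d+\.\d+\.\d+\.\d+)\s*$")


def parse_whois_summary(text):
    """Return one record per allocation: org, handle, NET handle, start/end
    addresses and the CIDR prefixes that exactly cover the range."""
    records, pending = [], None
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = _RANGE.match(line)
        if m and pending is not None:
            start = ipaddress.ip_address(m["start"])
            end = ipaddress.ip_address(m["end"])
            records.append({
                **pending,
                "start": start,
                "end": end,
                "networks": list(ipaddress.summarize_address_range(start, end)),
            })
            pending = None
    return records


def most_specific(records, ip):
    """Smallest allocation containing `ip`, or None."""
    ip = ipaddress.ip_address(ip)
    hits = [r for r in records if r["start"] <= ip <= r["end"]]
    if not hits:
        return None
    return min(hits, key=lambda r: int(r["end"]) - int(r["start"]))


def delegation_report(text, ip, coarse_prefix=24):
    """Summarise what the whois text tells you about `ip`: the most specific
    allocation, whether it is coarser than `coarse_prefix` (so any real
    sub-delegation is invisible), and whether an rwhois referral was offered."""
    records = parse_whois_summary(text)
    rec = most_specific(records, ip)
    rwhois = "No rwhois server available." not in text
    if rec is None:
        return {"found": False, "rwhois": rwhois}
    nets = rec["networks"]
    single = len(nets) == 1            # range is exactly one CIDR block
    return {
        "found": True,
        "org": rec["org"],
        "net": rec["net"],
        "cidr": str(nets[0]) if single else None,
        "addresses": int(rec["end"]) - int(rec["start"]) + 1,
        "coarse": (not single) or nets[0].prefixlen < coarse_prefix,
        "rwhois": rwhois,
    }


if __name__ == "__main__":
    print(delegation_report(WHOIS_SAMPLE, "70.167.38.132"))
```

For 70.167.38.132 the report picks NET-70-167-32-0-1, a /19 with 8192 addresses, marks it coarse and notes that no rwhois referral exists; that combination is the case Chris describes, where the registry data gives you nothing finer than the provider's block to act on.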


Re: Abuse procedures... Reality Checks

2007-04-07 Thread Fergie


-- Chris Owen [EMAIL PROTECTED] wrote:

On Apr 7, 2007, at 11:00 PM, Fergie wrote:

 I would think that it's actually very easy to do when
 sub-allocations are SWIP'ed.

Not that I'm really defending this policy, but sub-allocations are
very often not SWIPed.  I'd say 75% or more of the time I'm looking at a
problem IP address it is part of a /19 or larger block with no sub-
allocation.


Please read what I wrote:

I would think that it's actually very easy to do when
sub-allocations are SWIP'ed.

I cannot, and will not, presuppose that in cases when they are
not SWIP'ed that some kind of magic happens. :-)

- ferg



--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: Abuse procedures... Reality Checks

2007-04-07 Thread Chris Owen



On Apr 7, 2007, at 11:41 PM, Fergie wrote:


Please read what I wrote:

I would think that it's actually very easy to do when
sub-allocations are SWIP'ed.

I cannot, and will not, presuppose that in cases when they are
not SWIP'ed that some kind of magic happens. :-)


And how do you know the difference?  The Cox IP address is SWIPed.
It's even sub-allocated.  The allocation is just a /19.


Chris


Chris Owen ~ Garden City (620) 275-1900 ~  Lottery (noun):
President  ~ Wichita (316) 858-3000 ~A stupidity tax
Hubris Communications Inc  www.hubris.net







RE: Abuse procedures... Reality Checks

2007-04-07 Thread Frank Bulk

Stephen:

Are you saying that if there's a nefarious IP out there let's automatically
blacklist the /24 of that IP?  J. Oquendo was describing his own methods and
they sounded quite manual, manual enough that he's getting down to a /8 as
necessary to blacklist a non-responsive operator.  My point is that if
you're going to block something, either block the /32 or do the research to
justify blocking a larger group.

And despite ToS, I think many operators are running automated lookups, and
there are lots of examples out there for ARIN.

Frank

-Original Message-
From: Stephen Satchell [mailto:[EMAIL PROTECTED] 
Sent: Saturday, April 07, 2007 5:44 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Abuse procedures... Reality Checks

Frank Bulk wrote:
  [[Attribution deleted by Frank Bulk]]
 Neither I nor J. Oquendo nor anyone else are required to 
 spend our time, our money, and our resources figuring out which 
 parts of X's network can be trusted and which can't.  
 
 It's not that hard, the ARIN records are easy to look up.  Figuring out that
 network operator has a /8 that you want to block based on 3 or 4 IPs in
 their range requires just as much work.

It's *very* hard to do it with an automated system, as such automated 
look-ups are against the Terms of Service for every single RIR out there.

Please play the bonus round:  try again.



RE: Abuse procedures... Reality Checks

2007-04-07 Thread Frank Bulk

That sounds like a very reasonable perspective and generally the route I
follow both as an operator and as someone who works with others.

Frank 

-Original Message-
From: william(at)elan.net [mailto:[EMAIL PROTECTED] 
Sent: Saturday, April 07, 2007 6:23 PM
To: Frank Bulk
Cc: nanog@merit.edu
Subject: RE: Abuse procedures... Reality Checks


On Sat, 7 Apr 2007, Frank Bulk wrote:

 If they're properly SWIPed why punish the ISP for networks they don't even
 operate, that obviously belong to their business customers?

All ISPs have AUPs that prohibit spam (or at least I hope all of you do),
though they are enforced at some places better than at others... But the point
is that each and every customer ISP is responsible for following that
AUP and is responsible for making sure their customers follow it as well.
So to answer you, the view is that even if the ISP does not operate the network,
by providing services and IP addresses they in fact basically do operate
it on a higher level and are partially directly responsible for what happens
there, including enforcing its AUP on its sub-ISP or business customer
(and making sure they enforce the same AUP provisions on their customers).
Chain of responsibility, if you like to think of it that way...

 And if the granular blocking is effectively shutting down the abuse from
 that sub-allocated block, didn't the network operator succeed in protecting
 themselves?  Or is the netop looking to the ISP to push back on their
 customers to clean up their act?  Or is the netop trying to teach the ISP a
 lesson?

 Of course, it doesn't hurt to copy the ISP or AS owner for abuse issues from
 a sub-allocated block -- you would hope that ISPs and AS owners would want
 to have clean customers.

Yes, of course blocking of a larger ISP block would happen only after trying
to notify the ISP of the problem for each and every one of those subblocks did
not lead to any results.

 Frank

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
 william(at)elan.net
 Sent: Saturday, April 07, 2007 5:58 PM
 To: Fergie
 Cc: [EMAIL PROTECTED]; nanog@merit.edu
 Subject: Re: Abuse procedures... Reality Checks

 On Sat, 7 Apr 2007, Fergie wrote:

 -- Rich Kulawiec [EMAIL PROTECTED] wrote:

 1. There's nothing indiscriminate about it.

 I often block /24's and larger because I'm holding the *network* operators
 responsible for what comes out of their operation.  If they can't hold
 the outbound abuse down to a minimum, then I guess I'll have to make
 up for their negligence on my end.  I don't care why it happens -- they
 should have thought through all this BEFORE plugging themselves in
 and planned accordingly.  (Never build something you can't control.)

 I would have to respectfully disagree with you. When network
 operators do due diligence and SWIP their sub-allocations, they
 (the sub-allocations) should be authoritative in regards to things
 like RBLs.

 $.02,

 Yes. But the answer is that it also depends how many other cases like
 this exist from the same operator. If they have 16 suballocations in a /24
 but say 5 of them are spewing, I'd block the /24 (or larger) ISP block.
 The exact % of bad blocks (i.e. when to start blocking the ISP) depends
 on your point of view and history with that ISP, but most in fact do
 hold ISPs partially responsible.

-- 
William Leibzon
Elan Networks
[EMAIL PROTECTED]



RE: Abuse procedures... Reality Checks

2007-04-07 Thread Robert Bonomi


 From: Frank Bulk [EMAIL PROTECTED]
 Subject: RE: Abuse procedures... Reality Checks
 Date: Sat, 7 Apr 2007 16:20:59 -0500

  If they can't hold the outbound abuse down to a minimum, then 
  I guess I'll have to make up for their negligence on my end.  

 Sure, block that /29, but why block the /24, /20, or even /8?  Perhaps your
 (understandable) frustration is preventing you from agreeing with me on this
 specific case.  Because what you usually see is an IP from a /20 or larger
 and the network operators aren't dealing with it.  In the example I gave
 it's really the smaller /29 that's the culprit, it sounds like you want to
 punish a larger group, perhaps as large as an AS, for the fault of a smaller
 network.

BLUNT QUESTIONS:  *WHO*  pays me to figure out 'which parts' of a provider's
network are riddled with problems and 'which parts' are _not_?  *WHO* pays
me to do the research to find out where the end-user boundaries are? *WHY*
should _I_ have to do that work -- If the 'upstream provider' is incapable of
keeping _their_own_house_ clean, why should I spend the time trying to figure
out which of their customers are 'bad guys' and which are not?

A provider *IS* responsible for the 'customers it _keeps_'.

And, unfortunately, a customer is 'tarred by the brush' of the reputation
of its provider.

 Smaller operators, like those that require just a /29, often don't have that
 infrastructure.  Those costs, as I'm sure you're aware, are passed on to
 companies like yourself that have to maintain their own network's security.
 Again, block them, I say, just don't swallow others up in the process.

If the _UPSTREAM_ of that 'small operator' cannot 'police' its own customers,
Why should _I_ absorb the costs that _they_ are unwilling to internalize?

If they want to sell 'cheap' service, but not 'doing what is necessary', I
see no reason to 'facilitate' their cut-rate operations.

Those who buy service from such a provider, 'based on cost',  *deserve* what
they get, when their service doesn't work as well as that provided by the
full-price competition.

_YOUR_ connectivity is only as good as the 'reputation' of whomever it is 
that you buy connectivity from.

You might want to consider _why_ the provider *keeps* that 'offensive' 
customer.  There would seem to be only a few possible explanations:  (1) they
are 'asleep at the switch', (2) that customer pays enough that they can
'afford' to have multiple other customers who are 'dis-satisfied', or who
may even leave that provider, (3) they aren't willing to 'spend the money'
to run a clean operation.  (_None_ of those seems like a good reason for _me_
to spend extra money 'on behalf of' _their_ clients.)



Re: Abuse procedures... Reality Checks

2007-04-07 Thread Dave Pooser

 BLUNT QUESTIONS:  *WHO*  pays me to figure out 'which parts' of a provider's
 network are riddled with problems and 'which parts' are _not_?

I don't know the answer in your case, but in my case the answer is my
employer. More specifically, my employer pays me to block junk and let good
traffic* through; that mandate does not include blocking networks that we have
no reason to believe are junk in hopes of inflicting enough collateral
damage to force the spammers' upstream to clean up its act.

If your customers/employer/whomever understand they may miss data they
wanted to receive in order to help you put pressure on
lazy/abusive/incompetent ISPs, and they're okay with that, more power to
'em. I think probably more people are in my boat-- I can't afford to launch
a crusade, I just have to keep the bits flowing.

*On the other hand, in a corporate network good traffic can be more
strictly defined; for example I block most of APNIC, half of RIPE, most of
LACNIC and all of AFRINIC not because I think they're all spammy but because
we get no legitimate business traffic from those regions which makes their
signal-to-noise ratio effectively 0:infinite. So if you know a provider will
never** send you legit messages, go ahead and block. Otherwise,

**My sweeping xenoemailphobia has blocked 4 legit messages (3 of which were
personal non-work-related messages) in the past 6 years, and since my reject
message gives a workaround to reach me all 4 reached their intended
recipient. Compared to the 5-15k messages blocked per day over that span,
close enough to never for me-- and more importantly, for my boss.
-- 
Dave Pooser, ACSA
Manager of Information Services
Alford Media http://www.alfordmedia.com





RE: Abuse procedures... Reality Checks

2007-04-07 Thread Frank Bulk

Robert:

You still haven't answered the question: how wide do you block?  You got an
IP address that you know is offensive.  Is your default policy to blacklist
just that one, do the /24, go to ARIN and find out the size of that block
and do the whole thing, or identify the AS and block traffic from the dozen
if not hundreds of allocations they have?  In only the first two cases is no
research required, but I would hope that the network who wants to blacklist
(i.e. GoDaddy) would do a little bit of (automated) legwork to focus their
abuse control.

You also have too dim and narrow a view of customer relationships.  In my
case the upstream ISP is a member-owned cooperative of which the
sub-allocated space is either a member or a customer of a member.  1, 2, and
3 don't apply, rather, the coop works with their members to identify the
source of the abuse and shut it down.  It's not adversarial as you paint it
to be.  BTW, do you think the member-owned coop should be monitoring the
outflow of dozens of member companies and hundreds of sub-allocations they
have?

And it's not *riddled* with abuse, it's just one abuser, probably a dial-up
customer who is unwittingly infected, who while connected for an hour or two
sends out junk.  GoDaddy takes that and blacklists the whole /24, affecting
both large and small businesses alike who are in other sub-allocated blocks
in that /24.  Ideally, of course, each sub-allocated customer would have
their own /24 so that when abuse protection policies kick in and that
automatically blacks out a /24 only they are affected, but for address
conservation reasons that did not occur.  

Frank

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Robert Bonomi
Sent: Saturday, April 07, 2007 8:41 PM
To: nanog@merit.edu
Subject: RE: Abuse procedures... Reality Checks





Re: Abuse procedures... Reality Checks

2007-04-07 Thread Fergie

-- Chris Owen [EMAIL PROTECTED] wrote:

On Apr 7, 2007, at 11:41 PM, Fergie wrote:

 Please read what I wrote:

 I would think that it's actually very easy to do when
 sub-allocations are SWIP'ed.

 I cannot, and will not, presuppose that in cases when they are
 not SWIP'ed that some kind of magic happens. :-)

And how do you know the difference?  The Cox IP address is SWIPed.
It's even sub-allocated.  The allocation is just a /19.


Again, a simple recursive WHOIS will show you sub-allocations if they
are properly SWIP'ed.

Not a big deal, really.

- ferg





--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: Abuse procedures... Reality Checks

2007-04-07 Thread Chris Owen


On Apr 8, 2007, at 2:51 AM, Fergie wrote:


Again, a simple recursive WHOIS will show you sub-allocations if they
are properly SWIP'ed.


Define properly.  The Cox addresses in my example are SWIPed.  Are  
they properly SWIPed?  How could you tell from whois?


Chris


Chris Owen ~ Garden City (620) 275-1900 ~  Lottery (noun):
President  ~ Wichita (316) 858-3000 ~A stupidity tax
Hubris Communications Inc  www.hubris.net







Re: Abuse procedures... Reality Checks

2007-04-07 Thread John Levine

 Sure, block that /29, but why block the /24, /20, or even /8?

Since nobody will route less than a /24, you can be pretty sure that
regardless of the SWIPs, everyone in a /24 is served by the same ISP.

I run a tiny network with about 400 mail users, but even so, my
semiautomated systems are sending off complaints about a thousand
spams a day that land in traps and filters.  (That doesn't count about
50,000/day that come from blacklisted sources that I package up and
sell to people who use them to tune filters and look for phishes.)  I
log the sources; when a particular IP has more than 50 complaints in a
month I usually block it, and if I see a bunch of blocked IPs in a range
I usually block the /24.  Now and then I get complaints from users
about blocked mail, but it's invariably from an individual IP at an
ISP or hosting company that has both a legit correspondent and a
spam-spewing worm or PHP script.  It is quite rare for an expansion to
a /24 to block any real mail.

My goal is to keep the real users' mail flowing, to block as much spam
as cheaply as I can, and to get some sleep.  I can assure you from
experience that any sort of automated RIR WHOIS lookups will quickly
trip volume checks and get you blocked, so I do a certain number
manually, typically to figure out how likely there is to be someone
reading the spam reports.  But on today's Internet, if you want to get
your mail delivered, it would be a good idea not to live in a bad
neighborhood, and if your ISP puts you in one, you need a better ISP.
That's life.

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of The Internet for Dummies,
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
"More Wiener schnitzel, please," said Tom, revealingly.
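The escalation both William Leibzon and John Levine describe above (block the single host once its complaint count is high, then widen to the covering /24 once several hosts in that /24 are bad), written out as an added example; this is not any poster's code. The 30-day window, the per-/24 threshold of 3 bad hosts and the complaint log are constructed; only the "more than 50 complaints in a month" figure comes from the thread.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import ipaddress

PER_IP_THRESHOLD = 50        # "more than 50 complaints in a month" (from the thread)
PER_24_THRESHOLD = 3         # constructed: bad hosts in one /24 before widening
WINDOW = timedelta(days=30)  # constructed: one month trailing window
SAMPLE_NOW = datetime(2007, 4, 7, 12, 0)


def count_complaints(records, now):
    """Count complaints per source IP inside the trailing window.
    records: iterable of (timestamp, "a.b.c.d") tuples, one per complaint."""
    counts = Counter()
    for ts, ip in records:
        if now - WINDOW <= ts <= now:
            counts[ipaddress.ip_address(ip)] += 1
    return counts


def decide_blocks(records, now, per_ip=PER_IP_THRESHOLD, per_24=PER_24_THRESHOLD):
    """Return (hosts, nets): individually blocked IPs, and the /24s that
    absorbed at least `per_24` such IPs (those IPs move into the net entry)."""
    counts = count_complaints(records, now)
    bad = {ip for ip, n in counts.items() if n > per_ip}
    per_net = defaultdict(set)
    for ip in bad:
        per_net[ipaddress.ip_network((ip, 24), strict=False)].add(ip)
    nets = {net for net, members in per_net.items() if len(members) >= per_24}
    hosts = {ip for ip in bad if not any(ip in net for net in nets)}
    return sorted(hosts), sorted(nets)


def swept_up(records, now, nets, per_ip=PER_IP_THRESHOLD):
    """IPs seen in the log that never crossed the per-IP threshold but sit in a
    widened /24: the collateral the thread argues about."""
    counts = count_complaints(records, now)
    return sorted(ip for ip, n in counts.items()
                  if n <= per_ip and any(ip in net for net in nets))


def is_blocked(ip, hosts, nets):
    addr = ipaddress.ip_address(ip)
    return addr in hosts or any(addr in net for net in nets)


def build_sample_log(now=SAMPLE_NOW):
    """Constructed complaint log using documentation prefixes (RFC 5737)."""
    recs = []

    def add(ip, n, age_days=1):
        recs.extend((now - timedelta(days=age_days), ip) for _ in range(n))

    add("192.0.2.10", 60)                 # three heavy sources share one /24 ...
    add("192.0.2.11", 55)
    add("192.0.2.12", 70)
    add("192.0.2.13", 5)                  # ... and a quiet neighbour gets swept up
    add("198.51.100.7", 80)               # alone in its /24: stays a /32 block
    add("198.51.100.8", 60, age_days=40)  # outside the window: ignored
    add("203.0.113.5", 50)                # exactly 50: does not exceed the threshold
    return recs


def sample_decision(now=SAMPLE_NOW):
    log = build_sample_log(now)
    hosts, nets = decide_blocks(log, now)
    return hosts, nets, swept_up(log, now, nets)


if __name__ == "__main__":
    hosts, nets, collateral = sample_decision()
    print("block /32:", [str(h) for h in hosts])
    print("block /24:", [str(n) for n in nets])
    print("collateral:", [str(c) for c in collateral])
```

Raising PER_24_THRESHOLD above the number of bad hosts in 192.0.2.0/24 keeps the three /32 entries and empties the collateral list, which is the trade-off the thread is about.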



Re: Abuse procedures... Reality Checks

2007-04-07 Thread Fergie

-- Chris Owen [EMAIL PROTECTED] wrote:

On Apr 8, 2007, at 2:51 AM, Fergie wrote:

 Again, a simple recursive WHOIS will show you sub-allocations if they
 are properly SWIP'ed.

Define properly.  The Cox addresses in my example are SWIPed.  Are  
they properly SWIPed?  How could you tell from whois?


What is/are the exact prefix(es) in question?

- ferg




--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: Abuse procedures... Reality Checks

2007-04-07 Thread Matthew Black


On Sat, 7 Apr 2007 20:41:19 -0500 (CDT)
 Robert Bonomi [EMAIL PROTECTED] wrote:
BLUNT QUESTIONS:  *WHO*  pays me to figure out 'which parts' of a provider's
network are riddled with problems and 'which parts' are _not_?  *WHO* pays
me to do the research to find out where the end-user boundaries are? *WHY*
should _I_ have to do that work -- If the 'upstream provider' is incapable of
keeping _their_own_house_ clean, why should I spend the time trying to figure
out which of their customers are 'bad guys' and which are not?

A provider *IS* responsible for the 'customers it _keeps_'.

And, unfortunately, a customer is 'tarred by the brush' of the reputation
of its provider.



Um, with that reasoning, why not just block the whole /0 and
be done with it?

Seriously, I used to share your frustration and would block large
swaths of the Internet for rather minor offenses. I finally realized
this practice didn't help. Why not get yourself some sort of intrusion
detection/prevention system or fully firewall your hosts? If you have
a spam problem, get an e-mail security appliance which uses reputation
filtering to reject connections.

matthew black
california state university, long beach


RE: Abuse procedures... Reality Checks

2007-04-07 Thread Frank Bulk

I guess our upstream provider is a nobody because they have lots of small
sub-allocated blocks less than a /24 that they route to different member
ISPs. =)

What is the point of blocking a /24 on the basis of a /32 if the ISP manages
dozens of other /24 or larger blocks?  If you're going to do it, block *all*
the IPs associated to the 'bad' ISP.  Then at least you're consistent,
otherwise expanding to a /24 is just a half (or 1%) job or laziness.

Frank

-Original Message-
From: Frank Bulk 
Sent: Saturday, April 07, 2007 10:45 PM
To: [EMAIL PROTECTED]
Subject: Re: Abuse procedures... Reality Checks







Re: Abuse procedures... Reality Checks

2007-04-07 Thread Mikael Abrahamsson


On Sat, 7 Apr 2007, Chris Owen wrote:

And how do you know the difference?  The Cox IP address is SWIPed.  It's
even sub-allocated.  The allocation is just a /19.


Exactly, so why not just block whatever the suballocation is? That would mean
that companies that properly SWIP their IP-blocks and put in the effort to
maintain them are given an advantage over companies that do not.


--
Mikael Abrahamsson    email: [EMAIL PROTECTED]