frnkblk at iname
Apr 7, 2007, 2:20 PM
Post #6 of 83
(5904 views)
Permalink
|
> On Sat, Apr 07, 2007 at 02:31:25PM -0500, Frank Bulk wrote:
> > I understand your frustration and appreciate your efforts to contact the
> > sources of abuse, but why indiscriminately block a larger range of IPs
than
> > what is necessary?
>
> 1. There's nothing "indiscriminate" about it.
>
> I often block /24's and larger because I'm holding the
> *network* operators responsible for what comes out of
> their operation.
Define network operator: the AS holder for that space or the operator of
that smaller-than-slash-24 sub-block? If the problem consistently comes
from /29 why not just leave the block in and be done with it?
I guess this begs the question: Is it best to block with a /32, /24, or some
other range? Sounds a lot like throwing something against the wall and
seeing what sticks. Or vigilantism.
> If they can't hold the outbound abuse down to a minimum, then
> I guess I'll have to make up for their negligence on my end.
Sure, block that /29, but why block the /24, /20, or even /8? Perhaps your
(understandable) frustration is preventing you from agreeing with me on this
specific case. Because what you usually see is an IP from a /20 or larger
and the network operators aren't dealing with it. In the example I gave
it's really the smaller /29 that's the culprit, it sounds like you want to
punish a larger group, perhaps as large as an AS, for the fault of smaller
network.
> I don't care why it happens -- they should have thought through
> all this BEFORE plugging themselves in and planned accordingly.
> ("Never build something you can't control.")
Agreed.
>
> Neither I nor J. Oquendo nor anyone else are required to
> spend our time, our money, and our resources figuring out which
> parts of X's network can be trusted and which can't.
It's not that hard, the ARIN records are easy to look up. Figuring out that
network operator has a /8 that you want to block based on 3 or 4 IPs in
their range requires just as much work.
> It is entirely X's responsibility to make sure that its _entire_
> network can be permitted the privilege of access to ours.
> And (while I don't wish to speak for anyone else),
> I think we're prepared to live with a certain amount of low-level,
> transient, isolated noise.
Noise like that is inevitable part of the job.
> We are not prepared to live with persistent, systemic attacks
> that are not dealt with even *after* complaints are
> filed. (Which shouldn't be necessary anyway: if we can see inbound
> hostile traffic to our networks, surely X can see it outbound from
> theirs. Unless X is too stupid, cheap or lazy to look. Packets do
> not just fall out of the sky, y'know?)
Smaller operators, like those that require just a /29, often don't have that
infrastructure. Those costs, as I'm sure you aware, are passed on to
companies like yourself that have to maintain their own network's security.
Again, block them, I say, just don't swallow others up in the process.
> 2. "necessary" is a relative term.
>
> Example: I observed spam/spam attempts from 3,599 hosts on
> pldt's network during January alone. I've blocked
> everything they have, because I find it *necessary*
> to not wait for the other N hosts on their network
> to pull the same stunt. I've found it *necessary* to take
> many other similar measures as well because my time,
> money and resources are limited quantities, so I must
> expend them frugally while still protecting the operation
> from overtly hostile networks.
That's my point: you want to spend time dealing with the other 8 networks
because you blacked them, out, too?
> That requires pro-active measures and it requires ones
> that have been proven to be effective.
>
> If X, for some value of X, is unhappy about this, then X should have
> thought of that before permitting large amounts of abuse to escape
> its operation over an extended period of time. Had X done its job
> to a baseline level of professionalism, then this issue would not
> have arisen, and we'd all be better off for it.
Agreed, but economics usually dictate otherwise.
> So. If you (generic you) can't keep your network from being
> a persistent and systemic abuse source, then unplug it. Now.
They want to run a business, too. So when you blacklist they will end up
calling you asking for mercy, telling you that it's been cleaned up.
Inevitably something/someone gets infected, you black them out, rinse,
repeat.
> If on other hand, you decide to stick around anyway while letting the
> crap flow: no whining when other people find it necessary to
> take steps to defend themselves from your incompetence.
>
> ---Rsk
|
1
