Mailing List Archive: NANOG: users

Abuse procedures... Reality Checks

 

 



fergdawg at netzero

Apr 7, 2007, 8:33 PM

Post #26 of 83 (4259 views)
Re: Abuse procedures... Reality Checks

-- Chris Owen <owenc [at] hubris> wrote:

>On Apr 8, 2007, at 2:51 AM, Fergie wrote:
>
>> Again, a simple recursive WHOIS will show you sub-allocations if they
>> are properly SWIP'ed.
>
>Define "properly". The Cox addresses in my example are SWIPed. Are
>they "properly" SWIPed? How could you tell from whois?
>

What is/are the exact prefix(es) in question?

- ferg




--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/


black at csulb

Apr 7, 2007, 8:55 PM

Post #27 of 83 (4265 views)
Re: Abuse procedures... Reality Checks

On Sat, 7 Apr 2007 20:41:19 -0500 (CDT)
Robert Bonomi <bonomi [at] mail> wrote:
> BLUNT QUESTIONS: *WHO* pays me to figure out 'which parts' of a provider's
> network are riddled with problems and 'which parts' are _not_? *WHO* pays
> me to do the research to find out where the end-user boundaries are? *WHY*
> should _I_ have to do that work -- If the 'upstream provider' is incapable of
> keeping _their_own_house_ clean, why should I spend the time trying to figure
> out which of their customers are 'bad guys' and which are not?
>
> A provider *IS* responsible for the 'customers it _keeps_'.
>
> And, unfortunately, a customer is 'tarred by the brush' of the reputation
> of its provider.


Um, with that reasoning, why not just block the whole /0 and
be done with it?

Seriously, I used to share your frustration and would block large
swaths of the Internet for rather minor offenses. I finally realized
this practice didn't help. Why not get yourself some sort of intrusion
detection/prevention system or fully firewall your hosts? If you have
a spam problem, get an e-mail security appliance which uses reputation
filtering to reject connections.

matthew black
california state university, long beach


frnkblk at iname

Apr 7, 2007, 8:56 PM

Post #28 of 83 (4255 views)
RE: Abuse procedures... Reality Checks

I guess our upstream provider is a nobody because they have lots of small
sub-allocated blocks less than a /24 that they route to different member
ISPs. =)

What is the point of blocking a /24 on the basis of a /32 if the ISP manages
dozens of other /24 or larger blocks? If you're going to do it, block *all*
the IPs associated to the 'bad' ISP. Then at least you're consistent,
otherwise expanding to a /24 is just a half (or 1%) job or laziness.

Frank

-----Original Message-----
From: Frank Bulk
Sent: Saturday, April 07, 2007 10:45 PM
To: nanog [at] nanog
Subject: Re: Abuse procedures... Reality Checks


>> Sure, block that /29, but why block the /24, /20, or even /8?

Since nobody will route less than a /24, you can be pretty sure that
regardless of the SWIPs, everyone in a /24 is served by the same ISP.

I run a tiny network with about 400 mail users, but even so, my
semiautomated systems are sending off complaints about a thousand
spams a day that land in traps and filters. (That doesn't count about
50,000/day that come from blacklisted sources that I package up and
sell to people who use them to tune filters and look for phishes.) I
log the sources, when a particular IP has more than 50 complaints in a
month I usually block it, if I see a bunch of blocked IP's in a range
I usually block the /24. Now and then I get complaints from users
about blocked mail, but it's invariably from an individual IP at an
ISP or hosting company that has both a legit correspondent and a
spam-spewing worm or PHP script. It is quite rare for an expansion to
a /24 to block any real mail.

My goal is to keep the real users' mail flowing, to block as much spam
as cheaply as I can, and to get some sleep. I can assure you from
experience that any sort of automated RIR WHOIS lookups will quickly
trip volume checks and get you blocked, so I do a certain number
manually, typically to figure out how likely there is to be someone
reading the spam reports. But on today's Internet, if you want to get
your mail delivered, it would be a good idea not to live in a bad
neighborhood, and if your ISP puts you in one, you need a better ISP.
That's life.

Regards,
John Levine, johnl [at] iecc, Primary Perpetrator of "The Internet for
Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
"More Wiener schnitzel, please", said Tom, revealingly.


swmike at swm

Apr 7, 2007, 10:44 PM

Post #29 of 83 (4255 views)
Re: Abuse procedures... Reality Checks

On Sat, 7 Apr 2007, Chris Owen wrote:

> And how do you know the difference? The Cox IP address is SWIPed. Its
> even sub-allocated. The allocation is just a /19.

Exactly, so why not just block whatever the suballocation is? That would mean
that companies that properly SWIP their IP-blocks and put in the effort to
maintain them are given an advantage over companies that do not.

--
Mikael Abrahamsson email: swmike [at] swm


vixie at vix

Apr 8, 2007, 8:22 AM

Post #30 of 83 (4255 views)
Re: Abuse procedures... Reality Checks

> >> Neither I nor J. Oquendo nor anyone else are required to spend our
> >> time, our money, and our resources figuring out which parts of X's
> >> network can be trusted and which can't.

you should only spend resources on activities which will benefit you, of
course. research into a /N to find out which /(M>N)'s are good and which
are evil can pay back in a lower false-positive rate, which will matter to
some blockers more than others.

> > It's not that hard, the ARIN records are easy to look up. Figuring out
> > that network operator has a /8 that you want to block based on 3 or 4
> > IPs in their range requires just as much work.

as several others have pointed out, detailed records are often unavailable
and are sometimes wrong. my theory is that folks don't want to put abuse
contact info into WHOIS that will just cause them to be reportbombed with
low quality automated trash having no particular format, lacking useful
detail, and often complaining to the wrong place. (for example, as one of
the WHOIS contacts for AS112, i am reportbombed frequently by folks whose
reportbot's best guess at who-spammed-them is an RFC 1918 address.)

> It's *very* hard to do it with an automated system, as such automated
> look-ups are against the Terms of Service for every single RIR out there.

perhaps apropos of this, http://www.arin.net/announcements/article_352.html
says that there's a movement afoot to remove one of the WHOIS query limits
at ARIN. if someone here thinks that a TOS change that permitted automated
lookups for the purpose of abuse reporting would be good, then in the ARIN
region, http://www.arin.net/policy/irpep.html says how you can suggest such.
--
Paul Vixie


leo.vegoda at icann

Apr 8, 2007, 12:48 PM

Post #31 of 83 (4262 views)
Re: Abuse procedures... Reality Checks

On Apr 7, 2007, at 11:27 PM, John Levine wrote:

[...]

> I can assure you from
> experience that any sort of automated RIR WHOIS lookups will quickly
> trip volume checks and get you blocked,

Does this happen when you only query for the network information and
not the full contact information?

Regards,

--
Leo Vegoda
IANA Numbers Liaison


bzs at world

Apr 8, 2007, 4:11 PM

Post #32 of 83 (4273 views)
RE: Abuse procedures... Reality Checks

Bingo. Read the note below again, it is the path to enlightenment,

Shein's law of resources:

Needs, no matter how dire or just, do not alone create the
resources necessary to fulfill.

On April 7, 2007 at 20:41 bonomi [at] mail (Robert Bonomi) wrote:
>
>
> > From: "Frank Bulk" <frnkblk [at] iname>
> > Subject: RE: Abuse procedures... Reality Checks
> > Date: Sat, 7 Apr 2007 16:20:59 -0500
> >
> > > If they can't hold the outbound abuse down to a minimum, then
> > > I guess I'll have to make up for their negligence on my end.
> >
> > Sure, block that /29, but why block the /24, /20, or even /8? Perhaps your
> > (understandable) frustration is preventing you from agreeing with me on this
> > specific case. Because what you usually see is an IP from a /20 or larger
> > and the network operators aren't dealing with it. In the example I gave
> > it's really the smaller /29 that's the culprit, it sounds like you want to
> > punish a larger group, perhaps as large as an AS, for the fault of smaller
> > network.
>
> BLUNT QUESTIONS: *WHO* pays me to figure out 'which parts' of a provider's
> network are riddled with problems and 'which parts' are _not_? *WHO* pays
> me to do the research to find out where the end-user boundaries are? *WHY*
> should _I_ have to do that work -- If the 'upstream provider' is incapable of
> keeping _their_own_house_ clean, why should I spend the time trying to figure
> out which of their customers are 'bad guys' and which are not?
>
> A provider *IS* responsible for the 'customers it _keeps_'.
>
> And, unfortunately, a customer is 'tarred by the brush' of the reputation
> of its provider.
>
> > Smaller operators, like those that require just a /29, often don't have that
> > infrastructure. Those costs, as I'm sure you are aware, are passed on to
> > companies like yourself that have to maintain their own network's security.
> > Again, block them, I say, just don't swallow others up in the process.
>
> If the _UPSTREAM_ of that 'small operator' cannot 'police' its own customers,
> Why should _I_ absorb the costs that _they_ are unwilling to internalize?
>
> If they want to sell 'cheap' service, but not 'doing what is necessary', I
> see no reason to 'facilitate' their cut-rate operations.
>
> Those who buy service from such a provider, 'based on cost', *deserve* what
> they get, when their service "doesn't work as well" as that provided by the
> full-price competition.
>
> _YOUR_ connectivity is only as good as the 'reputation' of whomever it is
> that you buy connectivity from.
>
> You might want to consider _why_ the provider *keeps* that 'offensive'
> customer. There would seem to be only a few possible explanations: (1) they
> are 'asleep at the switch', (2) that customer pays enough that they can
> 'afford' to have multiple other customers who are 'dis-satisfied', or who
> may even leave that provider, (3) they aren't willing to 'spend the money'
> to run a clean operation. (_None_ of those seems like a good reason for _me_
> to spend extra money 'on behalf of' _their_ clients.)


dotis at mail-abuse

Apr 8, 2007, 8:10 PM

Post #33 of 83 (4261 views)
Re: Abuse procedures... Reality Checks

On Sun, 2007-04-08 at 03:27 +0000, John Levine wrote:
>
> But on today's Internet, if you want to get your mail delivered, it
> would be a good idea not to live in a bad neighborhood, and if your
> ISP puts you in one, you need a better ISP.
> That's life.

Good advice. For various reasons, a majority of IP addresses within a
CIDR of any size being abusive is likely to cause the CIDR to be
blocked. While a majority could be considered as being half right, the
existence of the "bad neighborhood" demonstrates a lack of oversight for
the entire CIDR, which is also fairly predictive of future abuse.

-Doug


vixie at vix

Apr 8, 2007, 9:03 PM

Post #34 of 83 (4260 views)
Re: Abuse procedures... Reality Checks

dotis [at] mail-abuse (Douglas Otis) writes:

> Good advice. For various reasons, a majority of IP addresses within a
> CIDR of any size being abusive is likely to cause the CIDR to be blocked.
> While a majority could be considered as being half right, the existence
> of the "bad neighborhood" demonstrates a lack of oversight for the entire
> CIDR, which is also fairly predictive of future abuse.

that sounds like a continuum, but my experience requires more dimensions
than you're describing. for example, this weekend two /24's were hijacked
and used for spam spew. as my receivebot started blackholing /32's, the
sender started cycling to other addresses in the block. each address was
used continuously until it stopped working, then the next address came in.
while there were two /24's and two self-similar spam flows, there was not a
strict mapping of spam flow to packet flow -- both /24's emitted both kinds
of spam. "uniq -c" results are below. i've nominated both blocks to the
MAPS RBL, and i can't tell from whois whether it's worthwhile to complain
to the ISP's. would you say that i've learned anything of predictive value
concerning future spam from the containing /17 (CARI) or /15 (THEPLANET)?
or is this just another run of the mill BGP hijack due to some other ISP's
router having enable passwords still set to the factory default? (we all
owe randy bush a debt of gratitude for pushing on RPKI, by the way. anybody
can complain about the weather but very few people do something about it.)

--
Paul Vixie
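The blocking heuristics described in this part of the thread, as an added Python example that is not code from any of the posters: John Levine's per-IP complaint threshold with escalation to the /24 when several blocked hosts cluster, Vixie's receivebot blackholing /32s while the sender cycles through the block, and Mikael Abrahamsson's point that the SWIPed sub-allocation, not an arbitrary /24, is the right scope. The `uniq -c` sample, the SWIP records and the thresholds are all constructed; the escalation is scoped to the smallest documented sub-allocation and falls back to the covering /24 only when whois offers nothing smaller.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in the shape of `uniq -c` output over a log of spam-source
# addresses (count, address), using documentation ranges, not the thread's data.
UNIQ_C_SAMPLE = """\
     60 192.0.2.66
     52 192.0.2.70
     55 192.0.2.71
      3 192.0.2.88
     71 198.51.100.10
      2 198.51.100.11
     49 203.0.113.5
     not-a-count 203.0.113.6
"""

# Constructed stand-in for SWIP/rwhois sub-allocation records (prefix -> holder).
# The smallest documented allocation covering an address is the natural block
# boundary; an ISP that never SWIPs its customers has nothing smaller than its /24.
SWIP_RECORDS = {
    "192.0.2.64/27": "customer-a (sub-allocated from isp-x)",
    "192.0.2.0/24": "isp-x",
    "198.51.100.0/24": "isp-y",
}


def parse_uniq_c(text):
    """Turn 'count ip' lines into a Counter keyed by IPv4Address.
    Malformed lines are skipped so one bad log line cannot stop the run."""
    counts = Counter()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            n, ip = int(parts[0]), ip_address(parts[1])
        except ValueError:
            continue
        counts[ip] += n
    return counts


def host_blocks(counts, threshold=50):
    """Levine's first rule: a single address is blocked once it draws more
    than `threshold` complaints in the period the counts cover."""
    return {ip for ip, n in counts.items() if n > threshold}


def swip_scope(ip, records):
    """Smallest SWIPed allocation containing ip, or None when whois has nothing."""
    covering = [net for net in map(ip_network, records) if ip in net]
    return min(covering, key=lambda net: net.num_addresses) if covering else None


def escalate(blocked, records, min_hosts=3, fallback_prefix=24):
    """Levine's second rule ('a bunch of blocked IPs in a range -> block the
    /24'), scoped the way the SWIP advocates in the thread ask: blocked hosts
    are grouped by the smallest documented sub-allocation, and only where no
    record is smaller does the covering /fallback_prefix stand in for it. A
    group is escalated to a network-wide block once at least `min_hosts`
    distinct blocked hosts fall inside it, which is what Vixie's
    address-cycling sender looks like once the per-host blocks accumulate."""
    groups = {}
    for ip in blocked:
        scope = swip_scope(ip, records) or ip_network(
            f"{ip}/{fallback_prefix}", strict=False)
        groups.setdefault(scope, set()).add(ip)
    return {net: hosts for net, hosts in groups.items() if len(hosts) >= min_hosts}


def block_plan(uniq_text, records, threshold=50, min_hosts=3):
    """End to end: (networks to block, hosts still blocked individually),
    both as sorted strings so the plan is easy to diff against yesterday's."""
    blocked = host_blocks(parse_uniq_c(uniq_text), threshold)
    nets = escalate(blocked, records, min_hosts)
    covered = {ip for hosts in nets.values() for ip in hosts}
    return (sorted(str(net) for net in nets),
            sorted(str(ip) for ip in blocked - covered))


if __name__ == "__main__":
    for label, records in (("with SWIP records", SWIP_RECORDS), ("no records", {})):
        nets, hosts = block_plan(UNIQ_C_SAMPLE, records)
        print(f"{label}: block networks {nets}, hosts {hosts}")
```

With the records present the three clustered hosts escalate to the documented /27 and the rest of the /24 stays reachable; without them the same hosts take the whole /24 down, which is the collateral damage the thread is arguing about.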


fw at deneb

Apr 9, 2007, 7:34 AM

Post #35 of 83 (4266 views)
Re: Abuse procedures... Reality Checks

* Douglas Otis:

> On Sun, 2007-04-08 at 03:27 +0000, John Levine wrote:
>>
>> But on today's Internet, if you want to get your mail delivered, it
>> would be a good idea not to live in a bad neighborhood, and if your
>> ISP puts you in one, you need a better ISP.
>> That's life.
>
> Good advice.

Yeah, it's a damn good reason to get PI space. Unfortunately, that
isn't without cost for everyone else.


joelja at bogus

Apr 9, 2007, 8:30 AM

Post #36 of 83 (4254 views)
Re: Abuse procedures... Reality Checks

Florian Weimer wrote:
> * Douglas Otis:
>
>> On Sun, 2007-04-08 at 03:27 +0000, John Levine wrote:
>>> But on today's Internet, if you want to get your mail delivered, it
>>> would be a good idea not to live in a bad neighborhood, and if your
>>> ISP puts you in one, you need a better ISP.
>>> That's life.
>> Good advice.
>
> Yeah, it's a damn good reason to get PI space. Unfortunately, that
> isn't without cost for everyone else.

IF you have a business critical need for PI v4 space, now is probably a
better time to decide that than in 5 years.

It's better of course if you choose not to deaggregate to /24s.


johnl at iecc

Apr 9, 2007, 8:48 AM

Post #37 of 83 (4266 views)
Re: Abuse procedures... Reality Checks

> Yeah, it's a damn good reason to get PI space. Unfortunately, that
> isn't without cost for everyone else.

I don't have PI space, but I do have a competent ISP so I've never had any
mail problems due to adjacent addresses.

Regards,
John Levine, johnl [at] iecc, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
"A book is a sneeze." - E.B. White, on the writing of Charlotte's Web


petelists at templin

Apr 9, 2007, 9:46 AM

Post #38 of 83 (4244 views)
Re: Abuse procedures... Reality Checks

John R Levine wrote:

> I don't have PI space, but I do have a competent ISP so I've never had any
> mail problems due to adjacent addresses.

Having a competent ISP isn't a guarantee of exemption...only a
contributor. As evidenced by the discussion, some people choose the
scope of their wrath arbitrarily.

pt


sil at infiltrated

Apr 9, 2007, 11:26 AM

Post #39 of 83 (4251 views)
Re: Abuse procedures... Reality Checks

Pete Templin wrote:
>
> John R Levine wrote:
>
>> I don't have PI space, but I do have a competent ISP so I've never
>> had any
>> mail problems due to adjacent addresses.
>
> Having a competent ISP isn't a guarantee of exemption...only a
> contributor. As evidenced by the discussion, some people choose the
> scope of their wrath arbitrarily.
>
> pt
>

Frank Bulk wrote:

> Sounds a lot like throwing something against the wall and
> seeing what sticks. Or vigilantism.

Vigilantism would be me causing the offender's router to flap out of existence.


Matthew Black wrote:

> Um, with that reasoning, why not just block the whole /0 and
> be done with it?

Why should filtering on this level have to be done? Why not prevent one's
own users from sending out bad traffic? I can see why a large provider
would have an issue with this, but how about using IDS' on the way out
as well. This way not one machine on your network can harm another
machine on your own for starters, and someone else's. Sound too Zen?

> Why not get yourself some sort of IDS/IPS
> system or fully firewall your hosts.

What happens when this isn't an option? What do you do when managing
networks on budgets that didn't call for extra equipment? Should I let
a network of mine get compromised for the sake of not having enough in
the budget, or should I explain to the client after the compromise,
"well you really didn't give me enough money." That will sure teach
him a thing or two about technology they 1) don't care about 2) won't
understand no matter how much it's explained. Maybe I can repeat this
to myself while I file unemployment papers.

> If you have a spam problem, get an e-mail security
> appliance which uses reputation filtering to reject
> connections?

And for those clients whose budget constraints prevented this? Should
I a) allow them to receive thousands of Viagra messages b) allow their
logfiles to fill with thousands of entries and false positives on SSH
attacks c) allow viruses and worms to make my job more difficult?

I never stated my solution was a "best practice". I stated what I've
been doing and strangely it's been effective for me. Yes I do have to
answer to clients on why THEIR clients, friends, etc have their
providers blocked, and after it is explained to them along with
logfiles to support my blocks, my clients are right behind me in
blocking ranges. To me the automated blocking isn't that hard to do,
that's what shell scripting is for and I have no problems blocking
huge blocks (/8's) if need be.

As I stated, if I can take the time to make sure nothing malicious is
leaving my networks - which altogether is now comprised of about a /16
if I added all ranges up - then why can't some of these other networks
do the same. Especially the ones who can actually afford to go out and
drop a couple of thousand, even hundreds of thousands on so called
security products. If I can do it via ACL's, Linux boxes, syslog, etc.,
without incurring more costs to my clients, surely some of you bigger
cats can do the same. I look at it as bad policy, laziness, and lack of
a clue or two. And I sincerely mean this in the utmost non-disrespectful,
logical, call-it-how-I-see-it manner. No reason to have filth leaving
your network. If it does, it's because of bureaucratic BS (policies),
not knowing how to administrate a network correctly, or laziness.

Maybe my next step will be to post some of the emails from admins who
were contacted and responded with the same old "Oh our abuse desk is
right now it." Or some other generic crap, all the while my net is
getting hit up. Or to re-state the strangeness coming from a response
from a CISSP in NASA: "We were doing tests on our network which is
why your machine was getting bruteforced..." Oh really? On a side
note, kudos to those who do take the time to respond, and to those
who actually take a minute or two to digest it all in after I've
rambled on for too long...

Next thread anyone ;)


--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net

The happiness of society is the end of government.
John Adams



johnl at iecc

Apr 9, 2007, 11:49 AM

Post #40 of 83 (4254 views)
Re: Abuse procedures... Reality Checks

>> I don't have PI space, but I do have a competent ISP so I've never had any
>> mail problems due to adjacent addresses.
>
> Having a competent ISP isn't a guarantee of exemption...only a contributor.
> As evidenced by the discussion, some people choose the scope of their wrath
> arbitrarily.

Nothing is a guarantee of exemption from a sufficiently perverse or
hostile email administrator, but being in the middle of a well managed /20
works pretty well for me.

R's,
John


owenc at hubris

Apr 9, 2007, 12:08 PM

Post #41 of 83 (4260 views)
Re: Abuse procedures... Reality Checks


On Apr 9, 2007, at 1:49 PM, John L wrote:

>
>>> I don't have PI space, but I do have a competent ISP so I've
>>> never had any
>>> mail problems due to adjacent addresses.
>>
>> Having a competent ISP isn't a guarantee of exemption...only a
>> contributor. As evidenced by the discussion, some people choose
>> the scope of their wrath arbitrarily.
>
> Nothing is a guarantee of exemption from a sufficiently perverse or
> hostile email administrator, but being in the middle of a well
> managed /20 works pretty well for me.

Well, "well managed" to me would mean that allocations from that /20
were SWIPed or a rwhois server was running so that if any of those
4,000 IP addresses does something bad you don't get caught in the
middle.

Chris

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Chris Owen ~ Garden City (620) 275-1900 ~ Lottery (noun):
President ~ Wichita (316) 858-3000 ~ A stupidity tax
Hubris Communications Inc www.hubris.net
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~






michael.dillon at bt

Apr 9, 2007, 1:39 PM

Post #42 of 83 (4257 views)
RE: Abuse procedures... Reality Checks

> I would have to respectfully disagree with you. When network
> operators do due diligence and SWIP their sub-allocations, they
> (the sub-allocations) should be authoritative in regards to things
> like RBLs.

How do you tell when they have actually done "due diligence"?

Existence of a SWIP record is essentially meaningless in this day and
age. Many people do them automatically and there may well be nobody left
on staff who knows that this is happening or what it all means.

--Michael Dillon


michael.dillon at bt

Apr 9, 2007, 1:39 PM

Post #43 of 83 (4256 views)
RE: Abuse procedures... Reality Checks

> If they're properly SWIPed why punish the ISP for networks
> they don't even
> operate, that obviously belong to their business customers?

How can you tell that they don't operate a network from SWIP records?

Seems to me that lots of network operators sell "managed services" to
businesses which means that the network operator is the one operating
the business customers' networks.

Let's face it, the whole SWIP system and whois directory concept was
poorly implemented way back in the 1980s and it is completely inadequate
on an Internet that is thousands of times larger than it was when SWIP
and whois were first developed. How many of you were aware that whois
was originally intended to record all users of the ARPAnet from each
site so that networking departments could justify the funds they were
spending on high-speed 56k frame relay links?

--Michael Dillon


petelists at templin

Apr 9, 2007, 1:41 PM

Post #44 of 83 (4252 views)
Re: Abuse procedures... Reality Checks

Chris Owen wrote:
> Well, "well managed" to me would mean that allocations from that /20
> were SWIPed or a rwhois server was running so that if any of those 4,000
> IP addresses does something bad you don't get caught in the middle.

Due diligence with SWIP/rwhois only means that one customer is well
documented apart from another. As this thread has highlighted, some
people filter/block based on random variables: the covering /24, the
covering aggregate announcement, and/or arbitrary bit lengths. If a
particular server is within the scope of what someone decides to
filter/block, it gets filtered or blocked. Good SWIPs/rwhois entries
don't mean jack to those admins.

pt


frnkblk at iname

Apr 9, 2007, 1:55 PM

Post #45 of 83 (4251 views)
RE: Abuse procedures... Reality Checks

The managed services they currently offer don't include egress filtering (L3
to L7) on their business customers' networks.

From the discussion here it sounds like naked pipes, even if properly
SWIPed, ought not to be sold, but that all traffic should be checked on the
way out. It sounds like a good idea, but I'm guessing few network operators
do that for their customer networks, whether that's due to lack of
centralization or cost.

Frank

-----Original Message-----
From: Frank Bulk
Sent: Monday, April 09, 2007 3:49 PM
To: 'nanog [at] merit'
Subject: RE: Abuse procedures... Reality Checks


> If they're properly SWIPed why punish the ISP for networks
> they don't even
> operate, that obviously belong to their business customers?

How can you tell that they don't operate a network from SWIP records?

Seems to me that lots of network operators sell "managed services" to
businesses which means that the network operator is the one operating
the business customers' networks.

Let's face it, the whole SWIP system and whois directory concept was
poorly implemented way back in the 1980s and it is completely inadequate
on an Internet that is thousands of times larger than it was when SWIP
and whois were first developed. How many of you were aware that whois
was originally intended to record all users of the ARPAnet from each
site so that networking departments could justify the funds they were
spending on high-speed 56k frame relay links?

--Michael Dillon


christopher.morrow at verizonbusiness

Apr 9, 2007, 1:58 PM

Post #46 of 83 (4275 views)
RE: Abuse procedures... Reality Checks

On Mon, 9 Apr 2007 michael.dillon [at] bt wrote:

>
> > If they're properly SWIPed why punish the ISP for networks
> > they don't even
> > operate, that obviously belong to their business customers?
>
> How can you tell that they don't operate a network from SWIP records?
>
> Seems to me that lots of network operators sell "managed services" to
> businesses which means that the network operator is the one operating
> the business customers' networks.

"OPERATING PARTS" of the business customers' networks ...

'managed services' means lots of things, anything from: "I'll manage your
firewall" to "I'll manage that CPE router" to "I'll have feet on the
street picking up crumbs in the hallways of your office buildings
24/7/365"...

Assuming ... welp, that's dangerous :)

So, what this is all getting back to (the whole 'abuse procedures' and
'dropping traffic because you dislike someone/some-ip/somecountry') is that
essentially each site has the twin responsibilities to:
1) clean up their part of the network
2) decide who they want to accept traffic from

The #1 above is only going to save you a minor amount of money (if any)
and is going to assure that in the longer term your traffic might have a
lower chance of being dropped by someone more draconian than you (say
PaulV for instance). The #2 above is purely your own decision process, it
may be driven by some business decisions/drivers (less money on email
servers, less money on links, less firewall costs, customers that really
do interact with <insert-bad-country-here>).

You have to, as a network operator, decide how you want to deal with all
of this. Taking any one person's opinion and using only that is surely
going to lead to some bad decisions for your network.


frnkblk at iname

Apr 9, 2007, 2:01 PM

Post #47 of 83 (4270 views)
RE: Abuse procedures... Reality Checks

That's been my entire point. Network operators who properly SWIP don't get
credit for going through the legwork by other networks that apply
quasi-arbitrary bit masks to their blocks.

As I said before, if you're going to block a /24, why not do it right and
block *all* the IPs in their ASN? My DSL and cable modem subscribers are
spread across a dozen non-contiguous /24s. If the bothered network is upset
with one of my cable modem subs and blocks just one /24 they will open
themselves up when that CPE obtains a new IP in a different /24.

Frank

-----Original Message-----
From: owner-nanog [at] merit [mailto:owner-nanog [at] merit] On Behalf Of Pete
Templin
Sent: Monday, April 09, 2007 3:42 PM
To: Chris Owen
Cc: nanog [at] merit
Subject: Re: Abuse procedures... Reality Checks


Chris Owen wrote:
> Well, "well managed" to me would mean that allocations from that /20
> were SWIPed or a rwhois server was running so that if any of those 4,000
> IP addresses does something bad you don't get caught in the middle.

Due diligence with SWIP/rwhois only means that one customer is well
documented apart from another. As this thread has highlighted, some
people filter/block based on random variables: the covering /24, the
covering aggregate announcement, and/or arbitrary bit lengths. If a
particular server is within the scope of what someone decides to
filter/block, it gets filtered or blocked. Good SWIPs/rwhois entries
don't mean jack to those admins.

pt


marla.azinger at frontiercorp

Apr 9, 2007, 2:11 PM

Post #48 of 83 (4259 views)
RE: Abuse procedures... Reality Checks

I have to disagree. SWIP is not meaningless.

In my company some functions related to sending a SWIP are automated, but my company has people on staff who know that it is happening and what it means.

And I talk with plenty of other companies that fall into the same boat.

In short I find this one comment below to be argumentative and full of conjecture.

Regards
Marla Azinger
Frontier Communications

-----Original Message-----
From: owner-nanog [at] merit [mailto:owner-nanog [at] merit]On Behalf Of
michael.dillon [at] bt
Sent: Monday, April 09, 2007 1:39 PM
To: nanog [at] merit
Subject: RE: Abuse procedures... Reality Checks



> I would have to respectfully disagree with you. When network
> operators do due diligence and SWIP their sub-allocations, they
> (the sub-allocations) should be authoritative in regards to things
> like RBLs.

How do you tell when they have actually done "due diligence".

Existence of a SWIP record is essentially meaningless in this day and
age. Many people do them automatically and there may well be nobody left
on staff who knows that this is happening or what it all means.

--Michael Dillon


owenc at hubris

Apr 9, 2007, 2:37 PM

Post #49 of 83 (4258 views)
Re: Abuse procedures... Reality Checks


On Apr 9, 2007, at 3:41 PM, Pete Templin wrote:

> Chris Owen wrote:
>> Well, "well managed" to me would mean that allocations from that /20
>> were SWIPed or a rwhois server was running so that if any of those
>> 4,000 IP addresses does something bad you don't get caught in the
>> middle.
>
> Due diligence with SWIP/rwhois only means that one customer is well
> documented apart from another. As this thread has highlighted, some
> people filter/block based on random variables: the covering /24, the
> covering aggregate announcement, and/or arbitrary bit lengths. If a
> particular server is within the scope of what someone decides to
> filter/block, it gets filtered or blocked. Good SWIPs/rwhois entries
> don't mean jack to those admins.

Well it means something to me. I'm not one for widely cast
blacklists, but for something like a series of IP addresses all
spewing spam I will often put temporary /24 filters in place if
I'm unable to determine exactly where the actual block boundaries
are. If the addresses are SWIPed/rwhois then that is much easier and
there is no need for such a wide net.

Chris


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Chris Owen ~ Garden City (620) 275-1900 ~ Lottery (noun):
President ~ Wichita (316) 858-3000 ~ A stupidity tax
Hubris Communications Inc www.hubris.net
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~






Valdis.Kletnieks at vt

Apr 9, 2007, 2:39 PM

Post #50 of 83 (4278 views)
Re: Abuse procedures... Reality Checks

On Mon, 09 Apr 2007 17:11:28 EDT, "Azinger, Marla" said:
> In my company some functions related to sending a SWIP are automated,
> but my company has people on staff who know that it is happening and
> what it means.

Just because *your* site has enough clue to get it right doesn't mean that
the *average* site has enough clue to get it right.

In fact, I'll go out on a limb and posit that *in the cases I care about*,
it's even *less* likely that the SWIP is correct, because the same general
attitude of cluelessness that made them unable to police their users and
enforce their AUP (resulting in malicious packets arriving at my network)
will also tend to mean they didn't get the SWIP right.

So to sum up: The sites that *do* SWIP right are more likely to deal with
their user before I hear about it, causing me to *check* the whois. Meanwhile,
the sites that cluelessly allow malicious traffic also often don't SWIP right -
and that results in me contemplating the smallest range I *do* see in the
whois data. They didn't SWIP it so I could find the offending /26, that's
tough noogies for the rest of their /18.

Now where did I leave my Nomex jumpsuit? :)
