Abuse procedures... Reality Checks


1. There's nothing "indiscriminate" about it.

I often block /24's and larger because I'm holding the *network* operators
responsible for what comes out of their operation. If they can't hold
the outbound abuse down to a minimum, then I guess I'll have to make
up for their negligence on my end. I don't care why it happens -- they
should have thought through all this BEFORE plugging themselves in
and planned accordingly. ("Never build something you can't control.")

I would have to respectfully disagree with you. When network
operators do due diligence and SWIP their sub-allocations, they
(the sub-allocations) should be authoritative in regards to things
like RBLs.

$.02,

- ferg

Yes. But the answer is that it also depends how many other cases like
this exist from the same operator. If they have 16 suballocations in a /24
but say 5 of them are spewing, I'd block the /24 (or larger) ISP block.
The exact % of bad blocks (i.e. when to start blocking the ISP) depends
on your point of view and history with that ISP, but most in fact do
hold ISPs partially responsible.
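As an added example (not code from the thread), the "5 of 16 sub-allocations" escalation rule above applied to constructed failed-login log lines: the SWIP map, the RFC 5737 documentation addresses and the thresholds are all assumptions.

```python
"""Escalate from SWIPed sub-allocations to the parent ISP block using the rule
in the post above (several abusive sub-allocations in one /24 lists the /24).
Added example: addresses, log lines and thresholds are constructed."""
import ipaddress
import re
from collections import defaultdict
# Constructed SWIP map: one parent ISP /24 split into sixteen /28 sub-allocations
SWIP = {"198.51.100.0/24": [f"198.51.100.{i * 16}/28" for i in range(16)]}

# Constructed syslog lines in the style of a VoIP server logging failed logins
LOG = """\
Apr 10 03:11:02 sip sipd[412]: REGISTER auth failed for 198.51.100.5
Apr 10 03:11:04 sip sipd[412]: REGISTER auth failed for 198.51.100.5
Apr 10 03:11:09 sip sipd[412]: REGISTER auth failed for 198.51.100.17
Apr 10 03:11:10 sip sipd[412]: REGISTER auth failed for 198.51.100.17
Apr 10 03:12:31 sip sipd[412]: REGISTER auth failed for 198.51.100.33
Apr 10 03:12:33 sip sipd[412]: REGISTER auth failed for 198.51.100.33
Apr 10 03:13:00 sip sipd[412]: REGISTER auth failed for 198.51.100.49
Apr 10 03:13:02 sip sipd[412]: REGISTER auth failed for 198.51.100.49
Apr 10 03:14:45 sip sipd[412]: REGISTER auth failed for 198.51.100.66
Apr 10 03:14:46 sip sipd[412]: REGISTER auth failed for 198.51.100.66
Apr 10 03:15:12 sip sipd[412]: REGISTER auth failed for 198.51.100.200
"""
ADDR_RE = re.compile(r"auth failed for (\d+\.\d+\.\d+\.\d+)$")

def abusive_sources(log, min_attempts=2):
    """Count failed logins per source address and keep only sources at or
    above min_attempts, so a single stray attempt does not get anyone listed."""
    counts = defaultdict(int)
    for line in log.splitlines():
        m = ADDR_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= min_attempts}

def block_decision(sources, swip, escalate_fraction=0.25):
    """Map abusive IPs to their SWIPed sub-allocation.  If the abusive share
    of a parent's sub-allocations reaches escalate_fraction, list the parent
    block instead (the '5 of 16' rule); otherwise list only the bad subs."""
    addrs = [ipaddress.ip_address(ip) for ip in sources]
    decision = []
    for parent, subs in swip.items():
        sub_nets = [ipaddress.ip_network(s) for s in subs]
        bad = [sn for sn in sub_nets if any(a in sn for a in addrs)]
        if bad and len(bad) / len(sub_nets) >= escalate_fraction:
            decision.append(parent)
        else:
            decision.extend(sorted(str(sn) for sn in bad))
    return decision
```

With the constructed log, five of the sixteen /28s are abusive, so the default threshold lists the whole /24; raising the threshold lists only the five sub-allocations.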

If they're properly SWIPed why punish the ISP for networks they don't even
operate, that obviously belong to their business customers? And if the
granular blocking is effectively shutting down the abuse from that
sub-allocated block, didn't the network operator succeed in protecting
themselves? Or is the netop looking to the ISP to push back on their
customers to clean up their act? Or is the netop trying to teach the ISP a
lesson?

Of course, it doesn't hurt to copy the ISP or AS owner for abuse issues from
a sub-allocated block -- you would hope that ISPs and AS owners would want
to have clean customers.

Frank

If they're properly SWIPed why punish the ISP for networks they don't even
operate, that obviously belong to their business customers?

All ISPs have AUPs that prohibit spam (or at least I hope all of you do),
though they are enforced at some places better than at others... But the point
is that each and every customer ISP is responsible for following that
AUP and is responsible for making sure their customers follow it as well.
So to answer you, the view is that even if the ISP does not operate the network,
by providing services and IP addresses they in fact basically do operate
it on a higher level and are partially directly responsible for what happens
there, including enforcing its AUP on its sub-ISP or business customer
(and making sure they enforce the same AUP provisions on their customers).
Chain of responsibility, if you like to think of it that way...

And if the granular blocking is effectively shutting down the abuse from that
sub-allocated block, didn't the network operator succeed in protecting
themselves? Or is the netop looking to the ISP to push back on their
customers to clean up their act? Or is the netop trying to teach the ISP a
lesson?

Of course, it doesn't hurt to copy the ISP or AS owner for abuse issues from
a sub-allocated block -- you would hope that ISPs and AS owners would want
to have clean customers.

Yes, of course blocking of a larger ISP block would happen only after trying
to notify the ISP of the problem for each and every one of those subblocks
did not lead to any results.

That sounds like a very reasonable perspective and generally the route I
follow both as an operator and as someone who works with others.

Frank

I would have to respectfully disagree with you. When network
operators do due diligence and SWIP their sub-allocations, they
(the sub-allocations) should be authoritative in regards to things
like RBLs.

How do you tell when they have actually done "due diligence"?

Existence of a SWIP record is essentially meaningless in this day and
age. Many people do them automatically and there may well be nobody left
on staff who knows that this is happening or what it all means.

--Michael Dillon

If they're properly SWIPed why punish the ISP for networks they don't even
operate, that obviously belong to their business customers?

How can you tell that they don't operate a network from SWIP records?

Seems to me that lots of network operators sell "managed services" to
businesses which means that the network operator is the one operating
the business customers' networks.

Let's face it, the whole SWIP system and whois directory concept was
poorly implemented way back in the 1980s and it is completely inadequate
on an Internet that is thousands of times larger than it was when SWIP
and whois were first developed. How many of you were aware that whois
was originally intended to record all users of the ARPAnet from each
site so that networking departments could justify the funds they were
spending on high-speed 56k frame relay links?

--Michael Dillon

"OPERATING PARTS" of the business customers' networks ...

'managed services' means lots of things, anything from: "I'll manage your
firewall" to "I'll manage that CPE router" to "I'll have feet on the
street picking up crumbs in the hallways of your office buildings
24/7/365"...

Assuming ... welp, that's dangerous :)

So, what this is all getting back to (the whole 'abuse procedures' and
'dropping traffic because you dislike someone/some-ip/somecountry') is that
essentially each site has the twin responsibilities to:
1) clean up their part of the network
2) decide who they want to accept traffic from

The #1 above is only going to save you a minor amount of money (if any)
and is going to assure that in the longer term your traffic might have a
lower chance of being dropped by someone more draconian than you (say
PaulV for instance). The #2 above is purely your own decision process, it
may be driven by some business decisions/drivers (less money on email
servers, less money on links, less firewall costs, customers that really
do interact with <insert-bad-country-here>).

You have to, as a network operator, decide how you want to deal with all
of this. Taking any one person's opinion and using only that is surely
going to lead to some bad decisions for your network.

After thinking it over: I partly-to-mostly agree. In principle, yes.
In practice, however, [some] negligent network operators have built
such long and pervasive track records of large-scale abuse that their
allocations can be classified into two categories:

  1. Those that have emitted lots of abuse.
  2. Those that are going to emit lots of abuse.

In such cases, I'm not inclined to wait for (2) to become reality.

---Rsk

Comcast is known to emit lots of abuse -- are you blocking all their
networks today?

Frank

All? No. But I shouldn't find it necessary to block ANY, and wouldn't,
if Comcast wasn't so appallingly negligent.

( I'm blocking huge swaths of Comcast space from port 25. This shouldn't
really surprise anyone; Comcast runs what may well be the most prolific
spam-spewing network in the world. I saw attempts from 80,000+ distinct
IP addresses during January 2007 alone -- to a *test* mail server.
I should have seen zero. The mitigation techniques for making that
happen are well-known, have been well-known for years, and can be
implemented easily by any competent organization.)

This, by the way, should not be taken as indicative of either what
I've done in the past or may do in the future. Nor should it be
taken as indicative of what decisions I've made in re other networks.

---Rsk

It truly is a wonder that Comcast doesn't apply DOCSIS config file filters
on their consumer accounts, leaving just the IPs of their email servers
open. Yes, it would take an education campaign on their part for all the
consumers that do use alternate SMTP servers, but imagine how much work it
would save their abuse department in the long run.

Frank

There are several large ISPs (millions of subscribers) that have done away
with TCP/25 altogether. If you want to send email thru the ISP's own email
system you have to use TCP/587 (SMTP AUTH).

Yes, this takes commitment and resources, but it's been done successfully.

Mikael Abrahamsson wrote:

It truly is a wonder that Comcast doesn't apply DOCSIS config file filters
on their consumer accounts, leaving just the IPs of their email servers
open. Yes, it would take an education campaign on their part for all the
consumers that do use alternate SMTP servers, but imagine how much work it
would save their abuse department in the long run.

There are several large ISPs (millions of subscribers) that have done
away with TCP/25 altogether. If you want to send email thru the ISP's
own email system you have to use TCP/587 (SMTP AUTH).

Yes, this takes commitment and resources, but it's been done
successfully.

You don't even need to do that. We just filter TCP/25 outbound and force
people to use our mail servers that have sensible rate limiting etc.
People who use alternate SMTP servers can fill in a simple web form to
have them added to the exception list. We have about 50 on this list so far.

Quoting Frank Bulk <frnkblk@iname.com>:
"but imagine how much work it would save their abuse department in the long run"

I think that Comcast's trouble isn't as much as the companies affected. I keep
the idea that the best is to rate limit incoming connections and a lot of
filtering to prevent the spam flood and keep hardware costs low.

Placing the filtering on the user will make the user cry a lot against the ISP,
change ISP and keep the problem. They really don't care about their computer.

By using rate limits on incoming connections a lot of dynamic addresses are
blocked.

"Additionally, upper management gives or takes away manpower many times without
the understanding of what 'should' be done to be a good netizen and this
defines how much effort can be spent on fixing the problems. "

This is the biggest problem: "upper management" really doesn't care, and the time
to spend on these problems is not accounted for.

So controlling the number of messages that leave your SMTP server is a solution,
and the PBL from Spamhaus is a good thing! SPF is also good but will lead to
complaints (tough).

Blocking TCP destination port 25 to outside the network might work well on small
ISPs without a competing ISP; on big ones I doubt it.

Quoting Frank Bulk <frnkblk@iname.com>:
> "but imagine how much work it would save their abuse department in the long run"

I think that Comcast's trouble isn't as much as the companies affected. I
keep the idea that the best is to rate limit incoming connections and a lot
of filtering to prevent the spam flood and keep hardware costs low.

Placing the filtering on the user will make the user cry a lot against
the ISP, change ISP and keep the problem. They really don't care about their
computer.

Agreed - 90-98% of end users could care less about their computer security, no
matter who makes them look at the problem, they just "want to chat with aunt
{lilly|mary|other} in God knows where" or to "close that business deal in New
York". They don't want to bother with ports, IP, firewalls, etc, and I don't
think that will change easily.

And as said previously, the person will ignore their ISP and cancel and move
to another SP if the ISP hassles them with blocking their email, stopping
certain apps, etc.

This isn't only a spam problem. It's also a problem with personal machines
getting botnetted, virus'd, trojan'd over and over and over again.

Why? There's simply no end-user accountability.

By using rate limits on incoming connections a lot of dynamic addresses are
blocked.

"Additionally, upper management gives or takes away manpower many times
without the understanding of what 'should' be done to be a good netizen
and this defines how much effort can be spent on fixing the problems. "

This is the biggest problem: "upper management" really doesn't care, and
the time to spend on these problems is not accounted for.

Agreed again - Upper management business-types that are not involved in the
actual operations of their businesses are most of the time not clueful enough
to realize the problems, no matter how many times people explain it to them,
they simply only see if it's making them money.

Leigh:

How many customers do you serve that you have just 50 exceptions?

It's my understanding that the most efficient way to keep things clean for
cable modem subscribers is to educate subscribers to use port 587 with SMTP
AUTH for both the ISP's own servers and their customers' external mail
server, and then block destination port 25 on the cable modem. For
alternative access technologies, block destination port 25 on the access
gear or core routers/firewalls.

Regards,

Frank

Last post for me on this thread... Dirty Networking 101

So the other morning I found a contact for a company who'll for
now remain unnamed; this contact is on this group... Sent them
yet another message (3 this week):

<new message>
To whom it may concern,

One of my servers has been heavily under attack for the past 24
hours from your IP space. There were 10726 attempts to log into
my VoIP server within the last 24 hours. Please sanitize this
machine from your network. Attached is the logfile.
</new message>

10726 attacks in a variety of forms. Why should I NOT ban this
network and its clients from reaching my networks? Can someone
please help me understand the logic of being called something
akin to a crybaby, spoiled sport, unfair admin since I am now
going to block their /17?

On to semi-relevant news...

For those who care: Support Intelligence analyzed 22,000 ASNs
for every kind of eCrime including DDoS, Scanning, hosting
Malware, sending Spam, hosting a phish, or transmitting viruses
... 17 of the 100 networks listed are from ARIN. Six of the
seventeen are from Time Warner. 5 are from Comcast, 2 are from
Charter.

http://blog.support-intelligence.com/2007/04/doa-week-14-2007.html

That's their record. I now have 52 hosts dumping out syslog
records and can name about 30+ networks of which some of
the engineers from them are on this list. So what is there
left to do when points of contact fail miserably?

Maybe I will take a crack at writing a document based on the
amount of waste, whether it's bandwidth, time or money, in blocking
venomous hosts from my subnets. Costs, benefits, experience,
pros, cons.

If they're properly SWIPed why punish the ISP for networks they don't even

"punish"?

Since when is it "punishment" to refuse to extend a privilege that's been
repeatedly and systematically abused? (You have of course, absolutely
no right whatsoever to expect any services of any kind from anyone other
than those you've contracted for. Everything beyond that is a privilege,
generously furnished to you at the whim of those operating the service.
It may be restricted or withdrawn at any time, for any reason, with or
without notice to you. Now as a general rule, we all have chosen to
furnish those services -- by default and without limitation. But that
doesn't turn them into entitlements.)

The word "punish" is completely inapplicable in this context.

operate, that obviously belong to their business customers?

Questions:

  1. Is your name on it in any way, shape or form?
     (This includes allocations.)
  2. Is it emitting abuse?

If the answers are "yes", then it's YOUR abuse. Trying to evade
responsibility by claiming that "it's one of our customers" is
just another pathetic excuse for incompetence.

Of course, it doesn't hurt to copy the ISP or AS owner for abuse issues from
a sub-allocated block -- you would hope that ISPs and AS owners would want
to have clean customers.

Unless of course the ISP or AS owner *are* the abuser under another
name, or unless they're actively complicit. Both are quite common.

Beyond that: any *competent* ISP or AS owner will already know about
the abuse. They will have deployed measures designed to detect said
abuse well before anyone else out there reports it to them. (Example:
setting up their own spamtraps explicitly designed to catch their own
customers.) By the time an external observer reports a problem to them, it
should already be old news and already be well on its way to remediation.

---Rsk

Anybody from AOL on this list? Could you please send me an email
offlist? I need some help.

Thanks.

Vish