DNS Hijacking by Cox

Quoting Joe Greco <jgreco@ns.sol.net>:
>> > And, incidentally, I do consider this a false positive. If any average
>> > person might be tripped up by it, and we certainly have a lot of average
>> > users on IRC, then it's bad. So, the answer is, "at least one false
>> > positive."
>> The only way any human activity will NEVER have a single false positive,
>> i.e. mistake, is by never doing anything.
>> Do people really want ISPs not to do anything?
> I'd prefer that ISPs tend towards taking no action when taking action
> has a strong probability of backfiring.

> I'd have to say that at this point it is VERY obvious that you have
> never administered a large (100k users+) network.

You would be incorrect, by a large margin.

> The procedures and
> paths of action you wish the larger ISPs to take are just not

No, they're just a little more difficult. I realize that it's more
complex to inject a blackhole host route into the IGP of your average
large ISP than it is to wreak a little configuration havoc on some
recursers. That doesn't make the easier solution correct.

> From your web site:
> "Please Note: Be very certain that your alleged abuse incident
> actually originated here before submitting a complaint. Do not sumbit
> a complaint without full headers, logs, and timestamps. We are not a
> commercial ISP and it is highly unlikely that your abuse incident
> actually originated here."

> Spelling mistakes and "under construction" pages from 2002 aside, it
> shows that you look to be familiar with dealing with smaller scale

Yes, sol.net is not a commercial ISP. We're a small, very clean network
that provides access to a limited number of other businesses. We're not
selling $9.95/month DSL, and the businesses that actually live on our net
and sell things have somewhat more "modern" web sites. They're highly
vetted, and the last legitimate abuse incident fades in my recollection.

However, since a lot of the services we run are still under the legacy
domain name, I feel it appropriate to maintain some basic information and
contact stuff under the sol.net domain name, even though we stopped using
that for business purposes /many/ years ago, and it is used pretty much
exclusively for network and other Internet infrastructure systems.

Since I get to set the policies, we simply don't take dirty clients.
However, we do take on a bunch of unusual things, and there is a
sufficient supply of misdirected complaints that we've got a warning
on the web page. You wouldn't believe the number of complaints we
were getting about "hacking" back when we were serving up SpamCop's
graphic images (which is approximately the era which caused us to add
that little statement in red).

And it doesn't really say anything about what I've done in the past, or
what else I also do currently, so really, it might be best to tread
rather more carefully.

Now, if you want to engage in meaningless insults, I'll be happy to
congratulate you on that gorgeous Apache 2 Test Page at crc.id.au ...

"At least I have the decency to provide some public information on the
network I run."

> The reality of the matter is that large ISPs can do:
>
>     1) Nothing (which makes matters worse in the long run)
>     2) A disruptive fix (will get some false matches, a handful of
> IRCers vs 100k+ users is acceptable).
>     3) Kill accounts.

I see you conveniently left out walled gardens and other prudent and
reasonable steps that ISPs and schools are successfully taking. I
guess I didn't actually expect an impartial discussion, once you lowered
yourself to speeling flamez.

> Now let's look at a quick real world result of each of the three above.
>
>     1) Your network eventually caves into the ground. You end up being
> a host for many spam networks and other nasties. Everyone on the
> internet hates you.
>
>     2) A handful of people complain, cry, whimper, and leave. The
> number of users in this boat won't really have much of an effect on
> operations or business. Acceptable losses vs doing option 1.
>
>     3) You get a reputation of killing 'innocent' people's accounts due
> to unknown infections of crud. Business declines, and you end up
> working for an ISP that would implement option 2.

And, as noted, you conveniently left out solutions that people actually
have up and running today. Slick.

> In reality, the "purist" ideals of Internet access just do not work.

Well, we're fine with the "purist" ideals over here. It helps to keep
problems off the network in the first place. I realize that might not
sit too well with ISPs that would rather take money than be a good net
neighbour, but that doesn't make it any more right for them.

It has more to do with choice than "does not work."

... JG

actually.... this really depends upon the management/admin
responsibilities in question, and on the level of damage you are willing
to wreak.

a simple blackhole route (generally not in the IGP, but iBGP, though that
does depend upon the local preferences of the operator I suppose) is much
easier for some folks to do; it has the side effect of having a large blast
radius on vhost-type IP addresses.

a 'simple' dns redirection is 'easier' if you are the dns-admin, often the
dns-admin and routing-admin are not in the same place in the company and
they don't 'trust' each other for these sorts of things. Doing the work in
the DNS server does have the nice side effect that you can block the
domain regardless of ip changes and without the problem associated with
vhost-type ip addresses.

With all of the solutions proposed and possible there are risks, costs and
benefits. Weighing those out, and keeping in mind that Cox (IN THIS EXAMPLE)
has 5 million+ users, it will have to take a very low cost solution.

So, backing up again.... given a set of options, and a set of risks with
those options and keeping in mind that false positives will happen
eventually (this clearly being a case of that) is this worth 35 messages
to discuss a false positive?
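The trade-off described in the last message (a null route takes down every name sharing the blackholed address, and loses the target as soon as it moves; a resolver-side redirection follows the name and spares the co-hosted sites) modelled as an added example. This is not code from the thread or from any ISP; the hostnames, addresses and hosting map are constructed, and the sinkhole address is an RFC 5737 documentation address.

```python
"""Model of two ISP-side blocking techniques: an IP blackhole (null) route
versus a resolver-side DNS redirection. All data here is constructed."""

from dataclasses import dataclass, field

SINKHOLE = "192.0.2.1"  # documentation address standing in for a sinkhole host

# Constructed hosting map: one address carries several name-based virtual
# hosts (the "vhost-type ip address" case), another carries only an IRC server.
RECORDS = {
    "cc.example.net": "203.0.113.10",    # the name the ISP wants to block
    "blog.example.org": "203.0.113.10",  # innocent vhost on the same address
    "shop.example.com": "203.0.113.10",  # innocent vhost on the same address
    "irc.example.net": "203.0.113.20",
}


@dataclass
class IpBlackhole:
    """Null-route a set of addresses; every name mapping to them goes dark."""
    addresses: set = field(default_factory=set)

    def reachable(self, name, records):
        ip = records.get(name)
        return ip is not None and ip not in self.addresses

    def collateral(self, target, records):
        """Names other than the target that share a blackholed address."""
        return sorted(n for n, ip in records.items()
                      if ip in self.addresses and n != target)


@dataclass
class DnsRedirect:
    """Resolver policy: answer a sinkhole address for the listed names only."""
    names: set = field(default_factory=set)

    def resolve(self, name, records):
        if name in self.names:
            return SINKHOLE
        return records.get(name)

    def reachable(self, name, records):
        return self.resolve(name, records) not in (None, SINKHOLE)

    def collateral(self, target, records):
        return sorted(n for n in records if n in self.names and n != target)


def compare(target, records, moved_to=None):
    """Apply both techniques to `target`, optionally after the target's
    address changes to `moved_to`, and report what each blocks."""
    blackhole = IpBlackhole({records[target]})  # built from the address at block time
    redirect = DnsRedirect({target})             # built from the name
    now = dict(records)
    if moved_to:
        now[target] = moved_to                   # the operator moves the host
    return {
        "blackhole": {"blocks_target": not blackhole.reachable(target, now),
                      "collateral": blackhole.collateral(target, now)},
        "dns": {"blocks_target": not redirect.reachable(target, now),
                "collateral": redirect.collateral(target, now)},
    }


if __name__ == "__main__":
    print("at block time:", compare("cc.example.net", RECORDS))
    print("after the host moves:",
          compare("cc.example.net", RECORDS, moved_to="198.51.100.5"))
```

The blast radius of the null route is the two innocent vhosts, and after the address change it blocks nothing but those innocents; the resolver policy keeps following the name with no collateral in this map. Neither side of the model captures the thread's own false-positive problem (a listed name that legitimate users, such as IRC clients, also depend on), which is a question of what goes on the list rather than of the mechanism.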