How many others are nullrouting BT?

We've long been aware that BT *never* deals with spammers or DoS attacks that originate from their network, but a new issue has come to light. BT has a number of users who are apparently testing out stolen credit card numbers from their network against stores of all flavors.

3 months of attempts by US banks, US police departments, the FBI, etc. to get any action taken on these issues have gone nowhere. BT is "protecting the interests of their users". Meanwhile the stolen credit card attempts continue unabated.

We're considering null-routing all BT netblocks. I'm wondering how many others have already come to the same conclusion?

They have refused all of the evidence we have offered to date. They refer us to the UK law enforcement. We ask for contact information for their local office, and they responded with the (fictional) address of Scotland Yard from the popular TV show. That's sarcasm, not helpfulness. It's reckless, inconsiderate behavior.

It would be reckless and inconsiderate if it wasn't the correct course
of action.

You probably want to be in touch with the Economic and Specialist Crime unit:
  http://www.met.police.uk/scd/specialist_units/economic_specialist_crime.htm
which appears to be based here:

  Metropolitan Police Service
  New Scotland Yard
  Broadway
  London
  SW1H 0BG

  new.scotland.yard@met.police.uk

or call

  +44 20 7230 1212

Hope this helps.

  -- bill.

(two minutes using google and the met police web site)

To paraphrase bandy rush: "I encourage my competitors to do that".

-alex

bill hulley wrote:

They have refused all of the evidence we have offered to date. They
refer us to the UK law enforcement. We ask for contact information
for their local office, and they responded with the (fictional)
address of Scotland Yard from the popular TV show. That's sarcasm,
not helpfulness. It's reckless, inconsiderate behavior.

It would be reckless and inconsiderate if it wasn't the correct course
of action.

The correct course of action is to refuse to provide legal contact information, refuse to cooperate with law enforcement inquiries into the matter, refuse to investigate the situation, refuse to gather logs and other information to be used by law enforcement?

On what planet is that the proper course of action?

FYI: latest news is that they are giving the local (UK) police force a run around as well.

You probably want to be in touch with the Economic and Specialist Crime unit:
http://www.met.police.uk/scd/specialist_units/economic_specialist_crime.htm

  ....

(two minutes using google and the met police web site)

Who investigate only crimes committed against UK citizens. Please confirm your data before you suggest that someone isn't following through.

Matthew Smith wrote:

What address did BT give you?

221b Baker Street, London

You know, I am normally very against the over-the-top demands that law enforcement try to place on carriers. Certainly the non-standard format for delivery of data that CALEA requires is a prime example. But situations like this, where BT gives US local, US federal and even UK police the runaround, give me a lot more sympathy for their situation.

I do hope that when the UK police get tired of waiting, they shut down everything in BT's data centre and take it all as evidence. BT deserves at least that, and frankly a whole lot more.

A local fraud group is trying to determine if anyone whose card was stolen was a UK citizen so that a lawsuit against BT is possible.

We're considering null-routing all BT netblocks. I'm wondering how many others have already come to the same conclusion?

alex@pilosoft.com wrote:

To paraphrase bandy rush: "I encourage my competitors to do that".

Yeah, I know. This is exactly why no ISPs have abuse help desks that respond, and nobody can get even the most trivial problems solved.

We do better. We answer *EVERY* abuse complaint. Which isn't much, because we do the job correctly. And we care about the reliability/usability of the 'Net as a whole.

So when the 'Net becomes partitioned by economics and politics, re-read this letter and know that "I told you so". Know that being a smart-ass wasn't worth the effort. It's already going there, and everyone whines but very few of us are doing the job in a manner appropriate to actually solving problems.

Neil Harris wrote:

Jo Rhett wrote:

Matthew Smith wrote:

What address did BT give you?

221b Baker Street, London

221b Baker Street is the home address of the fictional detective Sherlock Holmes.

Right, which is why I said what I did. Okay, not a fictional address but a fictional character and absolutely not useful.

Jo,

you are in the colo business, and not in the access
business? You surely must also have millions of users,
all with Windows on them and some horses and what not.

Just a thought, with no opinion specifically.

Alexander

I do hope that when the UK police get tired of waiting, they shut
down everything in BT's data centre and take it all as evidence. BT
deserves at least that, and frankly a whole lot more.

I've already replied privately to Jo offering my help to escalate this
internally at BT to the right person. But I would like to point out that
BT does not have "a" data centre that can be shut down. BT is a very
large network operator with probably hundreds of data centres worldwide.
We also operate multiple IP networks and have many different lines of
business. The problem appears to be with the UK consumer Internet line
of business. Even though I have nothing to do with that particular
group, I will still escalate this issue to make sure that the right
people know about it.

I know that Verizon is another company that has many lines of business
and it can be difficult to find the right contact. Others have mentioned
the fact that many large operators separate email and network operations
into separate business units which deal separately with their abuse
issues.

While NANOG is a nice stopgap for getting to the right people, it seems
to me that we should, collectively, come up with a better system for
doing this. If only the RIR databases were verified so that all contacts
listed were reading, willing and able to act on abuse issues...

--Michael Dillon

Jo Rhett wrote:

We've long been aware that BT *never* deals with spammers or DoS attacks
that originate from their network, but a new issue has come to light.
BT has a number of users who are apparently testing out stolen credit
card numbers from their network against stores of all flavors.

Which BT? There are several organisations within the BT Group...

3 months of attempts by US banks, US police departments, FBI, etc to get
any action taken on these issues has gone nowhere. BT is "protecting
the interests of their users". Meanwhile the stolen credit card
attempts continue unabated.

We're considering null-routing all BT netblocks. I'm wondering how many
others have already come to the same conclusion?

Not something I would recommend to anyone that has any commercial sense.

Serious suggestion: try http://www.ispa.org.uk/ - they can probably get
you into contact with the right person within BT.

J

We are in the colo business. We start at half-cabinet and go upwards so it tends to be businesses with real sysadmins. That helps, since it means hundreds of businesses and not millions of users.

But yes, our main concern is quickly isolating Windows/Linux systems which have been compromised and shutting them down. We use a lot of tools to analyze traffic, and usually take the compromised machine offline before we get abuse reports.

I do hope that when the UK police get tired of waiting, they shut
down everything in BT's data centre and take it all as evidence. BT
deserves at least that, and frankly a whole lot more.

I've already replied privately to Jo offering my help to escalate this
internally at BT to the right person. But I would like to point out that
BT does not have "a" data centre that can be shut down. BT is a very
large network operator with probably hundreds of data centres worldwide.

I knew that. I meant the BT Broadband data centre which keeps the log data for user sessions.

And anyway, I didn't expect it either. It's an ISP horror story that has happened only a few times. I was simply expressing frustration in saying that BT deserved it.

We also operate multiple IP networks and have many different lines of
business. The problem appears to be with the UK consumer Internet line
of business. Even though I have nothing to do with that particular
group, I will still escalate this issue to make sure that the right
people know about it.

Thank you.

While NANOG is a nice stopgap for getting to the right people, it seems
to me that we should, collectively, come up with a better system for
doing this. If only the RIR databases were verified so that all contacts
listed were reading, willing and able to act on abuse issues...

I used NANOG only as a stop-gap because no other lines were working. Checking my NANOG sent file, I've done this 7 times over 10 years, so I think I can say that I don't abuse this approach ;-)

The RIR data only pointed to abuse@btbroadband.com, and that was getting me nowhere. Their responses to the customer were less than useful. They weren't responding to my requests for escalation at all.

Irrelevant of the BT specifics...

Jo Rhett wrote:

We're considering null-routing all BT netblocks. I'm wondering how many
others have already come to the same conclusion?

Not something I would recommend to anyone that has any commercial sense.

In our particular market it wouldn't hurt us very badly, but ...

This is a specific problem that I think affects us all, and it bothers me greatly that large organizations like BT are allowed to give the finger to everyone on this list because they don't have to worry about being nullrouted on a global basis. Knowing this, they are allowed to understaff and otherwise ignore their abuse help desks. Because their size allows them to not care.

I'd love to find a way to change that equation.

Jo Rhett wrote:
[..]

While NANOG is a nice stopgap for getting to the right people, it seems
to me that we should, collectively, come up with a better system for
doing this. If only the RIR databases were verified so that all contacts
listed were reading, willing and able to act on abuse issues...

[..]

The RIR data only pointed to abuse@btbroadband.com, and that was getting
me nowhere. [..]

RIR data is 'too open' for real contacts to be found. Just as spam can
cause abuse@ addresses to become useless, the information in the RIR
data mostly also gets overspammed and thus often is not properly read.
There are of course a lot of places who do read them, but still. IMHO the
data present in the RIPE DB is also of much higher quality than the data in
ARIN, but that is my opinion.

Thus your other option as a network administrator becomes to look up the
contact data in the Peering Database: https://www.peeringdb.com

For BT this lists a NOC email address, and a direct person for Technical
and Policy decisions, which has an email and phone contact for your
perusal. Not directly the right person, but it at least brings you
somewhat in the right direction.

Next to that, of course never hesitate to set up an INOC-DBA account and
hook yourself up there. That brings your complaint only a simple
ASN dial away ;-)

As these two mediums are more or less restricted to folks who actually
run an ASN, the chance of abuse/nonsense is lower, as such there is more
value and people tend to pick up the phone much easier.

Greets,
Jeroen

>> While NANOG is a nice stopgap for getting to the right people, it seems
>> to me that we should, collectively, come up with a better system for
>> doing this. If only the RIR databases were verified so that all contacts
>> listed were reading, willing and able to act on abuse issues...

[..]

> The RIR data only pointed to abuse@btbroadband.com, and that was getting
> me nowhere. [..]

RIR data is 'too open' for real contacts to be found. Like spam can
cause abuse@ addresses to become useless, the information in the RIR
data mostly also get overspammed and thus often are not properly read.

Today, RIRs only give you email contacts for the abuse desk. This is
part of the problem. Most companies operate some sort of internal
departmentalization for abuse issues and the RFC 2142 mailbox names are
no longer sufficient. It would be better if the RIR database had a set
of URLs which led to information about reporting various issues. At a
minimum, email issues and network issues should be separated.

Most large network operators do have a set of web pages where they
explain their AUP, peering policies, email filtering systems, and so on.
But there is no standard for finding these and they are not listed in
RIR databases unless someone puts them in the comments field.

We could do a lot better. I know that the MAAWG is doing some work on
defining best practices in this area, in fact our head of Internet
Customer Security is presenting at the Dublin meeting. But, I believe
that we also need more documented best practices in the area of general
network abuse reporting processes.

Often, when network abuse crosses borders and there is a crime involved,
the ISPs find themselves stuck in the middle in an awkward way. The
customer who is the victim of the crime reports to local police, but the
local police often don't know how to deal with getting information from
the ISP in the foreign country, and have no prior police contacts there.
Legal matters are always rather touchy as you will know if you have
followed the CALEA thread. ISPs always have to act lawfully and cannot
act as an arm of the police or they may themselves be the target of
court actions. However, it should be possible for the ISPs to facilitate
police-to-police communications. In previous jobs I have been involved
in doing that.

In one case, I provided a local police email address to a foreign ISP so
that they could give that to their own police. In another case, I asked
a foreign ISP to provide an email contact for their local police force
so that a customer could include this in his crime report to the local
police. It seems to me that this is something that all ISPs could
provide quite openly on their websites in the same way we provide
Investor Relations and Media contacts. After all, if we receive a report
that a customer has committed a crime, there is not much that we can do
about it directly. But if we would publish our local police contact
address along with instructions about reporting crimes to police in the
victim's jurisdiction, then hopefully, we would get fewer such reports
because they would all go directly to the police.

But how do we sort out these abuse reporting issues? How do we write the
best practices document? Is NANOG the right place? ARIN/RIPE?

Thus your other option as a network administrator becomes to look up the
contact data in the Peering Database: https://www.peeringdb.com

Assuming that you know the peering database exists. And why is that info
not in the RIR's own database? Why is it scattered?

For BT this lists a NOC email address, and a direct person for Technical
and Policy decisions, which has an email and phone contact for your
perusal. Not directly the right person, but it at least brings you
somewhat in the right direction.

I'll see if we can get the abuse address added to that. We have recently
centralised responsibility for all abuse reporting across all countries,
markets, lines of business. We also have installed a system using
StreamShield to proactively identify and report spam sources on our
network so that we can deal with them faster than by waiting for 3rd
party reports.

Next to that, of course never hesitate to set up an INOC-DBA account and
hook yourself up there. That brings your complaint only a simple
ASN dial away ;-)

I'm going to pass along that suggestion internally. However, once again,
I wonder why INOC-DBA is not better known. Why don't we have an ISP best
practices document published as an RFC to update RFC 2142 and include
more than just email? It's been 10 years now and 2142 is old in the
tooth.

If anyone wants to send me suggestions for content for a best practices
document, I'm willing to put something together.

--Michael Dillon

Oh, yes. Because BCPs are so very good at solving problems.

I wanna go live in your happy universe. Because if BCP 38 were attended to, more than 40% of my job would be irrelevant, and 12-15% of our traffic load would be reduced.

...one of the only colocation providers who does implement BCP 38.

Jo Rhett wrote:

Oh, yes. Because BCPs are so very good at solving problems.
I wanna go live in your happy universe. Because if BCP 38 were attended
to, more than 40% of my job would be irrelevant, and 12-15% of our
traffic load would be reduced.
...one of the only colocation providers who does implement BCP 38.

Is the alternative just to sit around, be sarcastic, and do nothing?

If someone has enthusiasm to write documents and provide advice that is
available to the community this is a Good Thing; they shouldn't be
discouraged from it. It is enormously helpful to have a document to
point people at - most ignorance is just that rather than wilful
malfeasance.

Will Hargrave wrote:

Jo Rhett wrote:

Oh, yes. Because BCPs are so very good at solving problems.
I wanna go live in your happy universe. Because if BCP 38 were attended
to, more than 40% of my job would be irrelevant, and 12-15% of our
traffic load would be reduced.
...one of the only colocation providers who does implement BCP 38.

Is the alternative just to sit around, be sarcastic, and do nothing?

In particular I was saying that going back to his employer and doing something about *their problem right now* would be much more useful than writing a BCP would.

If someone has enthusiasm to write documents and provide advice that is
available to the community this is a Good Thing; they shouldn't be

And if they could instead focus on solving the real problem today... even better.

BCPs would be largely unnecessary if everyone focused on their job.

You can and should read "focused on their job" as also including "was allowed to focus on their job by their employer".

Yeah, I know. This is exactly why no ISPs have abuse help desks that
respond, and nobody can get even the most trivial problems solved.

Overgeneralization sucks and just proves to everyone else what an
irrational individual you are.

We do better. We answer *EVERY* abuse complaint. Which isn't much,
because we do the job correctly. And we care about the
reliability/usability of the 'Net as a whole.

You do better because you are 1/10000th the size of a company like BT
and you handle colo only.

So when the 'Net becomes partitioned by economics and politics, re-read
this letter and know that "I told you so". Know that being a smart-ass
wasn't worth the effort. It's already going there, and everyone whines
but very few of us are doing the job in a manner appropriate to actually
solving problems.

*Yawn* while you are at it please null route Charter, Comcast, Cox,
Verizon, AT&T, etc. so the list doesn't have to see you send in another
email with you spouting your superiority while making nonsense
generalizations.

Now if you are done acting like a child you should have seen that
Michael Dillon is a member of this list and could have been used as a
resource to handle this problem before you sent in this nonsense to
the list. I hope in the future you think before you send so you don't
come across as the child stamping his feet when he doesn't get the
attention he wants.

-Ross