> > I understand your frustration and appreciate your efforts to contact the
> > sources of abuse, but why indiscriminately block a larger range of IPs
> > than is necessary?
> 1. There's nothing "indiscriminate" about it.
> I often block /24's and larger because I'm holding the
> *network* operators responsible for what comes out of
Define network operator: the AS holder for that space or the operator of
that smaller-than-slash-24 sub-block? If the problem consistently comes
from a /29, why not just leave the block in and be done with it?
I guess this begs the question: Is it best to block with a /32, /24, or some
other range? Sounds a lot like throwing something against the wall and
seeing what sticks. Or vigilantism.
> If they can't hold the outbound abuse down to a minimum, then
> I guess I'll have to make up for their negligence on my end.
Sure, block that /29, but why block the /24, /20, or even /8? Perhaps your
(understandable) frustration is preventing you from agreeing with me on this
specific case, because what you usually see is an IP from a /20 or larger
and the network operators aren't dealing with it. In the example I gave
it's really the smaller /29 that's the culprit; it sounds like you want to
punish a larger group, perhaps as large as an AS, for the fault of smaller
> I don't care why it happens -- they should have thought through
> all this BEFORE plugging themselves in and planned accordingly.
> ("Never build something you can't control.")
> Neither I nor J. Oquendo nor anyone else is required to
> spend our time, our money, and our resources figuring out which
> parts of X's network can be trusted and which can't.
It's not that hard; the ARIN records are easy to look up. Figuring out that
a network operator has a /8 that you want to block based on 3 or 4 IPs in
their range requires just as much work.
> It is entirely X's responsibility to make sure that its _entire_
> network can be permitted the privilege of access to ours.
> And (while I don't wish to speak for anyone else),
> I think we're prepared to live with a certain amount of low-level,
> transient, isolated noise.
> Noise like that is an inevitable part of the job.
> We are not prepared to live with persistent, systemic attacks
> that are not dealt with even *after* complaints are
> filed. (Which shouldn't be necessary anyway: if we can see inbound
> hostile traffic to our networks, surely X can see it outbound from
> theirs. Unless X is too stupid, cheap or lazy to look. Packets do
> not just fall out of the sky, y'know?)
Smaller operators, like those that require just a /29, often don't have that
infrastructure. Those costs, as I'm sure you are aware, are passed on to
companies like yourself that have to maintain their own network's security.
Again, block them, I say, just don't swallow others up in the process.
> 2. "necessary" is a relative term.
> Example: I observed spam/spam attempts from 3,599 hosts on
> pldt's network during January alone. I've blocked
> everything they have, because I find it *necessary*
> to not wait for the other N hosts on their network
> to pull the same stunt. I've found it *necessary* to take
> many other similar measures as well because my time,
> money and resources are limited quantities, so I must
> expend them frugally while still protecting the operation
> from overtly hostile networks.
That's my point: you want to spend time dealing with the other 8 networks
because you blacked them out, too?
> That requires pro-active measures and it requires ones
> that have been proven to be effective.
> If X, for some value of X, is unhappy about this, then X should have
> thought of that before permitting large amounts of abuse to escape
> its operation over an extended period of time. Had X done its job
> to a baseline level of professionalism, then this issue would not
> have arisen, and we'd all be better off for it.
Agreed, but economics usually dictate otherwise.
> So. If you (generic you) can't keep your network from being
> a persistent and systemic abuse source, then unplug it. Now.
They want to run a business, too. So when you blacklist them, they will end up
calling you asking for mercy, telling you that it's been cleaned up.
Inevitably something/someone gets infected, you black them out, rinse,
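As an added illustration of the /29-versus-/24 question argued in this thread (not code from either poster): given the hosts observed sending abuse, constructed sample data in documentation address space, the script counts how many never-observed addresses each candidate block length (/32, /29, /24, /20) would sweep in, and shrink-wraps the offenders into the tightest blocks under an assumed density threshold.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: abuse was observed from these hosts (documentation
# addresses, not real offenders). Six sit inside one /29; one is a stray
# elsewhere in the same /20.
OBSERVED = [
    "203.0.113.9", "203.0.113.10", "203.0.113.11", "203.0.113.12",
    "203.0.113.13", "203.0.113.14",   # all inside 203.0.113.8/29
    "203.0.115.77",                    # lone host in 203.0.112.0/20
]

def covering_blocks(hosts, prefixlen):
    """Map each /prefixlen supernet to the observed hosts it contains."""
    groups = defaultdict(set)
    for h in hosts:
        net = ipaddress.ip_network(f"{h}/{prefixlen}", strict=False)
        groups[net].add(ipaddress.ip_address(h))
    return groups

def collateral(hosts, prefixlen):
    """For a candidate block length return (blocks, observed, swept_in):
    entries the blocklist would need, offenders they cover, and addresses
    that were never seen misbehaving but get blocked anyway."""
    groups = covering_blocks(hosts, prefixlen)
    observed = sum(len(v) for v in groups.values())
    total = sum(net.num_addresses for net in groups)
    return len(groups), observed, total - observed

def tightest_blocks(hosts, min_density=0.6):
    """Shrink-wrap the offenders: start each host at /32 and widen its block
    only while at least min_density of the wider block's addresses were
    actually observed. This is the thread's 'block the /29, not the /24'
    policy written as a rule; the 0.6 threshold is an assumption."""
    addrs = [ipaddress.ip_address(h) for h in hosts]
    blocks = []
    for a in addrs:
        net = ipaddress.ip_network(str(a))
        while net.prefixlen > 0:
            wider = net.supernet()
            seen = sum(1 for x in addrs if x in wider)
            if seen / wider.num_addresses < min_density:
                break
            net = wider
        blocks.append(net)
    # collapse_addresses drops duplicates and blocks subsumed by a wider one
    return sorted(ipaddress.collapse_addresses(blocks))

if __name__ == "__main__":
    for plen in (32, 29, 24, 20):
        print(f"/{plen}: blocks, observed, swept_in = {collateral(OBSERVED, plen)}")
    print("tightest:", [str(n) for n in tightest_blocks(OBSERVED)])
```

With the sample data, blocking at /24 sweeps in 505 addresses that never showed up in the logs, while the /29 plus the lone /32 covers every offender with 2 uninvolved neighbours.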