RE: Repeated Blacklisting / IP reputation

I'd be more than happy to see this, with the added caveat that anyone that returned address space to ARIN that was subsequently marked as 'contaminated', should undergo a review process when attempting to obtain new address space. Charge them for the review process

  Anyone that intentionally uses address space in a manner that they know will cause it to become contaminated should be denied on any further address space requests.

Another option, is to hit them where it matters. Assign fines and fees for churning address space and returning it as contaminated. Set the fee's on a sliding scale based on the amount of contamination and churn. the more contamination, the higher the fee.

Shawn Somers

Michiel Klaver wrote:

You *do* realize that the people you're directing that paragraph at are
able to say with a totally straight face: "We're doing nothing wrong and
we have *no* idea why we end up in so many local block lists"?

Also, you can very well disable new allocations to Spammer-Bob, did
you also know his friend Sue is asking now for space? Sue is very
nice, she even has cookies... oh damn after we allocated to her we
found out she's spamming

Spammers have a lot of variables to change in this equation, RIR's
dont always have the ability to see all of the variables, nor
correlate all of the changes they see

-Chris

so... this thread has a couple of really interesting characteristics.
a couple are worth mentioning more directly (they have been alluded to elsewhere)...

  Who gets to define "bad" - other than a blacklist operator?
  Are the common, consistent defintions of "contamination"?

  If these are social/political - recognise that while the ARIN
  region is fairly consistent in its general use and interpretation
  of law, there are known varients - based on soveriegn region.

this whole debate/discussion seems based on the premise that there are well
known, consistent, legally defendable choices for defining offensive behaviours.
and pretty much all of history shows us this is not the case.

  (is or is not a mother nursing her child in public pornographic?)

So - I suspect that in the end, a registry (ARIN) or an ISP (COMCAST) is only
going to be able to tell you a few things about the prefix you have been handed.

  a) its virginal - never been used (that we know of)
  b) its been used once.
  c) it has a checkered past

and it will be up to the receipient to trust/accept the resource for what it
currently is or chose to reject it and find soliace elsewhere.

--bill

I believe there is another side to that argument as well.

If I operate a regional ISP and request address space for dynamic address pools I am aware of a few things:

1) I am fully aware that there is a chance a customer's system could become infected and generate millions of malicious messages/packets/traffic.
2) I am also aware that it is possible that that one machine could have any number of IP addresses during the course of the week; therefore, it would be possible that they could 'contaminate' an entire /24
3) I know that if I'm made aware of the zombified machine that I'll disable access to the customer quickly; however, the damage has usually already been done.
4) Do I actually care if one of my dynamic address blocks are in a DNSBL? Not at all. They should be using my mail server anyways.

Should I have to go through and make sure that every single IP address/block is 'clean' before returning the allocation to ARIN? I can say with utmost confidence "I don't care" because I no longer need them. If my ability to receive new allocations required that I clean up a dynamic address block before receiving a new one I would take better care of my blocks; however, it may be cheaper just to keep the old block (null route it) and ask for another one.

The question becomes: Where do you draw the 'contamination' line? A network may be using a block well within what we would consider 'reasonable' usage; however, the block may become 'unusable' for certain purposes. Should they too be denied further address space? If thats the case every broadband provider out there should be cut off because they're customers keep getting infected and are used to DDOS/SPAM/Exploit our networks.

What I'm trying to say in a long-winded and round about way is simple --- The contamination doesn't always happen 'on purpose' or with any foresight and it may not be an entire block that is bad. Everyone is guilty at some point of having a few 'dirty' IPs on their network... and I'm sure all of us have left many dirty because god only knows where all it is blocked.

I think costs of maintaining an abuse helpdesk is a big factor here. I don't see many ISP's putting money and resources into an abuse helpdesk and this is because it is low cost to obtain a Netblock so why should one employ and build expertise on managing it. If you go to SpamHaus you will see a major ISP and their netblocks listed and associated with known spammers. What is this ISP doing about this? Nothing! My guess is that they look at their bottom $$ and look at Spamming customer A and say "crap we will be spending $$$ on this customer just to get them off SpamHaus so just leave it, we are afterall in the bandwidth business". If ARIN were to say to this major ISP that they wont allocate more addresses to them until they adhere to an AUP then maybe the game will change but the bigger question here is should ARIN get into this kind of policy.

Zaid

I think costs of maintaining an abuse helpdesk is a big factor here. I don't
see many ISP's putting money and resources into an abuse helpdesk and this
is because it is low cost to obtain a Netblock so why should one employ and

have you ever had to re-number a customer, several customers, a
hundred?? 'getting a new netblock is low cost' is hardly an accurate
statement, especially if you keep in mind that you have to justify the
usage of old netblocks in order to obtain the new one.

build expertise on managing it. If you go to SpamHaus you will see a major
ISP and their netblocks listed and associated with known spammers. What is
this ISP doing about this? Nothing! My guess is that they look at their

'nothing' that you can see? or nothing? or something you can't see or
that's taking longer than you'd expect/like? There certainly are bad
actors out there, but I think the majority are doing things to keep
clean, perhaps not in the manner you would like (or the speed you
would like or with as much public information as you'd like).

From the outside most ISP operations look quite opaque, proclaiming

'Nothing is being done' simply looks uneducated and shortsighted.

bottom $$ and look at Spamming customer A and say "crap we will be spending
$$$ on this customer just to get them off SpamHaus so just leave it, we are
afterall in the bandwidth business". If ARIN were to say to this major ISP
that they wont allocate more addresses to them until they adhere to an AUP
then maybe the game will change but the bigger question here is should ARIN
get into this kind of policy.

doubtful that: 1) arin would say this (not want to be net police), 2)
isp's couldn't show (for the vast majority of isps) that they are in
fact upholding their AUP.

-chris

so... this thread has a couple of really interesting characteristics.
a couple are worth mentioning more directly (they have been alluded to elsewhere)...

as always, despite your choice in floral patterned shirts good
comments/questions.

   Who gets to define "bad" \- other than a blacklist operator?
   Are the common, consistent defintions of "contamination"?

nope, each BL (as near as I can tell) has their own criteria (with
some overlaps to be certain) and they all have their own set of rules
that they either break at-will or change when it suits them. Their
incentives are not aligned with actually getting the problem resolved,
sadly... and they really don't have any power to resolve problems
anyway.

   If these are social/political \- recognise that while the ARIN
   region is fairly consistent in its general use and interpretation
   of law, there are known varients \- based on soveriegn region\.

Yup, you don't like my business how about I move to the caymans where
it's no longer illegal? The Internet brings with it some
interesting judicial/jurisdictional baggage.

this whole debate/discussion seems based on the premise that there are well
known, consistent, legally defendable choices for defining offensive behaviours.
and pretty much all of history shows us this is not the case.

There are really two discussions, I think somewhere along the path
they were conflated:

1) newly allocated from IANA netblocks show up to end customers and
reachability problems ensue. (route-filters and/or firewall filters)

2) newly re-allocated netblocks show up with RBL baggage (rbls and
smtp blocks at the application layer)

For #1 there was some work (rbush and prior to that Jon Lewis
69block.org?) showing that folks 'never' alter their 'bogon route
filters' or 'bogon access-list entries'.

For #2 ARIN may have a solution in place, if it were more publicly
known (rss feed of allocations, care of RS and marty hannigan
pointers) that RBL operators could use to clean out entries in their
lists providing a better service to their 'users' even, perish the
thought!

   \(is or is not a mother nursing her child in public pornographic?\)

or SI Swinsuit edition depending on the part of the world you are in,
yes, or even YouTube videos, weee!

So - I suspect that in the end, a registry (ARIN) or an ISP (COMCAST) is only
going to be able to tell you a few things about the prefix you have been handed.

   a\) its virginal \- never been used \(that we know of\)
   b\) its been used once\.
   c\) it has a checkered past

I actually don't think it's a help for ARIN to say anything here,
since they can never know all the RBL's and history for a netblock,
and they can't help in the virginal case since they don't run
network-wide filters.

A FAQ that says some of the above with some pointers to testing
harnesses to use may be useful. Some tools for network operators to
use in updating things in a timely fashion may be useful.
Better/wider/louder notification 'services' for new block allocations
from IANA -> RIR's may be useful.

Not everyone who runs a router reads their local 'nog' list... Leo
Vegoda does a great job tell us about RIPE allocations, Someone does
the same for ARIN (drc maybe??) and I'm not certain I recall who's
last announced APNIC block yahtzee. Where else is this data
available? In a form that your avg enterprise network op may notice?

and it will be up to the receipient to trust/accept the resource for what it
currently is or chose to reject it and find soliace elsewhere.

'solace elsewhere'... dude there is no 'elsewhere'.

-Chris
(and yes, I'm yanking your chain about the shirts...)

>
> so... this thread has a couple of really interesting characteristics.
> a couple are worth mentioning more directly (they have been alluded to elsewhere)...

as always, despite your choice in floral patterned shirts good
comments/questions.

  humph... at least I wear pants.

>
> Who gets to define "bad" - other than a blacklist operator?
> Are the common, consistent defintions of "contamination"?

nope, each BL (as near as I can tell) has their own criteria (with

  trick question... each ISP gets to define good/bad on their
  own merits or can outsource it to third parties.

1) newly allocated from IANA netblocks show up to end customers and
reachability problems ensue. (route-filters and/or firewall filters)

2) newly re-allocated netblocks show up with RBL baggage (rbls and
smtp blocks at the application layer)

  you forgot #3 ... a "clean" IANA block that was "borrowed"
  for a while .. and already shows up in some filter lists.

> So - I suspect that in the end, a registry (ARIN) or an ISP (COMCAST) is only
> going to be able to tell you a few things about the prefix you have been handed.
>
> a) its virginal - never been used (that we know of)
> b) its been used once.
> c) it has a checkered past

I actually don't think it's a help for ARIN to say anything here,
since they can never know all the RBL's and history for a netblock,
and they can't help in the virginal case since they don't run
network-wide filters.

  not RBL specific ...

  a) this block came directly from IANA and has never been previously allocated
     in/through the IANA/RIR process
  b) this block has had one registered steward in recorded history
  c) this block has been in/out of the RIR/registry system more than once.

A FAQ that says some of the above with some pointers to testing
harnesses to use may be useful. Some tools for network operators to
use in updating things in a timely fashion may be useful.
Better/wider/louder notification 'services' for new block allocations
from IANA -> RIR's may be useful.

  indeed - I'd like to see the suite extended to the ISPs as well, esp
  if such tricks will be used in v6land...

last announced APNIC block yahtzee. Where else is this data
available? In a form that your avg enterprise network op may notice?

  oh... I'd suggest some of the security lists might be a good
  channel.

> and it will be up to the receipient to trust/accept the resource for what it
> currently is or chose to reject it and find soliace elsewhere.

'solace elsewhere'... dude there is no 'elsewhere'.

  and yet... Jimmy and Warren Buffet will tell you its always 1700 somewhere....
  and if that doesn't work, whip out the NAT and reuse 10.0.0.0 -again-....

>
> so... this thread has a couple of really interesting characteristics.
> a couple are worth mentioning more directly (they have been alluded to elsewhere)...

as always, despite your choice in floral patterned shirts good
comments/questions.

   humph\.\.\. at least I wear pants\.

you have something against skirts? or dresses? always with the pants
with you!! <shakey fist>

>
> Who gets to define "bad" - other than a blacklist operator?
> Are the common, consistent defintions of "contamination"?

nope, each BL (as near as I can tell) has their own criteria (with

   trick question\.\.\. each ISP gets to define good/bad on their
   own merits or can outsource it to third parties\.

sure... outsourcing in this case often happens without a real business
relationship.

1) newly allocated from IANA netblocks show up to end customers and
reachability problems ensue. (route-filters and/or firewall filters)

2) newly re-allocated netblocks show up with RBL baggage (rbls and
smtp blocks at the application layer)

   you forgot \#3 \.\.\. a "clean" IANA block that was "borrowed"
   for a while \.\. and already shows up in some filter lists\.

ok... but we can't ever really know that Verizon uses 114/8 and 104/8
internally can we? (and has/may leak this to external parties on
occasion by mistake)

> So - I suspect that in the end, a registry (ARIN) or an ISP (COMCAST) is only
> going to be able to tell you a few things about the prefix you have been handed.
>
> a) its virginal - never been used (that we know of)
> b) its been used once.
> c) it has a checkered past

I actually don't think it's a help for ARIN to say anything here,
since they can never know all the RBL's and history for a netblock,
and they can't help in the virginal case since they don't run
network-wide filters.

   not RBL specific \.\.\.

   a\) this block came directly from IANA and has never been previously allocated
      in/through the IANA/RIR process
   b\) this block has had one registered steward in recorded history
   c\) this block has been in/out of the RIR/registry system more than once\.

Ok, is this in the final email from hostmaster@ to 'enduser@'? or
somewhere else? what's the recourse when someone says: "But I don't
want a USED netblock, it my have the herp!"

I'm trying to see if ARIN can say something of use here without
raising its costs or causing extra/more confusion to the end-site(s).

A FAQ that says some of the above with some pointers to testing
harnesses to use may be useful. Some tools for network operators to
use in updating things in a timely fashion may be useful.
Better/wider/louder notification 'services' for new block allocations
from IANA -> RIR's may be useful.

   indeed \- I'd like to see the suite extended to the ISPs as well, esp
   if such tricks will be used in v6land\.\.\.

last announced APNIC block yahtzee. Where else is this data
available? In a form that your avg enterprise network op may notice?

   oh\.\.\. I'd suggest some of the security lists might be a good
   channel\.

sure, most of those folks also read nanog-l, this won't also reach
enterprise folk... (admittedly it's hard to reach 'everyone', but
spammers seem to be able to...)

> and it will be up to the receipient to trust/accept the resource for what it
> currently is or chose to reject it and find soliace elsewhere.

'solace elsewhere'... dude there is no 'elsewhere'.

   and yet\.\.\. Jimmy and Warren Buffet will tell you its always 1700 somewhere\.\.\.\.
   and if that doesn't work,  whip out the NAT and reuse 10\.0\.0\.0 \-again\-\.\.\.\. :\)

ha...

-chris

Christopher Morrow wrote:

Spammers have a lot of variables to change in this equation, RIR's
dont always have the ability to see all of the variables, nor
correlate all of the changes they see

Being a crimnal enterprise there are some tools in your kit that a
legitimate business does not have. The problems becomes, how the
raising the legitimacy bar more effectively discriminates against
legitimate entities then crimnal one's.

If a discriminatory measure were for example to raise the bar for new
entrants that, by it's nature represents an Internet scale tragedy.

joel

Christopher Morrow wrote:

Spammers have a lot of variables to change in this equation, RIR's
dont always have the ability to see all of the variables, nor
correlate all of the changes they see

Being a crimnal enterprise there are some tools in your kit that a
legitimate business does not have. The problems becomes, how the

that was my point, yes.

raising the legitimacy bar more effectively discriminates against
legitimate entities then crimnal one's.

If a discriminatory measure were for example to raise the bar for new
entrants that, by it's nature represents an Internet scale tragedy.

I think we are in agreement on this issue, and the above actually.

-Chris

> and it will be up to the receipient to trust/accept the resource for

what it

> currently is or chose to reject it and find soliace elsewhere.
>

'solace elsewhere'... dude there is no 'elsewhere'.

"elsewhere" = "designated transfer"

Do you get a premium for a "clean" /18?

Lee

Shawn Somers wrote:

Anyone that intentionally uses address space in a manner that they
know will cause it to become contaminated should be denied on any
further address space requests.

I couldn't disagree more with this kind of heckler's veto proposal. RBL
operators should not be permited to set registry policy, even indirectly.

The point of an RBL is that it operates consensually. I choose to use an RBL
to filter something because I agree with the RBL's policy decisions. There
is nothing inherently wrong with being added to an RBL, it simply indicates
that the RBL's operators felt you met their policy for inclusion.

If someone wants to make an RBL that lists people with "bad ideas", they are
welcome to. Those who agree with them can have a "bad idea"-free internet.
But it does not follow that there's any reason to punish those on the RBL,
even if they do so intentionally, and even if that RBL listen would burden
other owners of the block.

Of course, they should not be permitted to launder their blocks either. Just
as registries should not impose costs on people just for getting listed in
an RBL, they should not impose costs on RBL-operators by helping people
evade earned listings and forcing re-listings.

DS

[ engage cynical mode]

It's the responsibilty of all operations to ensure that they're not
persistent or egregious sources of abuse. *Some* operations handle that
reasonably well, but unfortunately many do not -- which is why there
are now hundreds of blacklists (of varying intent, design, operation,
and so on).

If ISPs et.al. were doing their jobs properly, there would be no need
for any of these to exist. But they're not, which is why so many people
have taken the time and trouble to create them. Overall ISP performance
in re abuse handling is miserable and has been for many years, and that
includes everything from a lack of even perfunctory due diligence ("30
seconds with Google") to failure to handle the abuse role address properly
and promptly to alarming naivete' ("what did you THINK they were doing
with an entire /24 full of nonsense domain names?") to deployment of
"anti-spam" measures that make the problem worse and inflict abuse on
third parties to...

This is hardly surprising: there are few, if any, consequences for
doing so, and of course it's far more profitable to not just turn a
blind eye to abuse (which used to be common) but moreso these days to
actively assist in it with a smile and a wink and a hand extended for the
payoff, while simultaneously making a public show of "deep concern" and
issuing press releases that say "We take the X problem seriously..." and
participating in working groups that studiously avoid the actual problems
-- or better yet, which invite well-known/long-time abusers to have a
seat at the table.

---Rsk