Last post for me on this thread... Dirty Networking 101
So the other morning I found a contact for a company who'll for
now remain unamed, this contact is on this group...Sent them
yet another message (3 this week):
new message
To whom it may concern,
One of my servers has been heavily under
On Sat, Apr 07, 2007 at 05:12:19PM -0500, Frank Bulk wrote:
If they're properly SWIPed why punish the ISP for networks they don't even
punish?
Since when is it punishment to refuse to extend a privilege that's been
repeatedly and systematically abused? (You have of course, absolutely
no right
On Fri, 13 Apr 2007, Rich Kulawiec wrote:
Since when is it punishment to refuse to extend a privilege that's been
repeatedly and systematically abused?
It IS punishment if it's in response to some sort of undesired behavior,
but it probably isn't UNJUSTIFIED punishment.
--
Steve Sobol,
On Wed, 11 Apr 2007, Frank Bulk wrote:
It truly is a wonder that Comcast doesn't apply DOCSIS config file filters
on their consumer accounts, leaving just the IPs of their email servers
open. Yes, it would take an education campaign on their part for all the
consumers that do use alternate
Mikael Abrahamsson wrote:
On Wed, 11 Apr 2007, Frank Bulk wrote:
It truly is a wonder that Comcast doesn't apply DOCSIS config file
filters
on their consumer accounts, leaving just the IPs of their email servers
open. Yes, it would take an education campaign on their part for all
the
Citando Frank Bulk [EMAIL PROTECTED]:
but imagine how much work it
would save their abuse department in the long run
I think that Comcast trouble isn't has much has the company's affected I keep
the idea that the best is to rate limit incoming connections and a lot of
filtering to prevent
On Thursday 12 April 2007 06:14, Fernando André wrote:
Citando Frank Bulk [EMAIL PROTECTED]:
but imagine how much work it
would save their abuse department in the long run
I think that Comcast trouble isn't has much has the company's affected I
keep the idea that the best is to rate
Stephen Satchell wrote:
SWIPs are required for reallocations of /29 and larger if the
allocation owner does not operate a RWhoIs server.
Of course, SWIP is a ARIN thing, and you work for BRITISH
TELECOMMUNICATIONS PLC. As a US network operator, I was well aware of
the requirements for
SWIP is a process used by organizations to submit information about
downstream customer's address space reassignments to ARIN for
inclusion
in the WHOIS database. Its goal is to ensure the effective
and efficient
maintenance of records for IP address space.
Lovely language but it
Maybe ARIN staff should start re-writing policies and
implementing out punishments. Guarantee you if operators were
penalized for not following rules, for allowing filth to leave
their networks, I bet you many maladies on the net would be
cut substantially.
Sorry, that's not their job.
On Wed, 11 Apr 2007 07:07:19 EDT, J. Oquendo said:
these so called rules? Many network operators are required to
do a lot of things, one of these things should be the
mitigation of malicious traffic from LEAVING their network.
And I want a pony.
We don't even do a (near) universal job of
[EMAIL PROTECTED] wrote:
* PGP Signed by an unverified key: 04/11/07 at 11:21:15
On Wed, 11 Apr 2007 07:07:19 EDT, J. Oquendo said:
these so called rules? Many network operators are required to
do a lot of things, one of these things should be the
mitigation of malicious traffic from
On Apr 11, 2007, at 11:28 AM, J. Oquendo wrote:
[EMAIL PROTECTED] wrote:
* PGP Signed by an unverified key: 04/11/07 at 11:21:15
On Wed, 11 Apr 2007 07:07:19 EDT, J. Oquendo said:
these so called rules? Many network operators are required to
do a lot of things, one of these things should
Warren Kumari wrote:
So, I have always wondered -- how do you customers really react when
they can no longer reach www.example.com, a site hosted a few IPs away
from www.badevilphisher.net? And do you really think that you blocking
them is going to make example.com contact their provider to
into the hundreds of thousands of
customers and can only imagine the big ass eyeball network's scalability
issues...
scott
--- [EMAIL PROTECTED] wrote:
From: J. Oquendo [EMAIL PROTECTED]
To: nanog@merit.edu
Cc: Warren Kumari [EMAIL PROTECTED]
Subject: Re: Abuse procedures... Reality Checks
Date
[EMAIL PROTECTED]
Subject: Re: Abuse procedures... Reality Checks
Date: Wed, 11 Apr 2007 13:49:40 -0400
Warren Kumari wrote:
So, I have always wondered -- how do you customers really react when
they can no longer reach www.example.com, a site hosted a few IPs
away
from www.badevilphisher.net
On Apr 11, 2007, at 10:32 AM, Warren Kumari wrote:
Perhaps you could write a nice, simple, friendly guide explaining
how you ensure that your network is never the source of malicious
traffic?
Identify your ownership, and ensure contact information is accurate
and well attended.
On Tue, Apr 10, 2007 at 07:44:59AM -0500, Frank Bulk wrote:
Comcast is known to emit lots of abuse -- are you blocking all their
networks today?
All? No. But I shouldn't find it necessary to block ANY, and wouldn't,
if Comcast wasn't so appallingly negligent.
( I'm blocking huge swaths of
On Wed, Apr 11, 2007 at 03:44:01PM -0400, Warren Kumari wrote:
The same thing happens with things like abuse -- it is easy to deal
with abuse on a small scale. It is somewhat harder on a medium scale
and harder still on a large scale -- the progression from small to
medium to large is
As for documentation on this... There is PLENTY of it. Why should
I write another document no one would follow.
Because you might be a better writer than those other folks. You might
be able to present the right balance of technical detail and policy
goals to be understood by a larger number
I know from experience this doesn't scale into the hundreds of
thousands of customers and can only imagine the big ass eyeball
network's scalability issues...
Hear hear...
Scaling process and procedures is often as hard or harder than
scaling technical things...
It's true. But
--- [EMAIL PROTECTED] wrote:
On Wed, Apr 11, 2007 at 03:44:01PM -0400, Warren Kumari wrote:
The same thing happens with things like abuse -- it is easy to deal
with abuse on a small scale. It is somewhat harder on a medium scale
and harder still on a large scale -- the progression from
it
would save their abuse department in the long run.
Frank
-Original Message-
From: Frank Bulk
Sent: Wednesday, April 11, 2007 5:10 PM
To: 'nanog@merit.edu'
Subject: Re: Abuse procedures... Reality Checks
On Tue, Apr 10, 2007 at 07:44:59AM -0500, Frank Bulk wrote:
Comcast is known to emit
I have to disagree. SWIP is not meaningless.
In my company some functions related to sending a SWIP are
automated, but my company has people on staff who know that
it is happening and what it means.
And I talk with plenty of other companies that fall into the
same boat.
In
On Sat, Apr 07, 2007 at 09:50:34PM +, Fergie wrote:
I would have to respectfully disagree with you. When network
operators do due diligence and SWIP their sub-allocations, they
(the sub-allocations) should be authoritative in regards to things
like RBLs.
After thinking it over: I
On Sat, Apr 07, 2007 at 04:20:59PM -0500, Frank Bulk wrote:
Define network operator: the AS holder for that space or the operator of
that smaller-than-slash-24 sub-block? If the problem consistently comes
from /29 why not just leave the block in and be done with it?
Because
Comcast is known to emit lots of abuse -- are you blocking all their
networks today?
Frank
-Original Message-
From: Frank Bulk
Sent: Tuesday, April 10, 2007 7:43 AM
To: nanog@merit.edu
Subject: Re: Abuse procedures... Reality Checks
On Sat, Apr 07, 2007 at 09:50:34PM +, Fergie
Because I haven't got unlimited WHOIS queries. (Although I
and everyone
else *should* have those. There are no valid reasons to
rate-limit any
form of WHOIS query.)
Yes there are. The current whois returns way more information on a query
than you need for network operations. That's
On Tue, Apr 10, 2007 at 03:11:31PM +0100, [EMAIL PROTECTED] wrote:
...
Yes there are. The current whois returns way more information on a query
than you need for network operations. That's because the current whois
was designed back in the 1970's so that ARPANET network managers could
On Tue, Apr 10, 2007 at 10:30:32AM +0100, [EMAIL PROTECTED] wrote:
...
I also find it curious that you claim to have people on staff at your
company who know what SWIP means. Perhaps you could ask them to share
that information with us since I have never seen this documented
anywhere. Do they
[EMAIL PROTECTED] wrote:
I also find it curious that you claim to have people on staff at your
company who know what SWIP means. Perhaps you could ask them to share
that information with us since I have never seen this documented
anywhere. Do they really know what you claim they know?
Pete Templin wrote:
John R Levine wrote:
I don't have PI space, but I do have a competent ISP so I've never
had any
mail problems due to adjacent addresses.
Having a competent ISP isn't a guarantee of exemption...only a
contributor. As evidenced by the discussion, some people choose the
I don't have PI space, but I do have a competent ISP so I've never had any
mail problems due to adjacent addresses.
Having a competent ISP isn't a guarantee of exemption...only a contributor.
As evidenced by the discussion, some people choose the scope of their wrath
arbitrarily.
Nothing
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Apr 9, 2007, at 1:49 PM, John L wrote:
I don't have PI space, but I do have a competent ISP so I've
never had any
mail problems due to adjacent addresses.
Having a competent ISP isn't a guarantee of exemption...only a
contributor. As
I would have to respectfully disagree with you. When network
operators do due diligence and SWIP their sub-allocations, they
(the sub-allocations) should be authoritative in regards to things
like RBLs.
How do you tell when they have actually done due diligence.
Existence of a SWIP record
like a good idea, but I'm guessing few network operators
do that for their customer networks, whether that's due to lack of
centralization or cost.
Frank
-Original Message-
From: Frank Bulk
Sent: Monday, April 09, 2007 3:49 PM
To: 'nanog@merit.edu'
Subject: RE: Abuse procedures... Reality
On Mon, 9 Apr 2007 [EMAIL PROTECTED] wrote:
If they're properly SWIPed why punish the ISP for networks
they don't even
operate, that obviously belong to their business customers?
How can you tell that they don't operate a network from SWIP records?
Seems to me that lots of network
: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete
Templin
Sent: Monday, April 09, 2007 3:42 PM
To: Chris Owen
Cc: nanog@merit.edu
Subject: Re: Abuse procedures... Reality Checks
Chris Owen wrote:
Well, well managed to me would mean that allocations from that /20
were SWIPed or a rwhois
procedures... Reality Checks
I would have to respectfully disagree with you. When network
operators do due diligence and SWIP their sub-allocations, they
(the sub-allocations) should be authoritative in regards to things
like RBLs.
How do you tell when they have actually done due diligence
On Mon, 09 Apr 2007 17:11:28 EDT, Azinger, Marla said:
In my company some functions related to sending a SWIP are automated,
but my company has people on staff who know that it is happening and
what it means.
Just because *your* site has enough clue to get it right doesn't mean that
the
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- -BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Apr 9, 2007, at 3:41 PM, Pete Templin wrote:
Chris Owen wrote:
Well, well managed to me would mean that allocations from that /
20 were SWIPed or a rwhois server was running so that if any of
On Apr 8, 2007, at 9:03 PM, Paul Vixie wrote:
[EMAIL PROTECTED] (Douglas Otis) writes:
Good advise. For various reasons, a majority of IP addresses
within a CIDR of any size being abusive is likely to cause the
CIDR to be blocked. While a majority could be considered as being
half
On Mon, 9 Apr 2007, Paul Vixie wrote:
than you're describing. for example, this weekend two /24's were hijacked
and used for spam spew. as my receivebot started blackholing /32's, the
Why do you think they were hijacked ? At least for your second block:
1 71.6.213.103
I've
Neither I nor J. Oquendo nor anyone else are required to spend our
time, our money, and our resources figuring out which parts of X's
network can be trusted and which can't.
you should only spend resources on activities which will benefit you, of
course. research into a /N to find out
On Apr 7, 2007, at 11:27 PM, John Levine wrote:
[...]
I can assure you from
experience that any sort of automated RIR WHOIS lookups will quickly
trip volume checks and get you blocked,
Does this happen when you only query for the network information and
not the full contact information?
[EMAIL PROTECTED]
Subject: RE: Abuse procedures... Reality Checks
Date: Sat, 7 Apr 2007 16:20:59 -0500
If they can't hold the outbound abuse down to a minimum, then
I guess I'll have to make up for their negligence on my end.
Sure, block that /29, but why block the /24, /20
[EMAIL PROTECTED] (Douglas Otis) writes:
Good advise. For various reasons, a majority of IP addresses within a
CIDR of any size being abusive is likely to cause the CIDR to be blocked.
While a majority could be considered as being half right, the existence
of the bad neighborhood
Joe:
I understand your frustration and appreciate your efforts to contact the
sources of abuse, but why indiscriminately block a larger range of IPs than
what is necessary?
Here's the /24 in question:
Combined Systems Technologies NET-CST (NET-207-177-31-0-1)
207.177.31.0 -
On Sat, 07 Apr 2007, Frank Bulk wrote:
Joe:
I understand your frustration and appreciate your efforts to contact the
sources of abuse, but why indiscriminately block a larger range of IPs than
what is necessary?
Far too many times I've tried to contact those who have the DIRECT
On Sat, Apr 07, 2007 at 02:31:25PM -0500, Frank Bulk wrote:
I understand your frustration and appreciate your efforts to contact the
sources of abuse, but why indiscriminately block a larger range of IPs than
what is necessary?
1. There's nothing indiscriminate about it.
I often block
J. Oquendo wrote:
...
So to answer your question about fairness... It's not fair by any
means, but it is effective. I see it as follows...
Well, that's the reason why I have a gmail account and all my
customers have.
I can send even from my dynamic ip-address and still they
let me in.
They
On Sat, Apr 07, 2007 at 02:31:25PM -0500, Frank Bulk wrote:
I understand your frustration and appreciate your efforts to contact the
sources of abuse, but why indiscriminately block a larger range of IPs
than
what is necessary?
1. There's nothing indiscriminate about it.
I often
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Apr 7, 2007, at 4:20 PM, Frank Bulk wrote:
Sure, block that /29, but why block the /24, /20, or even /8?
Perhaps your
(understandable) frustration is preventing you from agreeing with
me on this
specific case. Because what you usually see
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- -- Rich Kulawiec [EMAIL PROTECTED] wrote:
1. There's nothing indiscriminate about it.
I often block /24's and larger because I'm holding the *network* operators
responsible for what comes out of their operation. If they can't hold
the outbound
On Sat, 7 Apr 2007, Fergie wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- -- Rich Kulawiec [EMAIL PROTECTED] wrote:
1. There's nothing indiscriminate about it.
I often block /24's and larger because I'm holding the *network* operators
responsible for what comes out of their
to have clean customers.
Frank
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
william(at)elan.net
Sent: Saturday, April 07, 2007 5:58 PM
To: Fergie
Cc: [EMAIL PROTECTED]; nanog@merit.edu
Subject: Re: Abuse procedures... Reality Checks
On Sat, 7 Apr 2007
of every one of those subblocks did
not lead to any results.
Frank
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
william(at)elan.net
Sent: Saturday, April 07, 2007 5:58 PM
To: Fergie
Cc: [EMAIL PROTECTED]; nanog@merit.edu
Subject: Re: Abuse procedures
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- -- william(at)elan.net [EMAIL PROTECTED] wrote:
On Sat, 7 Apr 2007, Fergie wrote:
I would have to respectfully disagree with you. When network
operators do due diligence and SWIP their sub-allocations, they
(the sub-allocations) should be
Frank Bulk wrote:
[[Attribution deleted by Frank Bulk]]
Neither I nor J. Oquendo nor anyone else are required to
spend our time, our money, and our resources figuring out which
parts of X's network can be trusted and which can't.
It's not that hard, the ARIN records are easy to look up.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- -- Stephen Satchell [EMAIL PROTECTED] wrote:
It's *very* hard to do it with an automated system, as such automated
look-ups are against the Terms of Service for every single RIR out there.
Exactly why is this hard to do?
I would think that
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Apr 7, 2007, at 11:00 PM, Fergie wrote:
I would think that it's actually very easy to do when
sub-allocations are SWIP'ed.
Not that I'm really defending this policy, but sub-allocations are
very often not SWIPed. I'd say 75% or more of the
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- -- Chris Owen [EMAIL PROTECTED] wrote:
On Apr 7, 2007, at 11:00 PM, Fergie wrote:
I would think that it's actually very easy to do when
sub-allocations are SWIP'ed.
Not that I'm really defending this policy, but sub-allocations are
very
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Apr 7, 2007, at 11:41 PM, Fergie wrote:
Please read what I wrote:
I would think that it's actually very easy to do when
sub-allocations are SWIP'ed.
I cannot, and will not, presuppose that in cases when they are
not SWIP'ed that some kind of
[mailto:[EMAIL PROTECTED]
Sent: Saturday, April 07, 2007 5:44 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Abuse procedures... Reality Checks
Frank Bulk wrote:
[[Attribution deleted by Frank Bulk]]
Neither I nor J. Oquendo nor anyone else are required to
spend our time, our
@merit.edu
Subject: RE: Abuse procedures... Reality Checks
On Sat, 7 Apr 2007, Frank Bulk wrote:
If they're properly SWIPed why punish the ISP for networks they don't even
operate, that obviously belong to their business customers?
All ISPs have AUPs that prohibit spam (or at least I hope all of you
From: Frank Bulk [EMAIL PROTECTED]
Subject: RE: Abuse procedures... Reality Checks
Date: Sat, 7 Apr 2007 16:20:59 -0500
If they can't hold the outbound abuse down to a minimum, then
I guess I'll have to make up for their negligence on my end.
Sure, block that /29, but why block
BLUNT QUESTIONS: *WHO* pays me to figure out 'which parts' of a provider's
network are riddled with problems and 'which parts' are _not_?
I don't know the answer in your case, but in my case the answer is my
employer. More specifically, my employer pays me to block junk and let good
traffic*
@merit.edu
Subject: RE: Abuse procedures... Reality Checks
From: Frank Bulk [EMAIL PROTECTED]
Subject: RE: Abuse procedures... Reality Checks
Date: Sat, 7 Apr 2007 16:20:59 -0500
If they can't hold the outbound abuse down to a minimum, then
I guess I'll have to make up for their negligence
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- -- Chris Owen [EMAIL PROTECTED] wrote:
On Apr 7, 2007, at 11:41 PM, Fergie wrote:
Please read what I wrote:
I would think that it's actually very easy to do when
sub-allocations are SWIP'ed.
I cannot, and will not, presuppose that in cases
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Apr 8, 2007, at 2:51 AM, Fergie wrote:
Again, a simple recursive WHOIS will show you sub-allocations if they
are properly SWIP'ed.
Define properly. The Cox addresses in my example are SWIPed. Are
they properly SWIPed? How could you tell
Sure, block that /29, but why block the /24, /20, or even /8?
Since nobody will route less than a /24, you can be pretty sure that
regardless of the SWIPs, everyone in a /24 is served by the same ISP.
I run a tiny network with about 400 mail users, but even so, my
semiautomated systems are
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- -- Chris Owen [EMAIL PROTECTED] wrote:
On Apr 8, 2007, at 2:51 AM, Fergie wrote:
Again, a simple recursive WHOIS will show you sub-allocations if they
are properly SWIP'ed.
Define properly. The Cox addresses in my example are SWIPed. Are
On Sat, 7 Apr 2007 20:41:19 -0500 (CDT)
Robert Bonomi [EMAIL PROTECTED] wrote:
BLUNT QUESTIONS: *WHO* pays me to figure out 'which parts' of a
provider's
network are riddled with problems and 'which parts' are _not_? *WHO* pays
me to do the research to find out where the end-user
it, block *all*
the IPs associated to the 'bad' ISP. Then at least you're consistent,
otherwise expanding to a /24 is just a half (or 1%) job or laziness.
Frank
-Original Message-
From: Frank Bulk
Sent: Saturday, April 07, 2007 10:45 PM
To: [EMAIL PROTECTED]
Subject: Re: Abuse procedures
On Sat, 7 Apr 2007, Chris Owen wrote:
And how do you know the difference? The Cox IP address is SWIPed. Its
even sub-allocated. The allocation is just a /19.
Exactly, so why not just block whatever the suballocation is? Would mean
that companies that properly SWIP their IP-blocks and put
75 matches
Mail list logo
