On 2020-04-29 17:51, Mukund Sivaraman wrote:
> On Wed, Apr 29, 2020 at 01:49:14PM -0400, Tom Beecher wrote:
>> What if I am at home, and while working on a project, fire off a wide
>> ranging nmap against say a /19 work network to validate something
>> externally? Should my ISP detect that and make a decision that I shouldn't
>> be doing that, even though it is completely legitimate and authorized
>> activity? What if I fat fingered a digit and accidentally ran that same
>> scan against someone else's /19? Should that accidental destination of
>> non-malicious scans be able to file an abuse report against me and get my
>> service disconnected because they didn't like it?
>>
>> Abuse departments should be properly handling LEGITIMATE abuse complaints.
>> Not crufty background noise traffic that is never going away.
>
> Sure. Handling legitimate abuse complaints would be quite sufficient. :)
>
> Mukund

Since this is a distributed network and there's not a central authority
to rule on each incident being legitimate, the only way to stay out of
the politics is to ignore people's abuse complaints. Someone's SSH
server is being spammed with probes? That's pretty low bandwidth, not
much threat to the network from a cracking script. Maybe you don't like
it, maybe it's criminal or whatever else, but ostensibly it's some
paying customer's traffic and it should be delivered unmolested. When
someone's infrastructure is getting packeted or having their routers
crashed repeatedly, they respond to that, usually without having to be
emailed, because it's actual abuse of their network. A lot of this
other stuff is just people abusing the abuse contacts to get someone
else taken offline. Phishing websites fall into this category - it's
not network abuse, it's just content someone doesn't like, and one way
to get it taken down is to threaten the network that carries the traffic
for it.
-Laszlo