North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: Abuse procedures... Reality Checks
Warren Kumari wrote:
You confused two things.
1) I do my best to stop malicious traffic from leaving my network. With this said, if someone cannot get out somewhere, they're obviously going to get in touch with me as to why. Once this is done, it is explained to them that either their machine, or a machine on their network was doing something fuzzy therefore they were blocked. Most are actually thankful that it was pointed out to them as opposed to having to wait for Security Company X to update its virus/spamware definitions.
2) I do not block getting TO company X at first signs of garbage coming into my network from them. I've always contacted someone to some degree so don't misconstrue my actions as "I block the first packets I see." On the contrary I only block CIDR's after about 3 attempts at getting someone to assess their network. After that, I begin with services. This is my network so this is how it pans out... Spam? A CIDR to my email ports are blocked. SSH brute forcing, etc., those ports are blocked. Network who's blocked on ports continues, everything is then blocked.
What does being polite and "matter of factly" have to do with administrators cleaning up their networks? Should I beg an administrator of some network to be polite and not refer me to their generic abuse desk who'll do nothing about the issue?
I actually am a little too polite in the fact that 1) I'm doing network operators a favor pointing them out to rogue hosts on THEIR networks not mines. If they want to continue hosting said rogue idiots, their problem. I won't be allowing it into my range. If you knew me personally, or have dealt with me, I can guarantee you within minutes of you contacting me for something I would be on it. I as an admin/engineer whatever you want to call me would want to make sure that nothing internal to me is affecting anyone else since it is likely to make things more difficult for me if left unchecked.
So on issues of politeness, I am being polite contacting people. I'm being double polite posting evil doing networks on my personal site so others can be aware that "These networks are infected. Here are there hosts if you want to block them." I do this on my own spare time, my own expense, and my own filtering of the denials of service that ensue when some botnet reject sees me post a percentage of his botnet. So please don't my messages as anything other than "Hey... When is someone going to deal with this?" frustration targeted at those with the power to do actually something about it instead of waiting for someone else to take the first move.
Analogy: You live in a house and sweep your property. Your neighbors don't. Would you stop sweeping your house? Would you keep your house dirty simply because the majority around you do? I'm sure if you convinced the most visible neighbor to make a change, the others would follow suit. Heck in some areas those neighbors who didn't comply would face fines after some point. Why not bring this chain of thought to a network you maintain/manage.
As for documentation on this... There is PLENTY of it. Why should I write another document no one would follow. If some can't follow normal standards set by governmental bodies (for lack of better terms), what makes you think someone would say "Gee... That Oquendo sure wrote a nice document... Let me follow it" How about following standards and using good old fashioned common sense.
sil . infiltrated @ net http://www.infiltrated.net
The happiness of society is the end of government. John Adams