North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Q: What do ISPs really think about security issues?

  • From: Suresh Ramasubramanian
  • Date: Fri Jan 11 09:58:49 2008
  • Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; bh=60g1yYCVHTHKNVLAkhkqjXsiCNkoztIeEgsvN72oJ2g=; b=fLiAcRRyCLONv86Vx02QHL9P9rSi42pWo7a/Tg+H+irTtU0PRhKum6s/RIbcdKmI0VQOxNheLCzZZhcgdj4f0LMbahWaxZFYCqkAB2Y58zrFNIRCBiM3pzpADUM4nJqSSKrGh0rcBeMuONGYz2aghlkuXOw9tiBsQ+tuoNx2ZtQ=
  • Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=Cr415qFC4viauTXK6N/fXuJe9feSNxpLFv9XIRofGM3cb7+69aLnmrOrMcE2Swrh9fTjfqyNeYsyx4ydylVb3cewebqiOlK8r0xhOQlHmunQ8sA1OmONXau0e7Imi4/4+ELtIdqqXvGsThn9igL1tMBT/GZD6dCu1Ag+as38nq8=

On Jan 11, 2008 8:01 PM, Gadi Evron <ge@xxxxxxxxxxxx> wrote:

> Naturally, diversity is not *always* good, which is the second ammendment
> to the thinking process.

Yes, diversity is actually a good idea when everybody concerned is
aware of what the others are doing, and at least coordinate to some
extent if they are in the same space.

You aren't going to achieve some monolithic conference that will
become the go-to place for everything in this field, for sure.

> It is not about an holier than thou attitude, it's about understanding
> that the Internet is truly the only functioning anarchy, and that "doing"

Perhaps I ought to explain.

That remark was about at least some people / groups who routinely send
takedown notices.  Arrogance coupled with a sad lack of clue at one
end (lots of tier 1 techs, often outsourced to some place with far
more customer support clue than actual abuse desk clue, employed to
send alerts, without the least idea of how to send these)

One particular vendor that saw a nigerian create a free email account
dhl@[one of our domains], and went after our registrar trying to get
the domain itself canceled.  Some fun ensued when I emailed all that
to the VP of their parent company (for whom takedown services appears
to be a sideline, at best).  That lot has behaved themselves for a
while I must say

Another vendor who, after being given clear escalation paths, first
kept cc'ing our upstream abuse desk, and every role account OTHER than
abuse at our domain.  When they finally get enough clue hammered into
them to cc our abuse desk, they escalate to my work address within two
hours of that, demanding it be taken down.

Our abuse desk would handle tix within a business day, or even
earlier.  And email about phish takes priority right after (say) LE
requests that find their way there (instead of the special POC we
already have given most LE agencies).   So, escalating a manual
complaint after two hours is a bit thick, I'd say.

Anyway, that particular vendor  got told to take a hike, told that we
wouldnt accept any further reports from them (and that our automated
scripts kill about 20 for every one that they report anyway), and that
we'd contact the one client they seem to send these alerts for
directly and set up something more automated, where they could send us
a list (in a standard format, and verified at their end) and we'd take
it down automatically.  Of course with manual review later.

Neither of those two takedown services (especially not the one in #2)
is going to get anything like this offered to them.  Not until they
actually learn to play nice with other ISPs.  Which comes right back
to Sean's remark that I replied to.

Sorry for the long emails, but I do wish more takedown services (and
more abuse / security desks) would read the MAAWG abuse desk best
practice document ..

http://www.maawg.org/about/publishedDocuments/Abuse_Desk_Common_Practices.pdf

--srs
-- 
Suresh Ramasubramanian (ops.lists@xxxxxxxxx)