nanog mailing list archives

Re: Abuse.cc ???


From: joej () Rocknyou com
Date: Sat, 5 Apr 2003 21:47:10 -0500




Jack's right on the money there. Traffic being generated and directed
to my network uses bandwidth, something I/my company pays for.
Since it's a cost, I am tasked to prove/disprove its benefit, so.
Perhaps if one isn't probing and/or reporting utilization trends and usage
this would not be so much an issue, but on my networks it is. If I were to take the
stance of "oh but it's not hurting anything" you bet most of my IPOPs would
look like ripe pickings for the masses of kiddie scripters/hackers.
It's part of the job to police and keep clean the networks I'm responsible
for. As well, I do the inverse: if I get a complaint about some activity from
within one of my netblocks I do my best to follow up on it and see it's not some
new "feature" of M$ or a fat-fingered configuration somewhere. I actually welcome
the complaint as it may bring to my attention something/one that has gone wrong.
Granted I'm not about to nitpick a few packets typed in error by some poor sap
on AOL, but in this case over 400 would
enlighten a response to you/your provider.
Perhaps this is "old school" thinking but in my model of networks it's a proven and
working theory.

Well just my 2¢s.
-Joe

/* "Well if all the bits are 1's then we charge more"
"Why is that?"
"Larger audience"                                     */
 
----- Original Message ----- 
From: "Jack Bates" <jbates () brightok net>
To: "Matthew S. Hallacy" <poptix () techmonkeys org>
Cc: "McBurnett, Jim" <jmcburnett () msmgmt com>; <nanog () merit edu>
Sent: Saturday, April 05, 2003 12:16 PM
Subject: Re: Abuse.cc ???



Matthew S. Hallacy wrote:

How was this traffic causing harm to your network? I'd rather have them
dealing with people actively breaking into systems, DoS'ing, etc than
terminating some customer who's probably infected with the latest 
microsoft worm.


Worm control is important. If we let them run rampant, then they will
build up to a critical mass and become DOS quality. One of my transit
customers was ignoring the worm reports I was sending him. Interestingly
enough, he DOS'd his own routers as several of the people infected were
behind NAT generating 11,000 connections in less than a minute. Ever
seen a C3640 with 11,000 NAT translations? In this case, it's a customer
that didn't have high-end equipment. If he'd had high-end equipment,
then others would suffer the performance hit, not to mention extra noise
making it harder to detect purposeful scans and attacks. Some worms,
like Code Red, cause a DOS on web-enabled equipment as well. The F
variant, for example, will shut down Net2Net DSLAMs, some Cisco
equipment, and I'm sure a lot of other things.


-Jack

