Re: GoDaddy.com shuts down entire data center?

["Micheal Patterson" <micheal () tsgincorporated com>]

----- Original Message ----- 
From: "Patrick W. Gilmore" <patrick () ianai net>
To: <nanog () nanog org>
Cc: "Patrick W. Gilmore" <patrick () ianai net>
Sent: Tuesday, January 17, 2006 1:09 AM
Subject: Re: GoDaddy.com shuts down entire data center?


> On Jan 17, 2006, at 1:32 AM, Jim Popovitch wrote:
>
> > I want to say, from an outsider's perspective, that I whole  heartily 
> > applaud GoDaddy on the actions they took [...]
>
> There seems to be a wide split on this topic.  I was wondering if  people 
> would privately tell me yes or no on a few questions so I can  understand 
> the issue better.
>
> 1) Do you think it is acceptable to cause any collateral damage to 
> innocent bystanders if it will stop network abuse?

If the damage of the persistant abuse is greater than the lost of the 
innocent persons, yes.

> 2) If yes, do you still think it is acceptable to take down 100s of 
> innocent bystanders because one customer of a provider is misbehaving?

Yes I do and more than likely, so do you. If you are a common end point for 
all of my users and I'm the common end point for yours, either of us has the 
right to deny access to the other at any point for no reason really. Now, 
should your network start flooding me or vice versa, one of us, if not both, 
will toss up some filters. If either of our networks is larger than the 
other and causing a dos for the other end, the effected one of us would have 
no recourse but to contact the upstream of the source point and request 
assistance.

> 3) If yes, do you still think it is acceptable if the "misbehaving" 
> customer is not intentionally misbehaving - i.e. they've been hacked?

Intentional or not, it doesn't negate the fact that the system has been 
hacked and is now owned by someone other than the actual owner. If one of my 
systems were to be hacked and I miss it, and it starts causing problems for 
your network, I expect my network to be filtered.  If your filters aren't 
effective enough to deal with the issue, and I'm not helping you to correct 
the problem, I expect you to go to my carrier to file a complaint.

> 3) If yes, do you still think it is acceptable if the collateral  damage 
> (taking out 100s of innocent businesses) doesn't actually stop  the spam 
> run / DoS attack / etc.?

There is no simple yes / no for this one. It would depend on the 
circumstances of the issue.

<snip>
> Using the case under discussion as an example, I am wondering why  anyone 
> thinks taking down 100s of innocent domains is a good way to  stop a 
> single hacked machine from doing whatever it is doing?  If you  somehow 
> think all that is worth it, take a close look at your cost /  benefit 
> analysis.  At this rate, every business on the Internet will  be out of 
> business before we take out even a single moderately large  botnet.

You can wonder why, however I, IMHO, think that if more carriers would take 
that stance, then the problems that we face daily would be much less severe. 
Currently, there's not much to keep the big players in check when it comes 
to their network. Now, imagine, what could happen if they were forced to 
play by the same rules that we have to go by? If our network is causing 
problems, our uplink(s) have the authority to disconnect them for that 
generally. Can you see Sprint, SBC/AT&T, L3, Cogent, AOL, Cox, etc having 
those same rules applicable to them or be depeered from all peers and become 
network dead? Now, is it feasible to do such a thing? Not usually because it 
causes financial issues on both sides of the depeering. That's because the 
internet that we have is used as a means of financial gain and isn't geared 
for being easily segregated in the event of compromise. Yet, that's the 
current mechanism for a compromised end user. The same means should be used 
all the way to the NAP imo.

> I am also wondering why anyone thinks the miscreant will stop just 
> because the legitimate owner's domain no longer resolves?  Not only  is 
> the machine likely to continue sending spam as if nothing  happened, we 
> aren't even "catching" the guy.  I guess you could say  "well, it put 
> pressure on his hosting provider to clean the infected  machine", which is 
> true.  I just think that's a bit silly.  But maybe  I'm the one who's 
> silly.

Why should you or I be the ones responsible for catching the miscreant when 
the compromised system isn't on our network? If it were, then that task 
would fall to us to do so. If the threat of a delinking were over our heads, 
we'd have some major incentive to find the idiot and make sure he's not on 
our net anymore wouldn't we.

> Lastly, I wonder what "average" people - people who run businesses on 
> hosting providers who really don't understand all this computer stuff  - 
> think about such actions.  How many 100s of people have we just  alienated 
> for life to stop - er, NOT stop - a single zombie?  And how  many of their 
> friends are going to hear over an over how the Internet  is not a real 
> business and no one should put any faith in it?

Average people think email is secure.
Average people think that email is instant.
Average people think that updates and patches are a hinderance and not 
necessary.
Average people think that the internet is flawless.
Average people think that their current provider is the internet.
Average people don't care what happens outside of their cable/dsl modem or 
their linksys/dlink router.
Average people just want it to work and don't want to know what's behind the 
scenes to make the *magic*.

> Is this really a good thing?

Yes, they need to know that the net is like a shark in the water. It may not 
get you today, tommorrow or never. But that doesn't mean you want to swim in 
shark infested waters without taking proper precautions.

> --
> TTFN,
> patrick

:)

Mike P.