Re: Tier1 blackholing policy?

[Jared Mauch <jared () puck nether net>]

On Apr 30, 2013, at 2:50 PM, bmanning () vacation karoshi com wrote:

>       Phone?  You mean like Jitsi or Skype?
>       Fax?   
>
>       I'd like to see some numbers to back your assertion of "Typical" restoration
>        times of days.

my vendors deliver software fixes for "BGP" doesn't work in weeks, so I think that the following timeline and process 
I'm going to outline exceeds their BGP problems.

0 hour - Issue Reported
0-24 hours - triage; send to customer/internal customer to mitigate/remediate
25-48 hours - Customer responds, host taken down if hacked, etc..
48-96 hours+ - If no response, IP null0'ed per AUP as network security risk
48-96 hours is also where the customer freaks out and quickly fixes their problem to come in compliance with AUP.

This is a natural process.  Null0 or ACLs don't stay up for days or weeks on end.  That doesn't mean this catches 100% 
of all cases, but many ISPs get a daily report of phishing sites and malware hosted on their network each morning.  You 
can get one too!

http://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork

You can get a daily ATLAS report from Arbor as well: http://atlas.arbor.net/ (Although I can't get anyone to fix a 
problem with it, so anyone there can email me if you have the power to fix it).

There are other aggregators of data as well, such as SIE.  If you don't know the health of your network, take a look.  
Many folks will email you these reports automatically, or provide you a direct feed (some in realtime, such as SIE).

- Jared