nanog mailing list archives

Re: de-peering for security sake


From: Ca By <cb.list6 () gmail com>
Date: Sat, 16 Jan 2016 07:50:10 -0800

On Saturday, January 16, 2016, Patrick W. Gilmore <patrick () ianai net> wrote:

On Jan 16, 2016, at 9:53 AM, Rich Kulawiec <rsk () gsp org> wrote:
On Sat, Jan 16, 2016 at 05:43:56AM -0800, Ca By wrote:

I see a great deal of folks on nanog clamoring to buy ddos gear. Packets
are starting to become like spam email, where 90% are pure rubbish, and
we good guys have to spend a lot of money and time sorting signal from
noise.

I've said this many times: abuse does not magically fall out of the sky.
It comes from hosts, on networks, run by people.  It is time -- well
past time -- to hold those people *personally* accountable.

Not doing so leaves us where we are today: millions -- heck, hundreds
of millions -- of dollars are being spent on defenses THAT WOULD NOT
BE NECESSARY if those people performed their jobs at a mere baseline
level of competence and diligence.

Shared fate systems suck in some ways. But I disagree that “a mere
baseline level of competence and diligence” is even close to what is
required.

Making the owner of the host responsible for an attack -personally-
responsible would require every grandma & 6 year old to have insurance
before buying a laptop or Xbox. And would bankrupt your favorite startup no
matter how smart & competent the first time a zero-day caught them by
surprise.

Of course, forcing Uncle Bob to call his insurance carrier before buying a
smartphone, and having Sand Hill Road take even greater risks when
investing, and giving lawyers yet another vector for frivolous lawsuits,
wouldn’t have the slightest effect on the global economy.

On the other hand, that 100s of millions of dollars is a rounding error in
the wealth & public good created by that same shared fate system.

Overall, I think we’re doing well.


Before anyone pounces on me, I hate spam, dos, etc. as much as anyone
else. (You know how much personal, unpaid time I’ve put into fighting both,
Rich.) If we can find the originators of these things, we should hang them
by their thumbs and beat them senseless. We should do everything we can to
make ISPs implement BCP38, get software vendors to QA better, and educate
users to be less, well, idiotic.

But I am also pragmatic. Life sucks, it is not fair. But the idea of
making either grandma or the network engineer at an ISP or even the CEO of
a hosting company personally responsible for things like zero-days or minor
errors which can be exploited to the tune of greater than their personal
wealth or even their corporate market cap is a recipe for bringing
everything to a screeching halt.

I kinda like the ride we’re on, bumps and all. Let’s not bring it to a
screeching halt.

--
TTFN,
patrick


Tar and feather bad, yes.

Name and shame so I can sic my "enterprise account manager" on the shamed =
good.

For example, I have an AWS account manager.  He likes to come in quarterly
and tell me and the exec team about how great AWS is and how we need to buy
more reserved instances.   Like with IPv6, I will make his life hell with
my execs on our quarterly business review citing Spamhaus. My account manager
will squeal in a very unsatisfying way, but he will muster his sales org
muscle to pass on the discomfort to the folks who can increase
accountability and address abuse internally.

That is how transparency and accountability work, put $ and reputation on
the line with big spenders.

So, thanks Spamhaus.

Now, looking at the ddos protection folks to do something similar so we can
get to the root of this ddos epidemic instead of constantly applying
network chemo.

CB

