nanog mailing list archives
Re: Abuse procedures... Reality Checks
From: Warren Kumari <warren () kumari net>
Date: Wed, 11 Apr 2007 13:32:20 -0400
On Apr 11, 2007, at 11:28 AM, J. Oquendo wrote:
> Valdis.Kletnieks () vt edu wrote:
>> * PGP Signed by an unverified key: 04/11/07 at 11:21:15
>> On Wed, 11 Apr 2007 07:07:19 EDT, "J. Oquendo" said:
>>> these so called rules? Many network operators are required to do a lot of things, one of these things should be the mitigation of malicious traffic from LEAVING their network.
>> And I want a pony.
>> We don't even do a (near) universal job of filtering rfc1918 addresses and spoofed addresses. We aren't filtering obvious bogon packets, how do you propose we filter less obvious malicious traffic (is that SYN packet legit, or part of a DDOS, or just a slashdotting of a suddenly popular site?).
>> * Valdis Kletnieks <valdis.kletnieks () vt edu> * 0xB4D3D7B0 - Unverified
> When you say we, speak for yourself and your own networks. There ARE some people who do take the time to properly design their networks.
And I would suggest that Valdis is one of them.... From my reading of his message I understood that:
A: Some people filter bad stuff.
B: Some people don't.
I don't think that it is unreasonable that he used "we" to include all network engineers -- "we" as a community does include A and B
> It is the same "Well since Billy didn't do it neither will I" attitude that makes me never think twice about blocking CIDR's.
So, I have always wondered -- how do your customers really react when they can no longer reach www.example.com, a site hosted a few IPs away from www.badevilphisher.net? And do you really think that you blocking them is going to make example.com contact their provider to get things fixed?
> Since 'THEY' (your "WE") didn't properly configure their network, why should I think twice about letting it into my backyard. I guess it's calling for too much for network operators to actually do their work though
Have you considered that being a little politer and not insulting everyone on the list might be a more constructive way of getting your point across -- if I were to call you a "big, fat, doodoo head" you would probably be less receptive than if I didn't...
> and I guess considering IPv6 is like how many years away now, I can expect that much of a wait for people to implement what should have been done from the onset.
> I don't care how filtering gets done from someone else. Like I said if I can watch and control what comes out of my networks using raw tools on nix machines, you cannot with a straight face/typing method tell me that someone at one of these big providers can't clue themselves in to getting malicious traffic controlled. Should someone want to comment about "oh golly the cost is outrageous" I say bs... It's utter laziness from my eyes. So here I go politely pointing it out... If I can do it with a couple of thousand machines on my VERY OWN, not a "team", not a "department" but me, in a matter of minutes, situate my network to not send out crap, then why can't these companies?
Yes, it is great that you are doing your bit to help keep the net clean. Congratulations and thank you. Perhaps you could write a nice, simple, friendly guide explaining how you ensure that your network is never the source of malicious traffic? And how this can be scaled up to work in a large, backbone network where? Perhaps you could politely contact those who are not doing their bit and, in a helpful manner explain how they could improve -- educating and encouraging change in those who are not doing their bit is much more likely to make things better than screaming "You suck, I'm not going to accept your packets, nah nah nah."
> I'd like to hear something logical, not someone's opinion. Something like "According to ARIN/IEEE specifications of foobarfoo, operators are not allowed to view traffic entering or leaving their networks" which hinders this. There is no reason I could think of, no scenario I could imagine, that would prohibit network operators from putting the nail in the coffin with stuff LEAVING THEIR NETS. Note the word LEAVING now. If it doesn't leave, you wouldn't have complaints from some other operator now would you.
> --
> ====================================================
> J. Oquendo
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
> sil . infiltrated @ net http://www.infiltrated.net
> The happiness of society is the end of government.
> John Adams
I suspect that I should have just stayed out of this thread....
W
--
"Go on, prove me wrong. Destroy the fabric of the universe. See if I care." -- Terry Pratchett