nanog mailing list archives

Re: Handling of Abuse Complaints

From: Hugo Slabbert <hugo () slabnet com>
Date: Mon, 29 Aug 2016 09:05:13 -0700

On Mon 2016-Aug-29 10:55:27 -0500, Jason Lee <jason.m.lee () gmail com> wrote:

NANOG Community,

I was curious how various players in this industry handle abuse complaints.
I'm drafting a policy for the service provider I'm working for about
handing of complaints registered against customer IP space. In this example
I have a customer who is running an open resolver and have received a few
complaints now regarding it being used as part of a DDoS attack.

My initial response was to inform the customer and ask them to fix it. Now
that its still ongoing over a month later, I'd like to take action to
remediate the issue myself with ACLs but our customer facing team is
pushing back and without an idea of what the industry best practice is,
management isn't sure which way to go.

I'm hoping to get an idea of how others handle these cases so I can develop
our formal policy on this and have management sign off and be able to take
quicker action in the future.

If you've informed them of the issue, given them time to resolve, andthey've failed to take action, at some point you need to escalate andcauterize the wound to prevent abuse traffic spewing forth from thecusotmer's (and subsequently your) network.

How you implement that specifically is your call, but I would at leaststart giving specific timelines to the customer and outline the steps thatwill be taken if they fail to remediate by those times in order to givethem fair warning.

I've been fairly specific previously about crafting filters to drop justthe offending traffic, which should be doable here given the vector, but inother cases where it was obvious the offending hosts were simplycompromised to hell and spewing myriad garbage traffic, I have cut usersoff completely to chop C&C access etc.


This was during time at a regional commercial ISP on business circuits.

--
Hugo Slabbert       | email, xmpp/jabber: hugo () slabnet com
pgp key: B178313E   | also on Signal


Thanks,

Jason

Attachment: signature.asc
Description: Digital signature

Current thread:

Handling of Abuse Complaints Jason Lee (Aug 29)
- Re: Handling of Abuse Complaints Hugo Slabbert (Aug 29)
- Re: Handling of Abuse Complaints William Herrin (Aug 29)
  - RE: Handling of Abuse Complaints Gareth Tupper (Aug 29)
    - Re: Handling of Abuse Complaints Paul Ferguson (Aug 29)
    - Re: Handling of Abuse Complaints Steve Atkins (Aug 29)
    - Re: Handling of Abuse Complaints William Herrin (Aug 29)
    - Re: Handling of Abuse Complaints Larry Sheldon (Aug 29)
- Re: Handling of Abuse Complaints Laszlo Hanyecz (Aug 29)
  - Re: Handling of Abuse Complaints Lee Fuller (Aug 29)
  - Re: Handling of Abuse Complaints Filip Hruska (Aug 29)
    - Re: Handling of Abuse Complaints Joe Maimon (Aug 29)

(Thread continues...)