nanog mailing list archives
Re: Handling of Abuse Complaints
From: Mark Andrews <marka () isc org>
Date: Tue, 30 Aug 2016 10:31:32 +1000
In message <3dc3fd61-5123-0070-dd4e-435ce6785577 () satchell net>, Stephen Satchell writes:
> On 08/29/2016 08:55 AM, Jason Lee wrote:
> > NANOG Community, I was curious how various players in this industry handle abuse complaints. I'm drafting a policy for the service provider I'm working for about handling of complaints registered against customer IP space. In this example I have a customer who is running an open resolver and have received a few complaints now regarding it being used as part of a DDoS attack. My initial response was to inform the customer and ask them to fix it. Now that it's still ongoing over a month later, I'd like to take action to remediate the issue myself with ACLs but our customer facing team is pushing back and without an idea of what the industry best practice is, management isn't sure which way to go. I'm hoping to get an idea of how others handle these cases so I can develop our formal policy on this and have management sign off and be able to take quicker action in the future.
>
> It depends on the nature of the complaint. If it's an amplification attack of some kind, figure out how the perp is doing it, and block it as appropriate. For example, do you filter incoming packets with source address of subnet network and broadcast (shorter than /30) and allnet (255.255.255.255) broadcast, and filter packets outbound with destinations of allnet broadcast? DNS and NTP can be tricked into generating packet storms. In particular, you may want to block excessive large DNS requests inbound using deep packet inspection at your edge. Not all abuse problems are the fault of the customer. You have to do your part as well.

I presume every one of you is planning to install DNS servers that support RFC 7873 - DNS COOKIES? Yes, servers exist that support this and some TLDs are already using such servers (0.47%), Alexa .Gov and .AU servers (0.09%), Alexa Top 1000 (0.22%) and Alexa Bottom 1000 (.19%).

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka () isc org
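
The source-address filter described in the quoted reply from Stephen Satchell, written out as an added example that is not part of the thread. The subnets and packet addresses are constructed from documentation ranges, the function names are hypothetical, and the "shorter than /30" cut-off is applied as the message words it.

```python
import ipaddress

ALLNET = ipaddress.IPv4Address("255.255.255.255")

def bogus_sources(subnets, cutoff=30):
    """Addresses that should never appear as an inbound source: the allnet
    broadcast plus the network and broadcast address of every customer
    subnet whose prefix is shorter than /cutoff (cut-off as in the message)."""
    bad = {ALLNET}
    for s in subnets:
        net = ipaddress.ip_network(s, strict=True)  # rejects host bits set
        if net.prefixlen < cutoff:
            bad.add(net.network_address)
            bad.add(net.broadcast_address)
    return bad

def inbound_verdict(src, bad):
    """Edge filter for packets arriving from outside."""
    return "drop" if ipaddress.IPv4Address(src) in bad else "accept"

def outbound_verdict(dst):
    """Edge filter for packets leaving: never forward to the allnet broadcast."""
    return "drop" if ipaddress.IPv4Address(dst) == ALLNET else "accept"

# Constructed sample data (RFC 5737 documentation prefixes).
SUBNETS = ["192.0.2.0/24", "198.51.100.0/23", "203.0.113.8/30"]
INBOUND_SOURCES = [
    "192.0.2.255",      # broadcast of the /24
    "192.0.2.17",       # ordinary host
    "198.51.100.255",   # ends in .255 but is a host inside the /23
    "198.51.101.255",   # real broadcast of the /23
    "203.0.113.11",     # broadcast of a /30, outside the stated cut-off
    "255.255.255.255",  # allnet broadcast
]

def evaluate():
    bad = bogus_sources(SUBNETS)
    return [(src, inbound_verdict(src, bad)) for src in INBOUND_SOURCES]

if __name__ == "__main__":
    for src, verdict in evaluate():
        print(f"in  src={src:<16} {verdict}")
    print(f"out dst={ALLNET!s:<16} {outbound_verdict(str(ALLNET))}")
```

The /23 case shows why the deny list has to be derived from the actual subnet boundaries: matching on a trailing .0 or .255 would drop a legitimate host.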