Re: IP Reputation Services

[Damian Menscher via NANOG <nanog () nanog org>]

On Mon, Apr 4, 2022 at 9:12 AM Laura Smith via NANOG <nanog () nanog org>
wrote:

> On Monday, April 4th, 2022 at 15:37, Mike Hammett <nanog () ics-il net>
> wrote:
>
> > I'm checking in to see what people think of IP reputation services.
>
> Pre-IPv6 I was always a little apprehensive of using them for general use
> because it was always a bit murky how they collected the IPs in the first
> place.
>
> Post-IPv6 I would think IP reputation services are fairly pointless. With
> people being given anything up to a /48 without question what are you going
> to do ? Block whole /48s ?

Yes.  Or /29s.  Or ASNs.  Depends on the scope of the abuse, and if the
provider is complicit.

One thing to keep in mind is data freshness.  For individual IPs (or /48s)
ownership can change frequently, so you need to make sure blocks expire in
a timely manner.  For /29s or ASNs this is less of a problem....

But... back back to the original question: consider trying to give each
customer a stable IP.  Rotating IPs frequently allows a single bad (or
compromised) customer to poison your entire IP-space.  Keeping them fixed
allows you to identify the problem and get them cleaned up.

Damian