[Dshield] Idea for dealing with ISPs that ignore abusenotificatons was RE: The Art/Tao/Zen of Abuse e-mails (Was:[Fwd: WHY IS YOURCUSTOMER...])
Tomas L. Byrnes
tomb at byrneit.net
Fri Aug 25 21:37:14 GMT 2006
Since we're talking about Non Response from a Responsible Party for an
address range to the world's recognized premier security experts
reporting net-abuse from that CIDR, I think blocking all CIDRs that
share the same RP is in order.
It would be up to you, however. I think it would just be beneficial for
DSHIELD to publish who the Non-responsive RPs are, what IPs and CIDRs
are being reported as abusive, and then it's up to us to decide how to
deal with it as a local policy matter. If you just want to block the IPs
for which no response is received, that's up to you. Personally, I don't
want to receive any connections from networks where the admins don't do
their jobs, so I would look up their NIC handles, and associated CIDRs,
and block the lot of them.
If I could have a list of all the CIDRs with invalid or non-responsive
Abuse aliases, I'd block the lot of them in a heartbeat.
The beauty of the DSHIELD system is that it simply provides INFORMATION,
it's up to you to decide how to implement the policy. In this respect it
is, IMNSHO, superior to many other approaches.
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of
Valdis.Kletnieks at vt.edu
Sent: Friday, August 25, 2006 1:02 PM
To: General DShield Discussion List
Subject: Re: [Dshield] Idea for dealing with ISPs that ignore
abusenotificatons was RE: The Art/Tao/Zen of Abuse e-mails (Was:[Fwd:
WHY IS YOURCUSTOMER...])
On Fri, 25 Aug 2006 08:19:02 PDT, "Tomas L. Byrnes" said:
> One way to change those economics is if we all were to block ALL
> traffic from the CIDRs of non-responsive Abuse aliases.
This *does* get into the 800 pound gorilla problem, however. What do
you do with a non-responsive Abuse at an organization that you have a
business need to remain in contact with?
Also, what CIDR do you use? The /27 the offenders got? The /22 their
hosting service got? The /15 the hosting service's provider has? Note
the chance of accidental (or intentional) collateral damage rises
quickly as you raise the size of the block. Go for a /16 instead of a
/17, and find you've just blocked somebody (a) squeaky clean and (b)
important to your upper management. Whoops, a true CLM(*).
Also, keep in mind that intentional collateral damage (the "Sorry you're
blocked, maybe you shouldn't have gotten service from a provider known
to host spammers") isn't likely to win you many friends. It may
*eventually* get the provider to clean up when they lose a lot of
customers - but it *will* be a long, painful, drawn-out process as you
inflict pain on somebody for something their provider's provider did in
conjunction with some other customer of the upstream...
(*) CLM - Career Limiting Move.
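The two sides of this exchange (block everything behind a non-responsive abuse contact, versus the collateral damage of widening a block from /27 to /22 to /15) can be measured before any rule is deployed. The following is an added worked example, not code from the DShield list or from either author; every address, prefix and abuse-contact handle in it is constructed sample data (documentation ranges), and the contact-to-CIDR mapping is a stand-in for whatever WHOIS/NIC lookup you would actually use.

```python
"""
Added example: widen a block around one reported abusive IP to the /27, /22
and /15 sizes discussed above, measure how many addresses each candidate
covers and which must-reach hosts it would cut off, then build the
"block every CIDR behind a silent abuse contact" list with carve-outs.
All data below is constructed for illustration.
"""
import ipaddress

# Constructed: abusive source whose abuse alias never answered (TEST-NET-3).
REPORTED_IP = "203.0.113.77"

# Constructed: hosts we have a business need to keep talking to.
MUST_REACH = ["203.0.113.10", "203.0.112.5", "198.51.100.20"]

# Constructed stand-in for a NIC-handle lookup: responsible party -> announced CIDRs.
CONTACT_TO_CIDRS = {
    "ABUSE-SILENT": ["203.0.113.0/24", "203.0.112.0/23"],
    "ABUSE-OK": ["198.51.100.0/24"],
}
# Constructed: contacts that ignored every abuse notification.
NON_RESPONSIVE = {"ABUSE-SILENT"}


def candidate_blocks(ip, prefix_lengths=(27, 22, 15)):
    """Return (network, address_count) for each prefix length, widening the
    block around a single reported IP the way the thread describes."""
    addr = ipaddress.ip_address(ip)
    out = []
    for plen in prefix_lengths:
        net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        out.append((net, net.num_addresses))
    return out


def collateral(net, must_reach):
    """Must-reach hosts that a candidate block would cut off."""
    return [h for h in must_reach if ipaddress.ip_address(h) in net]


def blocklist_for_silent_contacts(contact_to_cidrs, non_responsive, must_reach):
    """Local-policy variant of the proposal: block every CIDR whose
    responsible party is non-responsive, but list the must-reach hosts that
    need an allow rule ahead of the block so the policy stays a policy and
    not a CLM."""
    blocked, exceptions = [], set()
    for contact in sorted(non_responsive):
        for cidr in contact_to_cidrs.get(contact, []):
            net = ipaddress.ip_network(cidr)
            blocked.append(net)
            exceptions.update(collateral(net, must_reach))
    return blocked, sorted(exceptions)


if __name__ == "__main__":
    for net, size in candidate_blocks(REPORTED_IP):
        hit = collateral(net, MUST_REACH)
        print(f"{str(net):18} covers {size:>7} addresses; collateral: {hit or 'none'}")
    blocked, exceptions = blocklist_for_silent_contacts(
        CONTACT_TO_CIDRS, NON_RESPONSIVE, MUST_REACH
    )
    print("block:", [str(n) for n in blocked])
    print("allow first:", exceptions)
```

Run as-is it shows the jump from 32 addresses at /27 (no collateral) to 1024 at /22 and 131072 at /15, both of which swallow the two must-reach hosts on the same provider; the second function prints the prefixes to drop for the silent contact together with the hosts that need an explicit allow rule evaluated before the block. Swap the constructed mapping for real registry data and the allowlist for your own partner hosts to turn the thread's argument into a measurable decision.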