North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?
- From: Damian Gerow
- Date: Wed Jan 22 11:13:56 2003
(Taking NANOG out, as this is moving a little towards personal conversation)
On Tue, 21 Jan 2003 16:44:26 -0800 "todd glassey"
> Vadim - the instant someone sues a Provider for sexual harassment from
> their spam epidemic you will start to see things change. The reason that
> No-Sane provider will block these ports or services is because they have
> been listening to their Network Admins too long, and in fact the problem
> is that they are not sane providers. What they are, and this is pretty
> much true across the board, is people that just don't care what they do to
> earn a buck otherwise we would not have these problems, and this is
> especially true of those Network Operators that push all those billions of
> bytes of illicit SPAM and throw their hands up and say "What do you expect
> us to do" - well the answer is simple. I expect you folks to operate
> within the law and to cooperate in stopping people who use your services
> in violation of the laws.
> And if the providers out there don't like that - then they should find
> other businesses.
I think you're *nuts* if you think an ISP should be held entirely
accountable for its customers actions.
I'm one of a handful of administrators in a small ISP, and we do our
damnedest to ensure that everything runs smoothly. We have a fairly strict
AUP that we actually enforce, we do egress filtering (not enough, but we're
working towards it), we contact customers that are infected with virii and
worms, and we have *zero* tolerance for script kiddies (usually instant
IMHO, that is about all you can expect an ISP to do. Have an AUP that
incorporates all of your problems (spam, abuse, viruses, etc), and enforce
it. You can *not* expect the ISP to police absolutely everything that its
customers do. You can *not* expect the ISP to be held responsible for three
of its fifteen thousand customers browsing child porn. You can *not* expect
the ISP to be accountable for its two hundred script kiddies.
You *can* expect the ISP to have an AUP. You *can* expect the ISP to react,
and to react quickly. You *can* expect the ISP to co-operate with the
proper authorities, if it goes to that level. You *can* expect the ISP to
contact and work with (when and where needed) other ISPs to track down and
I am a Network Admin, and I am *still* looking for an effective way to block
outbound spam from our customers. I spent two months purging all our mail
servers of FormMail, and scan them every night for more vulnerable versions.
Do you think that I should be sued because one of these slips through the
cracks (there's a 24-hour window in which one can be installed and abused),
and you get some porn spam? I certainly hope not.
Being able to sue ISPs for their customers actions is pure insanity, and
will just lead to massive ISP shutdown world-wide.
However, being able to sue ISPs for *negligence* and for *ignoring*
customers actions is a whole different boat, and I think is an idea worth
- Damian Gerow, an overworked, underpaid, underappreciated Network
Administrator. Strung out on caffeine, because I spent most of last night
hashing out some more details on our anti-spamming actions.