Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: zotob - blocking tcp/445

  • From: My Name
  • Date: Thu Aug 18 14:15:33 2005

On 8/18/05, Roger Marquis <marquis@roble.com> wrote:
> 
> Andy Johnson wrote:
> > I think the point of many on this list is, they are a transit
> > provider, not a security provider. They should not need to filter
> > your traffic, that should be up to the end user/edge network to
> > decide for themselves.
> 
> How is this different from a transit provider allowing their network
> to be used for spam?  Seems the same hands-off argument was made wrt
> spam a decade ago but has since proved unsustainable.
> 

This is where the abuse teams at the service providers need to have
management approved thresholds for different types of abuse and be
empowered to take action.

If your customer is caught port scanning (hacking, worm propagation,
etc) twice within a two day time frame or something, the abuse team
should be able to null route/filter the ports without further warning.
If they are spamming and after repeat notifications they do not stop,
have an escalation process that goes from suspension to termination of
service.  There are plenty of automated complaint scripts out there
for all types of abuse, so you don't have to look at everything
yourself.


> Our particular problem is with an ISP in Wisconsin, NETNET-WAN.  We
> get tens of thousands of scans to netbios ports every day from their
> /19.  This is several orders of magnitude more netbios than we see
> from the rest of the net combined.  It's eating nontrivial bandwidth
> and cpu that we pay real money for.  They've had our logs for months
> but seem incapable of doing anything about their infected customers.
> The suits recommend documenting time and bandwidth costs and sending
> a bill with a cease and desist request.
> 
> My question is not what can we do about bots, we already filter
> these worst case networks, but what can we do to make it worthwhile
> for bot-providers like NETNET to police their own networks without
> involving lawyers?
> 
> --
> Roger Marquis
> Roble Systems Consulting
> http://www.roble.com/
>



