Handling of Abuse Complaints
- Subject: Handling of Abuse Complaints
- From: marka at isc.org (Mark Andrews)
- Date: Tue, 30 Aug 2016 10:31:32 +1000
- In-reply-to: Your message of "Mon, 29 Aug 2016 12:00:49 -0700." <[email protected]>
- References: <CABD5cReam8[email protected]> <[email protected]>
In message <3dc3fd61-5123-0070-dd4e-435ce6785577 at satchell.net>, Stephen Satchell writes:
> On 08/29/2016 08:55 AM, Jason Lee wrote:
> > NANOG Community,
> >
> > I was curious how various players in this industry handle abuse complaints.
> > I'm drafting a policy for the service provider I'm working for about
> > handling of complaints registered against customer IP space. In this example
> > I have a customer who is running an open resolver and have received a few
> > complaints now regarding it being used as part of a DDoS attack.
> >
> > My initial response was to inform the customer and ask them to fix it. Now
> > that it's still ongoing over a month later, I'd like to take action to
> > remediate the issue myself with ACLs but our customer-facing team is
> > pushing back and without an idea of what the industry best practice is,
> > management isn't sure which way to go.
> >
> > I'm hoping to get an idea of how others handle these cases so I can develop
> > our formal policy on this and have management sign off and be able to take
> > quicker action in the future.
>
> It depends on the nature of the complaint. If it's an amplification
> attack of some kind, figure out how the perp is doing it, and block it
> as appropriate. For example, do you filter incoming packets with source
> address of subnet network and broadcast (shorter than /30) and allnet
> (255.255.255.255) broadcast, and filter packets outbound with
> destinations of allnet broadcast?
>
> DNS and NTP can be tricked into generating packet storms. In
> particular, you may want to block excessive large DNS requests inbound
> using deep packet inspection at your edge.
>
> Not all abuse problems are the fault of the customer. You have to do
> your part as well.

I presume every one of you is planning to install DNS servers that
support RFC 7873 - DNS COOKIES? Yes, servers exist that support
this and some TLDs are already using such servers (0.47%), Alexa
.Gov and .AU servers (0.09%), Alexa Top 1000 (0.22%) and Alexa Bottom 1000
(.19%).
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
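
Added example, not part of the original message and not ISC code: a way to tell from a DNS reply whether the server supports RFC 7873, meaning it echoes the 8-byte client cookie followed by an 8 to 32 byte server cookie. The function names, the 1232-byte EDNS payload size and the sample replies are assumptions constructed for illustration; sending the query over UDP to the server under test is left out so the block runs offline.

```python
import os
import struct

COOKIE, OPT = 10, 41  # EDNS COOKIE option code (RFC 7873), OPT pseudo-RR type

def question(qname):
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\0" + struct.pack("!HH", 1, 1)

def opt_rr(cookie):
    # Root name, TYPE=OPT, CLASS=UDP payload size, TTL=0, RDATA = one COOKIE option
    rdata = struct.pack("!HH", COOKIE, len(cookie)) + cookie
    return b"\0" + struct.pack("!HHIH", OPT, 1232, 0, len(rdata)) + rdata

def build_message(qname, cookie, flags=0x0000, qid=0x1234):
    """A-record query (or, with flags=0x8000, a constructed reply) carrying a COOKIE option."""
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1) + question(qname) + opt_rr(cookie)

def skip_name(msg, off):
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:        # compression pointer terminates the name
            return off + 2
        off += 1
        if n == 0:
            return off
        off += n

def server_cookie(reply, client_cookie):
    """Server cookie (8..32 bytes) from a reply that echoes client_cookie, else None."""
    qd, an, ns, ar = struct.unpack("!HHHH", reply[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(reply, off) + 4           # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(reply, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
        rdata, off = reply[off + 10:off + 10 + rdlen], off + 10 + rdlen
        while rtype == OPT and len(rdata) >= 4:   # walk the EDNS options
            code, olen = struct.unpack("!HH", rdata[:4])
            value, rdata = rdata[4:4 + olen], rdata[4 + olen:]
            if code == COOKIE and value[:8] == client_cookie and 8 <= len(value) - 8 <= 32:
                return value[8:]
    return None

if __name__ == "__main__":
    cc = os.urandom(8)  # replies below are constructed, not captured traffic
    print(server_cookie(build_message("example.com", cc + b"S" * 8, 0x8000), cc))
    print(server_cookie(build_message("example.com", cc, 0x8000), cc))
```

A reply that returns only the client cookie, or no COOKIE option at all, yields `None`, which is what a server without cookie support looks like to the client.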