[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Handling of Abuse Complaints

In message <3dc3fd61-5123-0070-dd4e-435ce6785577 at satchell.net>, Stephen Satchell writes:
> On 08/29/2016 08:55 AM, Jason Lee wrote:
> > NANOG Community,
> >
> > I was curious how various players in this industry handle abuse complaints.
> > I'm drafting a policy for the service provider I'm working for about
> > handing of complaints registered against customer IP space. In this example
> > I have a customer who is running an open resolver and have received a few
> > complaints now regarding it being used as part of a DDoS attack.
> >
> > My initial response was to inform the customer and ask them to fix it. Now
> > that its still ongoing over a month later, I'd like to take action to
> > remediate the issue myself with ACLs but our customer facing team is
> > pushing back and without an idea of what the industry best practice is,
> > management isn't sure which way to go.
> >
> > I'm hoping to get an idea of how others handle these cases so I can develop
> > our formal policy on this and have management sign off and be able to take
> > quicker action in the future.
> It depends on the nature of the complaint.  If it's an amplification 
> attack of some kind, figure out how the perp is doing it, and block it 
> as appropriate.  For example, do you filter incoming packets with source 
> address of subnet network and broadcast (shorter than /30) and allnet 
> ( broadcast, and filter packets outbound with 
> destinations of allnet broadcast?
> DNS and NTP can be tricked into generating packet storms.  In 
> particular, you may want to block excessive large DNS requests inbound 
> using deep packet inspection at your edge.
> Not all abuse problems are the fault of the customer.  You have to do 
> your part as well.

I presume everyone of you is planning to install DNS servers that
support RFC 7873 - DNS COOKIES?  Yes, servers exist that support
this and some TLD's are already using such servers (0.47%), Alexa
.Gov and .AU servers (0.09%), Alexa Top 1000 (0.22%) and Alexa Bottom 1000

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org