In message <3dc3fd61-5123-0070-dd4e-435ce6785...@satchell.net>, Stephen Satchell writes: > On 08/29/2016 08:55 AM, Jason Lee wrote: > > NANOG Community, > > > > I was curious how various players in this industry handle abuse complaints. > > I'm drafting a policy for the service provider I'm working for about > > handing of complaints registered against customer IP space. In this example > > I have a customer who is running an open resolver and have received a few > > complaints now regarding it being used as part of a DDoS attack. > > > > My initial response was to inform the customer and ask them to fix it. Now > > that its still ongoing over a month later, I'd like to take action to > > remediate the issue myself with ACLs but our customer facing team is > > pushing back and without an idea of what the industry best practice is, > > management isn't sure which way to go. > > > > I'm hoping to get an idea of how others handle these cases so I can develop > > our formal policy on this and have management sign off and be able to take > > quicker action in the future. > > It depends on the nature of the complaint. If it's an amplification > attack of some kind, figure out how the perp is doing it, and block it > as appropriate. For example, do you filter incoming packets with source > address of subnet network and broadcast (shorter than /30) and allnet > (255.255.255.255) broadcast, and filter packets outbound with > destinations of allnet broadcast? > > DNS and NTP can be tricked into generating packet storms. In > particular, you may want to block excessive large DNS requests inbound > using deep packet inspection at your edge. > > Not all abuse problems are the fault of the customer. You have to do > your part as well.
I presume everyone of you is planning to install DNS servers that support RFC 7873 - DNS COOKIES? Yes, servers exist that support this and some TLD's are already using such servers (0.47%), Alexa .Gov and .AU servers (0.09%), Alexa Top 1000 (0.22%) and Alexa Bottom 1000 (.19%). Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
