* Simon Lockhart:

> On Sun Sep 18, 2016 at 03:58:57PM +0200, Florian Weimer wrote:
>> * Tom Beecher:
>>
>> > Simon's getting screwed because he's not being given any information to try
>> > and solve the problem, and because his customers are likely blaming him
>> > because he's their ISP.
>>
>> We don't know that for sure.  Another potential issue is that the ISP
>> just cannot afford to notify its compromised customers, even if they
>> were able to detect them.
>
> I'd like to think that we're pretty responsive to taking our users offline
> when they're compromised and we're made aware of it - either through our own
> tools, or through 3rd party notifications.

Okay, then perhaps my guess of the ISP involved is wrong.

> The process with Sony goes something like:
>
> - User reports they can't reach PSN
> - We report to Sony/PSN, they say "Yes, it's blocked because that IP attacked
>   us"
> - We say "Okay, that's a CGNAT public IP, can you help us identify which
>   inside user that is - (timestamp,ip,port) logs, or some way to identify the
>   bad traffic so we can look for it ourselves"
> - Sony say no, either through silence, or explicitly.
> - We have unhappy user(s), who blame us.

Yes, that's not very constructive.

Out of curiosity, how common is end-to-end reporting of source/destination
port information (in addition to source IP addresses and destination IP
addresses)?  Have the anti-abuse mechanisms finally caught on with CGNAT,
or is it possible that the PSN operator themselves do not have such
detailed data?
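
Added example, not part of the original message: a sketch of how an ISP could map the (timestamp,ip,port) tuple mentioned in the quoted exchange to an inside user, and why a report without the source port is ambiguous behind CGNAT. The log format, addresses and function names are constructed assumptions, not any vendor's format.

```python
from datetime import datetime, timedelta, timezone

# Constructed port-block allocation log for one CGNAT public address
# (documentation ranges: 203.0.113.0/24 public, 100.64.0.0/10 inside).
# Assumed format: start end public_ip port_lo-port_hi inside_ip
SAMPLE_LOG = """\
2016-09-18T12:00:00Z 2016-09-18T13:00:00Z 203.0.113.7 1024-2047 100.64.0.11
2016-09-18T12:00:00Z 2016-09-18T14:00:00Z 203.0.113.7 2048-3071 100.64.0.12
2016-09-18T13:00:05Z 2016-09-18T15:00:00Z 203.0.113.7 1024-2047 100.64.0.13
"""

def _ts(s):
    """Parse a UTC timestamp of the form 2016-09-18T12:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_log(text):
    """Turn the log text into (start, end, public_ip, lo, hi, inside_ip) rows."""
    rows = []
    for line in text.splitlines():
        start, end, pub, ports, inside = line.split()
        lo, hi = map(int, ports.split("-"))
        rows.append((_ts(start), _ts(end), pub, lo, hi, inside))
    return rows

def resolve(rows, when, public_ip, src_port=None, skew=timedelta(0)):
    """Return the set of inside addresses that could have sent the traffic.

    src_port=None models a report carrying only (timestamp, ip); skew widens
    the time window to allow for clock drift between reporter and CGNAT logs.
    """
    t = _ts(when)
    hits = set()
    for start, end, pub, lo, hi, inside in rows:
        if pub != public_ip:
            continue
        if not (start - skew <= t <= end + skew):
            continue
        if src_port is not None and not (lo <= src_port <= hi):
            continue
        hits.add(inside)
    return hits
```

With the sample log, a report without a port matches two inside users, the same report with the source port matches one, and a timestamp near a port-block reallocation becomes ambiguous again once clock skew is allowed for.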

