Home page logo
/

nanog logo nanog mailing list archives

Status Report - Mail Bombing of World.std.com by Sprint Client + FAQ
From: Barry Shein <bzs () world std com>
Date: Sun, 5 Jan 1997 21:35:04 -0500


We are now well into day four and about to enter day five of this.

As of about 9PM EST the mail-bombing of world.std.com by the Sprint
client iq-internet.com continues full bore.

It had stopped between about 8AM EST until about 8PM EST Sunday 1/5/97
and then restarted leading me to believe someone at iq-internet.com
manually restarted the mail-bombing. There is no reason to believe
there were any 12 hour connectivity problems between us or similar
external explanations, someone at iq-internet.com most likely noticed
it had stopped and restarted it.

Sprint's position (explained to me at around 8:45PM EST when I called
to report this status, also emailed Sprint the logs) is that they will
meet during business hours tomorrow (Monday 1/6/97) to discuss this
issue.

To save hearing the obvious suggestions etc again, increasing traffic
on these lists here is a brief FAQ:

Q1. Are you (std.com) a Sprint customer?

A1: No, we are not.

Q2: Why don't you just block it at your router?

A2a: It's effectively blocked at our host, which no doubt is faster
than the router anyhow (a 16 cpu SGI Challenge XL w/ 1.5GB ram), but
this gives me full logs.

A2b: Note that blocking it at the router does nothing to free up our
bandwidth to the internet we are trying to provide to our customers.
Since the path between our router and world.std.com is a 100mb/s FDDI
letting it go that one more hop is inconsequential to the harm being
done.

Q3: Ok, why don't you ask your provider (Alternet) to block it?

A3a: A lot of this has to do with Sprint's reluctance to deal with
their customer in any timely manner (four days, including two
weekdays, would seem sufficient for them to simply put one route block
in at iq-internet.com's router.) I want the logs for now, I want the
bigger problem which seems to prevent Sprint front-line NOC personnel
from fixing operational problems fixed. Burying it as another router
block at our end or our backbone provider's end doesn't deal with the
real problem here, that Sprint has policies in place preventing them
from dealing with malicious, disruptive and damaging customers.

A3b: Yes Alternet has offered to do this as soon as I request it.

Q4: Why don't you email bomb, SYN attack, etc the host doing this to
you?

A3: Although I have sent a lot of email to a lot of accounts at the
host periodically asking them to stop I don't think malicious behavior
will help get to the root problem here which is Sprint's policies
forbidding their personnel from intervening into even the most
egregious and outrageous abuse of network facilities without
self-defeating and lengthy bureaucratic process (I think that's a fair
characterization as we go into the FIFTH day of this.)

Q5: Ok, why don't you redirect it to addresses at sprint or mailbomb
them or something similar to get their attention?

A5: Again, self-defeating. But it is nice to know the people who are
empowered to make this decision are enjoying *THEIR* weekend.

Q6: Do you believe this is an isolated incident or a real failure in
policy at Sprint? It seems fairly outrageous that they can't stop a
customer whose behavior is so malicious, it doesn't seem possible that
the customer doesn't know that this has gone way beyond "spam".

A6: I believe this is a total failure of express Sprint policy and not
an isolated incident in any way. I have been told many times now by
Sprint personnel (at their NOC) that official policy forbids them from
acting against this mail-bombing and there exists no process to get a
decision made otherwise which takes less than the five days it looks
like it is going to take (eg, there's no single manager they can call
who has the authority to order the route block or some action be
taken, or these people feel they can put such decision-making off
until it is convenient for them personally.)

Q7: Well, I can see Sprint's reluctance to block this loathsome
creature entirely from the net without some process, these are
litigious times, but you're saying Sprint refuses to even block the
single route between iq-internet.com (the mail-bomber) and your host?
Is there any legitimate reason for this site to be able to get to your
host?

A7: Yes, I am saying that Sprint policy is such that their personnel
is not authorized to install even one route block without lengthy
bureaucratic process taking several days.

Q8: Why do you think this is so?

A8a: Because there is an atmosphere of fear, essentially, at Sprint's
NOC and their personnel have been completely unempowered from taking
operational actions they know are required of them to operate within
the greater internet. Essentially, they (Sprint policy-makers)
apparently believe that any damage to the greater internet or any host
or site is less important than their ability to run internal
bureaucratic process at whatever pace and using whatever management
style which suits them.

A8b: As far as I can tell once they identify a customer as a "spammer"
then they can take no action against him, no matter what the actual
behavior is. At this point this is clearly an operational/technical
problem, the "spam" has been blocked for four days now, the spammer
has been told this, yet messages are still being looped from his
machine almost non-stop. It is only via some bizarre exercise in
"mind-reading" that someone, in my opinion, could surmise that the
perpetrator's intention is to deliver advertising to mailboxes at our
site. Yet, Sprint personnel are not empowered to do anything about
this without lengthy internal process.

Q9: Wow, this is quite outrageous, I'd go so far as to say
"scary". Many of us sit here naively thinking that large companies
such as Sprint selling internet services basically do their jobs
within some reasonable range of quality, but this sounds like a very
deep and worrisome failure of management at Sprint. How can any
network emergencies be taken care of if they won't let their
front-line NOC personnel take any operational responsibility, and it
takes days and days to escalate internally what seem to be relatively
straightforward problems with straightforward solutions which really
should be dealt with quickly, in minutes, or certainly a very few
hours?

A9: No comment.


-- 
        -Barry Shein

Software Tool & Die    | bzs () world std com          | http://www.std.com
Purveyors to the Trade | Voice: 617-739-0202        | Login: 617-739-WRLD
The World              | Public Access Internet     | Since 1989
- - - - - - - - - - - - - - - - -


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault