mailing list archives
Re: Tier1 blackholing policy?
From: Jared Mauch <jared () puck nether net>
Date: Tue, 30 Apr 2013 17:20:04 -0400
On Apr 30, 2013, at 2:50 PM, bmanning () vacation karoshi com wrote:
Phone? You mean like Jitsi or Skype?
I'd like to see some numbers to back your assertion of "Typical" restoration
times of days.
my vendors deliver software fixes for "BGP" doesn't work in weeks, so I think that the following timeline and process
I'm going to outline exceeds their BGP problems.
0 hour - Issue Reported
0-24 hours - triage; send to customer/internal customer to mitigate/remediate
25-48 hours - Customer responds, host taken down if hacked, etc..
48-96 hours+ - If no response, IP null0'ed per AUP as network security risk
48-96 hours is also where the customer freaks out and quickly fixes their problem to come in compliance with AUP.
This is a natural process. Null0 or ACLs don't stay up for days or weeks on end. That doesn't mean this catches 100%
of all cases, but many ISPs get a daily report of phishing sites and malware hosted on their network each morning. You
can get one too!
You can get a daily ATLAS report from Arbor as well: http://atlas.arbor.net/ (Although I can't get anyone to fix a
problem with it, so anyone there can email me if you have the power to fix it).
There are other aggregators of data as well, such as SIE. If you don't know the health of your network, take a look.
Many folks will email you these reports automatically, or provide you a direct feed (some in realtime, such as SIE).
Re: Tier1 blackholing policy? Jon Lewis (Apr 30)
Re: Tier1 blackholing policy? William Herrin (Apr 30)