ICANN Email List Archives

[gnso-ff-pdp-may08]



RE: [Bulk] [gnso-ff-pdp-may08] Mike R's "24/7 abuse queue" proposal

  • To: <gaaron@xxxxxxxxxxxx>, <joe@xxxxxxxxxxxxxxxxxx>, <ebw@xxxxxxxxxxxxxxxxxxxx>, <gnso-ff-pdp-May08@xxxxxxxxx>
  • Subject: RE: [Bulk] [gnso-ff-pdp-may08] Mike R's "24/7 abuse queue" proposal
  • From: "Diaz, Paul" <pdiaz@xxxxxxxxxxxxxxxxxxxx>
  • Date: Sun, 3 Aug 2008 19:47:02 -0400

Sorry for the delayed response, but I've been out of town and have just waded 
through the mailing list.  

To argue that "the incremental cost of running a 24/7 threat-response 
capability is zero" is misguided.  Greg makes all of the pertinent points 
below.  As the community has seen in high-profile domain hijacking cases, even 
some Top 10 registrars (in terms of domains under management) do not have 
appropriate staff on call during non-business hours to handle hot cases.  NOC 
staff, where they exist, most often are focused on engineering issues and do 
not have the training to respond to something like a fastflux claim.  Training 
them and/or building a dedicated 24/7 response capability would entail 
significant costs.

This brings me back to some of the questions I posed in an earlier thread: what 
standards will be used to identify fastflux domains, how will we vet the 
"police" making the claim, who will pay for all of this process, etc.?  I 
realize we're in brainstorming mode now, but before any ideas get posted let's 
be sure to think through the ramifications.  It does this working group no good 
to float proposals that are based on obviously flawed assumptions.

Thanks, P 


-----Original Message-----
From: Greg Aaron [mailto:gaaron@xxxxxxxxxxxx]
Sent: Sat 8/2/2008 4:49 PM
To: joe@xxxxxxxxxxxxxxxxxx; ebw@xxxxxxxxxxxxxxxxxxxx; gnso-ff-pdp-May08@xxxxxxxxx
Subject: RE: [Bulk] [gnso-ff-pdp-may08] Mike R's "24/7 abuse queue" proposal
 
Mike O. and Joe have stated that the incremental cost of running a 24/7
threat-response capability is zero.  I think that's incorrect, and solicit
comments.

My observations are:

* Monitoring and response do not just require 24x7x365 staffing -- but
possibly 24x7x365 staffing by personnel with a specific background.

* Some registrars -- including some large ones -- have 24/7 customer support
for registrants but route abuse complaints to compliance, legal, or
specialty personnel, who they feel have the expertise to make the judgments
needed.  Specialists are not on duty 24/7.  The WG has had a lot of
discussion about how hard it is sometimes to determine whether a given
domain name is a problem, and the legal and liability issues involved in
suspending it.

* Personnel is a real capex, and incremental staff cost is not zero.
Someone must handle those calls and e-mails, and be trained to do so.  I see
this in my company.

* NOCs (Network Operations Centers) are dedicated to, well, network
operations.  Abuse response, customer support, and NOC are distinct
disciplines in many companies, especially once they reach a certain size.

* I don't know how many registrars have dedicated NOCs, or are staffed 24/7.
(Having contacted many registrars over the years, I know many smaller ones
are not 24x7x365).  Registrars with dedicated NOCs might have them because
they offer ancillary services such as hosting.

All best,
--Greg



-----Original Message-----
From: owner-gnso-ff-pdp-may08@xxxxxxxxx
[mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx] On Behalf Of Joe St Sauver
Sent: Saturday, August 02, 2008 3:33 PM
To: ebw@xxxxxxxxxxxxxxxxxxxx
Cc: gnso-ff-pdp-May08@xxxxxxxxx
Subject: Re: [Bulk] [gnso-ff-pdp-may08] Mike R's "24/7 abuse queue" proposal


Eric commented:

#I appreciate you are a man of beliefs. Thank you for your estimation of 
#the cost of your "24/7 abuse queue" proposal, which I don't understand, 
#lacking your beliefs or some other context that would result in numeric 
#values for a spreadsheet.

Let me attempt to break this out a little...

Putting on my "MBA hat," the costs for handling a 24/7 abuse queue will 
vary widely depending on a number of concrete factors, but will, in most
cases, be zero or near zero.

Capex? None that I'm aware of. All registrars already have all the
basics (network connectivity, workstations, building space, etc.)

Opex? If you already have a 24/7 NOC to deal with other operational issues, 
abuse response could be added as a supplemental duty. Enter "$0.00"
in the spreadsheet for "incremental staff costs" in that case.

Likewise, if abusive customers are already being aggressively screened out,
you may never see much if any business for the abuse desk to handle. In
that case, the total direct incident-related costs will also be zero in
the spreadsheet. Absent registrars (or others) coming forward and saying,
"Yes, heck yes, we're just overrun with miscreants," I'm going to assume
that most registrars will be in this asymptotically small incident count
range, which means that direct variable costs will be more zeros for your 
spreadsheet.

Are there other costs I've missed that you're concerned about? 

Or is your concern largely with the "micro level" tier of registrars who 
are more or less operating from their garage/kitchen table? (Nothing
wrong with that sort of entrepreneurial scale operation, by the way,
just noting that operations are different at that level than if you're
one of the big outfits)

Regards,

Joe

Disclaimer: all opinions strictly my own.



