[kkielhofner]

I’d argue that a reasonable network limitation with a minimal blast ratio is responsible. For example, I use SIP over 5060 on Spectrum without issue.

Not having their network used by bots to inflict untold financial damage is being responsible.

Would you argue that implementation of BCP38 to cut down on bots used in DDoS attacks is “not the ISP’s responsibility”?

Plus, they get the abuse reports from the victims and I’m certain this traffic is a ToS violation for their customers and certainly against the CFAA and numerous other laws for the resulting theft and fraud it causes.

[kevin_thibedeau]

Block by default is fine but customers should be empowered to disable them if they need the IP service they're paying for.

[another_comment]

>>I’d argue that a reasonable network limitation with a minimal blast ratio is responsible.

I'm the OP and I agree. Across 3 Twilio phone numbers and I maybe make 4 voice calls and 10 texts a week. I've been doing this for 4 years or more.

>> For example, I use SIP over 5060 on Spectrum without issue.

As did I, until a week or so ago. Until I was cut off, without notice. I've been a Spectrum residential customer since the 1990s.

[unethical_ban]

Nah, just like port 25 outbound being blocked is shitty. How can we have a decentralized net when consumer ISPs make people call in or beg to have full network access?

Yes, do some flood detection, but the problem is that the SIP provider should be, as another commenter put, block international calls or otherwise detect/reject calls to toll systems. Who the heck uses toll numbers anymore anyway?

[kkielhofner]

"People" here being the 0.001% of the population that's interested in and capable of responsibly hosting anything. As others have noted I'm perfectly fine with someone having to make a phone call, go to a web UI, whatever to click a box with a scary warning (and potentially agree to additional terms) when they want to open their connection up. Spectrum has 32 million customers and blocking SMTP, netbios, RDP, rate limiting SIP, etc are reasonable defaults.

The alternative (today) is the literally millions of compromised PCs, IoT devices, etc that inflict incredible amounts of damage and make even more decentralizing services like CloudFlare essentially a necessity to make sure whatever you're hosting can deal with the possibility of terabits of traffic from a botnet showing up at any second (or SPAM, or VoIP fraud, etc, etc). As it stands now we have both and there is still an incredible amount of trash traffic - see other comments in this thread about people trying to host their own Asterisk instance and having it use 100% CPU just processing all of the malicious trash traffic showing up.

I mentioned blocking international calls by default in another comment. So now you need to contact your provider just to call someone in another country? Unfortunately, yes, that has been the case for many VoIP enabled systems for almost a decade now.

In NANPA (North American Numbering Plan) the international call prefix is 011. This is trivial to put behind a flag. However, after that detecting toll numbers is much more difficult because you're dealing with the entire world at that point and the numbering schemes, etc for toll numbers are all over the place. Additionally, in many countries there isn't any rhyme or reason to their toll numbering and unscrupulous network operators and jurisdictions that don't have a functioning legal system capitalize on all of this. It's been a while but I even remember some destinations in the caribbean taking advantage of having a +1 country code so not even the "international" call prefix block works in that case.

In my past life I was the CTO for a VoIP service provider with hundreds of thousands of business VoIP systems. This issue is very vast and complex while looking from the outside like yet another HN "Why don't you just do X" or "I could solve that in a weekend".

[unethical_ban]

I've been a firewall admin for a decade, I'm not entirely naive, and I am now sober.

I clearly don't work in VoIP, I only had a one year stint with call center stuff. But I am honestly asking, who uses toll numbers anymore? Why wouldn't phone companies and VoIP providers literally decide not to honor a tool that seems, to me, entirely built for scams? Are there places without Internet but with phones, in such a scenario where a toll number scheme makes sense?

Put in general terms, I am saying "don't block the network protocol, end the toll-payout protocol". It would be like us living in a system where scammers could charge you $5 each time you got caught staring at a postcard in your mailbox, and we decided to block postcards rather than stop paying the extortion.

On the broader topic of "decentralized servers being abused on the Internet" yeah I get the problem of open DNS and SMTP relays. I do assert that those services being locked down are why we only have 0.0001% engagement.

[kkielhofner]

You make a good point regarding toll numbers and the real answer is "I don't know" but they persist for whatever reasons...

I'm also not being entirely clear when I say "toll numbers". What I really mean is "high cost" numbers. You're a firewall admin, you know there's no limit to the creativity and ingenuity of scammers/fraudsters/etc with a clear monetization path. There's also traffic pumping[0], jurisdictions where the rate decks overly subsidize the cost to a "mobile" vs "landline", high-rate destinations (like Iridium), and again, various destinations with weird rate structures where (somewhat like traffic pumping) there doesn't seem to be any real justification that the billed rate aligns with the actual cost of delivering service but due to corrupt or non-functioning governments/regulators/telcos/etc they persist and are ripe for fraud.

[0] - https://www.fcc.gov/general/traffic-pumping

[denkmoon]

You buy access on a network that doesn't block those things, if you want a network that doesn't block those things.