Abuse.cc ???
McBurnett, Jim
jmcburnett at msmgmt.com
Sat Apr 5 03:51:27 UTC 2003
I tell ya, what really gets me in a bad mood is when my PIX logs
show the same IP address hitting port 80 on 25 different IPs
and the time line is 2 seconds start to finish.
And then you report it, and it continues after a week every single day.
Substitute port 80 here with 1433, 139, 135, and on and on..
When a Syslog trap with an NTP sync time base and the entire log is not good
enough, I don't know what is....
Yesterday, I got word from a network operator that 50 entries were not sufficient.
So I parsed 4 days' worth and sent them over 1200 messages from their block..
have not heard back yet..
With a syslog file, sometimes an IDS log and a Syslog.
Some ISPs either /dev/null all of it, or they can't stop their users
or politics stop 'em..
Later,
J
> -----Original Message-----
> From: Simon Lyall [mailto:simon.lyall at ihug.co.nz]
> Sent: Friday, April 04, 2003 5:04 PM
> To: nanog at merit.edu
> Subject: Re: Abuse.cc ???
>
>
>
> On Thu, 3 Apr 2003, Gerald wrote:
> > I hate to play devil's advocate here, but I've been on the receiving end
> > of the abuse@ complaints that became unmanageable. The bulk of them
> > consisting of:
> >
> > "Your user at x.x.x.x attacked me!" (And this is sometimes the
> > nameserver:53 or mailserver:113)
>
> We added this to the auto-reply of our abuse@ address:
>
> --- cut - here ----
>
> For complaints of port scanning or supposed hacking attempts,
> complete logs of the abuse are required. At a minimum, a log
> of abuse contains the time (including time zone) it happened,
> the hosts/ips involved and the ports involved.
>
> Please note that we received a large number of false complaints from people
> using personal firewall programs regarding port scanning. If you are
> submitting a complaint based on the logs from one of these programs we
> highly suggest you read the following:
>
> http://www.samspade.org/d/persfire.html AND
> http://www.samspade.org/d/firewalls.html
>
> --- cut - here ----
>
> The abuse guys concentrate on spam reports, open-relay reports and
> sometimes port scanning reports from proper admins (these are easy to
> spot). Junk from dshield.org and the like is pushed to the bottom of the
> priority list. There are just too many random packets flying about for the
> personal firewall reports to be useful.
>
> The other problem is it's hard to act against a client based on one packet
> received by some person on the other side of the world running a program
> they don't understand. At least with spam reports you'll get several
> independent reports with full headers and if they use our servers we'll
> even have our own logs.
>
> --
> Simon Lyall.                | Newsmaster   | Work: simon.lyall at ihug.co.nz
> Senior Network/System Admin | Postmaster   | Home: simon at darkmere.gen.nz
> Ihug Ltd, Auckland, NZ      | Asst Doorman | Web:  http://www.darkmere.gen.nz
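The pattern Jim describes (one source hitting the same port on many hosts within two seconds) and the minimum log contents Simon's auto-reply asks for (time with zone, hosts, ports), as an added example that is not part of the original thread: a small Python detector that runs over constructed PIX-style syslog deny lines, flags the sweep, and collects the fields an abuse desk can act on. The log lines, firewall host name, addresses and thresholds are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed PIX-style deny lines (sample data, not captured traffic): one source
# sweeps port 80 across five hosts in two seconds; the last line is unrelated noise.
SAMPLE_LOG = """\
Apr 04 22:14:01 UTC fw1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/4121 dst inside:192.0.2.10/80 by access-group "outside_in"
Apr 04 22:14:01 UTC fw1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/4122 dst inside:192.0.2.11/80 by access-group "outside_in"
Apr 04 22:14:02 UTC fw1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/4123 dst inside:192.0.2.12/80 by access-group "outside_in"
Apr 04 22:14:02 UTC fw1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/4124 dst inside:192.0.2.13/80 by access-group "outside_in"
Apr 04 22:14:03 UTC fw1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/4125 dst inside:192.0.2.14/80 by access-group "outside_in"
Apr 04 22:15:40 UTC fw1 %PIX-4-106023: Deny udp src outside:198.51.100.9/51001 dst inside:192.0.2.10/53 by access-group "outside_in"
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) UTC \S+ %PIX-\d-\d+: Deny \w+ "
    r"src \S+?:(?P<src>[\d.]+)/\d+ dst \S+?:(?P<dst>[\d.]+)/(?P<dport>\d+)")

def parse(log, year=2003):
    """Return sorted (time, src, dst, dport) tuples with tz-aware UTC times;
    a complaint without a time zone is useless to the receiving abuse desk."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines this regex does not cover are skipped; count them in production
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts.replace(tzinfo=timezone.utc), m["src"], m["dst"], int(m["dport"])))
    return sorted(events)

def find_sweeps(events, min_targets=5, window=timedelta(seconds=2)):
    """Flag sources hitting >= min_targets distinct hosts inside any window and
    collect what an abuse desk asks for: times with zone, hosts and ports."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    report = {}
    for src, evs in by_src.items():
        for i, (t0, _, _, _) in enumerate(evs):
            hit = [e for e in evs[i:] if e[0] - t0 <= window]  # events within window of t0
            targets = sorted({e[2] for e in hit})
            if len(targets) >= min_targets:
                report[src] = {"first_seen": t0.isoformat(), "last_seen": hit[-1][0].isoformat(),
                               "targets": targets, "ports": sorted({e[3] for e in hit})}
                break  # one finding per source is enough for the report
    return report

if __name__ == "__main__":
    for src, r in find_sweeps(parse(SAMPLE_LOG)).items():
        print(f"{src}: {len(r['targets'])} hosts, ports {r['ports']}, {r['first_seen']} to {r['last_seen']}")
```

Raising `min_targets` and shrinking `window` is how you keep single stray packets (the personal-firewall noise Simon mentions) out of what you send upstream.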