Automated Network Abuse Reporting
joelja at darkwing.uoregon.edu
Mon Dec 29 17:39:55 UTC 2003
I have, according to my ids around 400pps arriving at my home network that
don't belong there. if I payed attention to all of it I'd be busy, if I
generated abuse reports and fired them off it would generate a lot of
noise... random portscans, dos backsplash and worm traffic don't really
rise to the level that would make me want to invest my time in trying to
identify and deal with the sources.
On Mon, 29 Dec 2003, Richard A Steenbergen wrote:
> On Mon, Dec 29, 2003 at 08:24:16AM -0800, Joel Jaeggli wrote:
> > if you automate abuse reporting you can basically assume that the reciver
> > will automate abuse handling. since that has in fact happened as far as i
> > can tell the probably of you automated asbuse replaies ever reaching a
> > human who cares or can do something about it is effecetivly zero.
> It's difficult to sort out legitimate complaints for port scanning.
> Consider that the vast majority of such complaints a provider receieves,
> particularly automated ones (groan), are just flat out wrong or stupid (or
> For example: "Your web server is hacking my web browser on port 80", or
> "Why are you probing me with UDP packets on port 53 from this host named
> NS1...", but usually stated with far more capital letters, misspellings,
> profanity, and threats to sue or report your web server to the
> authorities because it dared to respond to their port 80 connection. :)
> Things only seem to get worse when you actually try to have a halfass team
> of people respond to these. Usually the victim is someone who gets a syn
> flood from random sourced addresses, correctly responds with RSTs, and
> ends up being accused of port scanning due to the backscatter hitting some
> random military IP address. Anyone with a reasonable amount of experience
> should be able to look at any of the detailed packet logs and clearly see
> the very obvious patterns which indicate the differences between
> legitimate port scans, backscatter, or classic spoofed source syn floods.
> But they never do, even when they claim to be highly experienced and in
> positions of power. For many providers, getting a threatening e-mail from
> a government agency will result in someone being turned off, even if they
> have done nothing wrong.
> Recently I saw someone running an online gaming service who experienced
> this in the other direction. The attacker set his IP as the source, and
> directly fired off millions of packets to random destinations. Not only
> was their a direct DoS effect due to all the RST coming in, but over the
> course of 48 hours he received THOUSANDS of angry calls, many complaints
> to his provider, and even several death threats.
Joel Jaeggli Unix Consulting joelja at darkwing.uoregon.edu
GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2
More information about the NANOG