Automated Network Abuse Reporting

Etaoin Shrdlu shrdlu at deaddrop.org
Mon Dec 29 16:28:47 UTC 2003


Jason Lixfeld wrote:
> 
> ...Has there been development of some
> sort of intelligent unix land app that can understand Cisco syslog
> output, find the abuse departments of the sourcing networks and send
> them off a nice little FYI?

With rare exceptions, I'd say don't bother, even if you do come up with
such a thing. I've actually sent off two in the past week, which is my
normal total for the month (any month). One was to a machine that was
aggressively testing identd (and starting to annoy me) on every machine in
my netblock (it's little, but it's mine).

The other was more interesting. A tool that had been used to attack imap
servers earlier this year has apparently been modified to hit FTP instead.
The common bond is the user name "lizdy", which is only one of the multiple
of names attempted. If you're curious, hit Google with the words (lizdy
ftp), and you'll come up with a few machines already hit by it. One of the
machines that hit was an NT machine in a block that had an actual abuse
dept, and I thought the owner would probably want to know. I got a nice
response back, and I'd bet that it was probably taken care of. The others
were also owned, but out of networks where I know that they just won't
care. Pity there's no way to let the owner of the machine know, but that's
just life.

A "nice little FYI" will just be adding to the Brownian motion of the
internet as we know it today. On those rare cases where you have the time,
and are sure of the target, of course, send something off. Just please
don't automate it.

Oh, and I no longer have an internet-facing FTP server (that tool hits
about 200-400 times in less than 5 seconds...really abusive).

--
Open source should be about giving away things voluntarily. When
you force someone to give you something, it's no longer giving, it's
stealing. Persons of leisurely moral growth often confuse giving with
taking.    -- Larry Wall


