Automatic abuse reports

Sam Moats sam at
Tue Nov 12 21:52:05 UTC 2013

We used to use a small perl script called tattle that would parse out 
the /var/log/secure on our *nix boxes, isolate the inbound ssh exploits, 
lookup the proper abuse contacts and report them. I haven't seen 
anything similar in years but it would be interesting to do more than 
null route IPs.

The problem we had with the automated reporting was dealing with 
spoofed sources, we see lots of traffic that is obviously hostile but 
unless it becomes serious enough to impact performance we rarely report 
it. An automated system didn't seem to fit anymore due to false 

A number of providers who aren't exactly interested in the overall good 
health of the net do a poor job of network ingress filtering that unless 
I closely examine the traffic and it's origins. Without being able to 
trust the source address information in the DDOS traffic I run the risk 
of crying wolf to a provider who is just as much a victim as I am. 
(Think of my ACK packets piling in his network in response to the bogus 
SYN packets I'm getting). So we reserve complaints for when there is an 
actual impact and try to keep the signal to noise ratio in our reports 

I'm not really happy with this approach and I'm open to ideas!

Sam Moats

On 2013-11-12 16:58, Jonas Björklund wrote:
> Hello,
> We got often abuse reports on hosts that has been involved in DDOS 
> attacks.
> We contact the owner of the host help them fix the problem.
> I also would like to start send these abuse report to the ISP of the 
> source.
> Are there any avaliable tools for this? Is there any plugin for 
> nfsen?
> Do I need to write my own scripts for this?
> /Jonas

More information about the NANOG mailing list