abuse reporting tools

Drew Weaver drew.weaver at thenap.com
Tue Nov 25 20:11:43 UTC 2014

On Tue, Nov 18, 2014 at 7:41 PM, Robert Drake <rdrake at direcpath.com> wrote:
> On 11/18/2014 8:11 PM, Michael Brown wrote:
> amelioration.  So I'm left with a very unsatisfactory feeling of 
> either shutting down a possibly innocent customer based on a machines 
> word, or attempting to start a dialog with random_script_user_99 at hotmail.com.

>>Under those circumstances,  how do you know it's not a
>>social-engineering based DoS being attempted?   Preferably,  take no
>>action to shutdown services without decent confirmation;  as malicious reports of a fraudulent, bogus, dramatized, or otherwise misleading nature are sometimes used by malicious actors  to target a legitimate user.

>>My suggestion would be table the report of a single SSH connection and
>>really do nothing with it.    If there is actually abuse being
>>conducted, you should either be able to independently verify the actual abuse, e.g.  by checking packet level data or netflow data, or  you should begin to receive a pattern of complaints;  more unique contacts,  that you can investigate and verify are legit. contacts >>from unique networks.

If you know the destination IP address that the traffic is supposedly going to you can also just ACL it, that way if it's a customer of a customer you don't shut down the customer's entire business over something one person downstream is doing and you 'fix' the issue at the same time.

The right answer really depends on how responsive your customer is to the complaints in the first place.


More information about the NANOG mailing list