Abuse Desks

Mike Hammett nanog at ics-il.net
Wed Apr 29 12:35:11 UTC 2020

"What is it, exactly, that you expect a provider to do with your report of a few failed SSH login attempts to stop the activity?... disconnect the customer." 


Comcast does it. My wife's aunt and uncle had a compromised box on their network. They don't check their e-mail, so they didn't see the warnings from Comcast. They shut them off until the problem was resolved. 

" Forcing disconnection for a port scan is also, by the way, a *great* way to create an absolute gold-plated A+ denial-of-service: " 

Surely they have flow records showing suspicious activity from that customer. They may not confirm the specific IP being attacked, but they will see massive numbers of SSH, SMTP, SIP, etc. connections going out. It's likely if there's outbound activity of that nature and *someone* complained about it, not only were they a victim of it, but the activity is probably undesired by anyone else receiving it as well. 

" cost you practically nothing." You're right. An insecure Internet doesn't cost any of us anything. 

" there's no One True Format for automated abuse notifications" 

So then "let's" make one? No one can follow it if it doesn't exist. 

Mike Hammett 
Intelligent Computing Solutions 


----- Original Message -----

From: "Matt Palmer" <mpalmer at hezmatt.org> 
To: nanog at nanog.org 
Sent: Wednesday, April 29, 2020 6:48:51 AM 
Subject: Re: Abuse Desks 

On Wed, Apr 29, 2020 at 12:24:01PM +0530, Mukund Sivaraman wrote: 
> On Tue, Apr 28, 2020 at 11:40:16PM -0700, Matt Corallo wrote: 
> > Sadly dumb kids are plentiful. If you have to nag an abuse desk every 
> > time they sell a server to a kid who’s experimenting with nmap for the 
> > first time then.... we’ll end up exactly where we are - abuse contacts 
> > are not a reliable way to get in touch with anyone, and definitely not 
> > a reliable way to do so fast or with any reasonably large 
> > network. Please don’t clog the otherwise-useful system. 
> > 
> > If you have trouble sleeping at night, I’d recommend the 
> > “PasswordAuthentication no” option in sshd_config. 
> Yes we use that, and PermitRootLogin no and an AllowUsers list. 
> I asked in my first email, if with security practices as above and use 
> of fail2ban to filter attempts, should we just ignore this problem and 
> think that nobody is ultimately reponsible to get rid of this activity? 

In theory, no. In practice, unfortunately, yes. 

The typical service provider has so much low-level "noise" going on that if 
everyone reported everything to them, they'd semi-literally drown. 
Certainly, there's no possible way they could economically handle all that 
abuse reporting -- hiring all the people to examine, determine the veracity 
of, and act upon the reports would cost a fortune, because you better 
believe there's no One True Format for automated abuse notifications, nor 
will there ever likely be one, so it's all humans, all the time. 

Now, you could argue that they should clean up their network so they don't 
have that volume of abuse reports coming in -- and you'd be right, in 
theory. But there's a *lot* of low-level stuff that it isn't practical to 
stop, in and of itself. 

Consider your own reports. What is it, exactly, that you expect a provider 
to do with your report of a few failed SSH login attempts to stop the 
activity? Say it's a residential ISP, or an IaaS provider. They have only 
a few very large hammers at their disposal -- they can (maybe) filter the 
destination port, filter your destination IP, or disconnect the customer. 
Any of those will very possibly result in a support call, or lost customer. 
That's a very large cost you're expecting them to pay for something which 
has, let's face it, cost you practically nothing. 

Forcing disconnection for a port scan is also, by the way, a *great* way to 
create an absolute gold-plated A+ denial-of-service: send in a 
plausible-looking report of shenanigans to the ISP of someone you don't 
like, and *boom* their Internet connection's cut off. WINNAH! 

So what are you left with, action-wise? An ISP could keep a tally of abuse 
reports by customer, and take action on whoever's at the top of the pile, 
but that would then require a large and expensive army of humans to receive, 
check, classify, and record all incoming abuse reports. Do *you* want to 
pay $1,000/month for your home Internet connection to cover the cost of all 
those extra ISP staff? Because, as I said before, there's no One True 
Format for reporting abuse, and there never will be. 

Not that it would work, anyway -- any sort of "threshold" system for abuse 
ends up being gamed, anyway. You only need to look at how Twitter users 
with an axe to grind gang up to send in malicious reports about some other 
Twitter they don't like, which trips Twitter's "lots of reports => autoban" 
logic, to see how that would end if you started applying it to Internet 
abuse reporting. 

Finally, because nobody is ever convinced by rhetoric, here's an appeal to 
your self-interest: "crying wolf" is never a good idea. In the event that 
you *do* have a real problem that needs to be dealt with some time in the 
future, do you want to have your e-mail address, IP address, and whatever 
else associated with a thousand previous GWF ("goober with firewall") 
reports? Any abuse desk who has seen your hundreds of previous unactionable 
reports will almost certainly round-file that important one, and then you're 
*really* up the creek sans paddle. Far better to keep your powder dry and 
be ready for when you actually need assistance from whoever you're 

- Matt 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20200429/01a7a381/attachment.html>

More information about the NANOG mailing list