Abuse Desks

Mel Beckman mel at beckman.org
Wed Apr 29 12:47:08 UTC 2020


Rich,

It’s interesting that you mention “the lesson of the 75-cent accounting error” from Cliff Stoll’s The Cuckoo’s Egg. Because the lesson from that account is precisely that exerting a massive human-labor-intensive effort to trace every tiny abuse signal is not worth the heavy cost — in this case, the derailing of an astronomer’s career and the infliction upon humanity of irrelevant chocolate chip cookie recipes.

An even better lesson is the comparison equation of ubiquitous low-level Internet scanning activity with astronomical Cosmic Background Radiation: a fact of life and an untraceable phenomenon of the Internet universe. Imagine if astronomers emailed the IAU every time they got a tick on their QUBIC sensors.

We live in an inflationary Internet. Exhaustively policing its CBR is a waste of time. Time better spent hardening interfaces — or eliminating them using established technologies such as VPN and TLS everywhere. Any network operator getting fail2ban reports from public IPs needs to overhaul his network, not spam the rest of us with automated abuse reports.

I mean, what lazy, cheap, incompetent, unprofessional sysadmin leaves SSH ports open to the public Internet?  :)

 -mel beckman

On Apr 29, 2020, at 4:56 AM, Rich Kulawiec <rsk at gsp.org> wrote:

On Tue, Apr 28, 2020 at 12:40:12PM -0400, Matt Corallo via NANOG wrote:
Please don't use this kind of crap to send automated "we received 3 login attempts on our SSH box..waaaaaaaaa" emails.
This is why folks don't have abuse contacts that are responsive to real issues anymore.

[ "you" = rhetorical "you", throughout ]

No, the reason that folks don't have responsive abuse contacts is that
they're some combination of:

   - lazy
   - cheap [1]
   - incompetent
   - unprofessional
   - actively supporting the abusers

A "we received 3 login attempts on our SSH box" complaint should be read,
investigated, and acted on.  It means that something is going on that
shouldn't, and so for your own sake, as well as for the well-being of
your Internet neighbors, you should find out what that is.

That "for your own sake" clause is often overlooked.  An incoming abuse
complaint is sometimes the canary in the coal mine.  Ignoring it because
it appears to be trivial at first glance is extremely foolish.

The lesson of the 75-cent accounting error is now 34 years old.  This would
be a really good time to learn from it.

You should also consider that -- thanks to the negligence and incompetence of
many abuse desks -- a lot of people simply don't bother reporting incidents
any more.  Thus what presents to you, on the surface, as "we received 3
login attempts on our SSH box" may in fact be one isolated report of
a much larger incident.  It thus requires your immediate attention, if you
want to even pretend to be a responsible, competent professional.

Incidentally, an excellent way to reduce the number of "we received 3
login attempts on our SSH box" complaints is to deal with all of them,
thus decreasing incident occurrence, which will of course result in a
corresponding decrease in complaints.  An even better way is to run
your operation in such a way that you detect and deal with as many
such things as possible before anybody needs to file a complaint.
After all, if they can see the traffic arriving on their side, you can
see it leaving on yours.

---rsk

[1] I note, for example, that Charter -- which is mentioned in the
original message in this thread -- currently has a market capitalization
of 116.63 billion dollars.  Surely they could spare a tiny fraction of
that to appropriately staff a 24x7 multi-lingual abuse desk with senior
engineers and empower/equip them to do what needs to be done.  That's
what a professional operation would do.