Abuse Desks

Joe Greco jgreco at ns.sol.net
Wed Apr 29 15:36:36 UTC 2020


On Wed, Apr 29, 2020 at 10:12:29AM -0500, Chris Adams wrote:
> Once upon a time, Mukund Sivaraman <muks at mukund.org> said:
> > If an abuse report is incorrect, then it is fair to complain.
> 
> The thing is: are 3 failed SSH logins from an IP legitimately "abuse"?
> 
> I've typoed IP/FQDN before and gotten an SSH response, and taken several
> tries before I realized my error.  Did I actually "abuse" someone's
> server?  I didn't get in, and it's hard to say that the server resources
> I used with a few failed tries were anything more than negligible.
> 
> I've had users tripped up by fail2ban because they were trying to access
> a server they don't use often and took several tries to get the password
> right or had the wrong SSH key.  Should that have triggered an abuse
> email?

So your theory is that it is necessary for there to be a threshold of
abuse?

Is there any reason to expect that a random server is going to be able
to figure out that a large pool of a million compromised IoT devices on
a million different IP addresses is slowly probing their server for the
root password and that a SPECIFIC probe is a member of this set?

The way this stuff is trending today, you don't have a single host that
is banging on another single host for hours or days at a password per
second, which I hope we would agree would be well beyond any reasonable
threshold to consider abuse.

On the flip side, is it so much to ask that an abuse desk maybe take a
look at both the ingress and egress packet stream of their customer, to 
see if there seems to be something untoward happening?

And which one of these is a less damaging strategy?

I know we're in the minority here, but policy over here at SOL hasn't 
changed much in the last quarter century.  If you are getting unwanted 
and unsolicited traffic from us, and you contact [email protected], we're willing
to make it stop.  If it didn't originate here (forged, etc) then there
isn't much to be done -- the community has been trying to encourage 
BCP38 for years.

It's probably jumping the gun a bit for a single connection attempt to
result in an [email protected] message, but then again when I look at the stream
of trash addressed at SOL's IP space, maybe not.  Some of it is clearly
trying to scan from large botnets.

There's also a lot of room for computers to be doing the hard work of
detecting and reporting, and helping to analyze, while letting a human
look at what's actually transpired and see if it feels problematic.

However, the general solution that seems to have been adopted by the
majority of the industry is to hire Dave Null for [email protected]

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"The strain of anti-intellectualism has been a constant thread winding its way
through our political and cultural life, nurtured by the false notion that
democracy means that 'my ignorance is just as good as your knowledge.'"-Asimov
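An added illustration of the detection point made in the post (example code written for this page, not from the author or from sol.net): a fail2ban-style per-source threshold beside an aggregate-by-account check, run over constructed sshd log lines; the thresholds, hostnames and addresses are assumed sample values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd auth-log lines in OpenSSH's usual format; not captured traffic.
SAMPLE_LOG = """\
Apr 29 10:00:01 host sshd[101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Apr 29 10:00:09 host sshd[102]: Failed password for root from 198.51.100.7 port 40001 ssh2
Apr 29 10:00:20 host sshd[103]: Failed password for bob from 192.0.2.44 port 50012 ssh2
Apr 29 10:00:31 host sshd[104]: Failed password for root from 203.0.113.88 port 52000 ssh2
Apr 29 10:00:40 host sshd[105]: Failed password for bob from 192.0.2.44 port 50013 ssh2
Apr 29 10:00:55 host sshd[106]: Failed password for root from 198.51.100.200 port 41000 ssh2
Apr 29 10:01:15 host sshd[107]: Failed password for invalid user admin from 203.0.113.9 port 33000 ssh2
Apr 29 10:01:30 host sshd[108]: Failed password for root from 192.0.2.77 port 34000 ssh2
"""

FAIL_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Failed password for (?:invalid user )?(\S+) from (\S+) port")

def parse_failures(log_text):
    # Return (timestamp, target account, source IP) for every failed password attempt.
    events = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(" ".join(m.group(1).split()), "%b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events

def per_ip_offenders(events, maxretry=3, findtime=timedelta(minutes=10)):
    # fail2ban-style rule (assumed thresholds): a source is banned only when it alone
    # reaches maxretry failures inside findtime. A typo-prone legitimate user trips it;
    # a botnet spreading one try per address never does.
    by_ip = defaultdict(list)
    for ts, _user, ip in events:
        by_ip[ip].append(ts)
    return {ip for ip, stamps in by_ip.items()
            if any(sum(t - start <= findtime for t in stamps if t >= start) >= maxretry
                   for start in stamps)}

def distributed_campaigns(events, min_sources=4, window=timedelta(minutes=10)):
    # Aggregate by target account instead: many distinct sources hitting one account
    # inside the window is the slow, distributed probe that per-IP thresholds miss.
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    flagged = {}
    for user, hits in by_user.items():
        for start, _ip in hits:
            sources = {ip for t, ip in hits if start <= t <= start + window}
            if len(sources) >= min_sources:
                flagged[user] = sources  # candidate for a human to review, not an auto-report
                break
    return flagged
```

On the sample, the per-IP rule bans nobody (bob's two typos stay under the threshold), while the aggregate check flags root as probed from five distinct addresses and leaves bob alone.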


