Abuse Desks

Mike Hammett nanog at ics-il.net
Thu Apr 30 12:05:58 UTC 2020


Centralized logging and run the analysis on the aggregate. You're more likely to catch them that way. No, it isn't guaranteed, but it's easier. 




----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

----- Original Message -----

From: "Hal Murray" <hgm+nanog at ip-64-139-1-69.sjc.megapath.net> 
To: nanog at nanog.org 
Cc: "Hal Murray" <hgm+nanog at ip-64-139-1-69.sjc.megapath.net> 
Sent: Thursday, April 30, 2020 2:59:43 AM 
Subject: Re: Abuse Desks 


Mike Hammett said: 
> IMO, the answer is balance. 
> - Handful of SSH connection attempts against a server. Nobody got in, 
> security hardening did its job. I don't think that is worth reporting. - 
> Constant brute force SSH attempts from a given source over an extended period 
> of time, or a clear pattern of probing, yes, report that. 

The bad guys have already gamed that system. If you have a zillion bots, you 
can have each bot try a different name/password on a large batch of IP 
Addresses. A victim only sees one try from each bot. 

The daily logwatch reports that land in my mailbox are full of ssh attempts 
that end with ": 1 Time". 

----------- 

Matt Corallo said: 
> I'm open to ideas on what to do here, but the abuse system as it exists today 
> is clearly broken for me, and it's clearly broken for AWS/GCP/Azure/OVH/etc - 
> have you ever tried emailing their registered abuse contacts? I have, the 
> problem doesn't go away and there are no responses. 

> especially given most of the real crap out there comes from hosting providers 
> like the above who don't have the bandwidth to respond. 

"don't have the bandwidth" is an interesting term. Is that because the 
problem is really hard and it would take a lot of bandwidth/money/whatever, or 
because they choose not to spend money on it and the rest of the net is 
letting them get away with it? 

---------- 

Tom Beecher said: 
> Abuse departments should be properly handling LEGITIMATE abuse complaints. 
> Not crufty background noise traffic that is never going away. 

Agreed. But the abuse desk is the only place where somebody can find the 
signal in the noise, and with the current pattern, much of the signal is 
trying to hide in the noise. The abuse desk will only see the signal if 
people actually send in abuse reports and the abuse desk actually looks at 
them. 

---------- 

Laszlo Hanyecz said: 
> A lot of this other stuff is just people abusing the abuse contacts to get 
> someone else taken offline. Phishing websites fall into this category - 
> it's not network abuse, it's just content someone doesn't like, and one way 
> to get it taken down is to threaten the network that carries the traffic for 
> it. 

I don't report phishing websites unless somebody spams me with the URL. 


-- 
These are my opinions. I hate spam. 
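
The two threads above (centralized logging so the analysis runs on the aggregate, and the one-try-per-victim pattern that each host sees as a single ": 1 Time" entry) can be shown with a small script. This is an added example, not code from the thread or from either poster. The log lines are constructed (hypothetical hostnames web1-web3, RFC 5737 documentation addresses) and the thresholds are assumptions chosen to make the contrast visible: a per-host rule needs several failures from one source on one box, while the central view also flags a source that touches many distinct hosts once each.

```python
import re
from collections import defaultdict

# Constructed sample: sshd syslog lines as a central collector would receive
# them from three hosts. Hostnames and addresses are hypothetical.
SAMPLE_LOGS = """\
Apr 30 02:01:11 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Apr 30 02:01:15 web2 sshd[3187]: Failed password for invalid user oracle from 203.0.113.5 port 41030 ssh2
Apr 30 02:01:19 web3 sshd[1909]: Failed password for root from 203.0.113.5 port 41041 ssh2
Apr 30 02:02:02 web1 sshd[2210]: Failed password for invalid user test from 198.51.100.7 port 50111 ssh2
Apr 30 02:03:40 web2 sshd[3190]: Failed password for invalid user test from 198.51.100.7 port 50115 ssh2
Apr 30 02:05:01 web1 sshd[2230]: Failed password for root from 192.0.2.9 port 60001 ssh2
Apr 30 02:05:02 web1 sshd[2231]: Failed password for root from 192.0.2.9 port 60002 ssh2
Apr 30 02:05:03 web1 sshd[2232]: Failed password for root from 192.0.2.9 port 60003 ssh2
Apr 30 02:05:04 web1 sshd[2233]: Failed password for root from 192.0.2.9 port 60004 ssh2
Apr 30 02:05:05 web1 sshd[2234]: Failed password for root from 192.0.2.9 port 60005 ssh2
Apr 30 02:05:06 web1 sshd[2235]: Failed password for root from 192.0.2.9 port 60006 ssh2
Apr 30 02:07:30 web3 sshd[1950]: Accepted publickey for deploy from 192.0.2.44 port 52000 ssh2
"""

# Matches the OpenSSH "Failed password" line; "invalid user" is optional
# because it only appears when the username does not exist on the host.
FAILED_RE = re.compile(
    r"^\w{3}\s+\d+ \S+ (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failures(text):
    """Yield (host, source_ip, username) for every failed-password line."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield m.group("host"), m.group("src"), m.group("user")


def per_host_view(text, threshold=5):
    """What each host sees on its own (the logwatch-per-box model):
    sources with at least `threshold` failures against that single host."""
    counts = defaultdict(int)
    for host, src, _ in parse_failures(text):
        counts[(host, src)] += 1
    return sorted({src for (_, src), n in counts.items() if n >= threshold})


def aggregate_view(text, threshold=5, min_hosts=3):
    """Central view over all hosts: a source is flagged when its total
    failures reach `threshold` OR it touched at least `min_hosts` distinct
    hosts, which is the one-attempt-per-victim pattern a single host
    cannot see. Returns {source_ip: [reasons]}."""
    totals = defaultdict(int)
    hosts_hit = defaultdict(set)
    for host, src, _ in parse_failures(text):
        totals[src] += 1
        hosts_hit[src].add(host)
    flagged = {}
    for src, total in totals.items():
        reasons = []
        if total >= threshold:
            reasons.append(f"{total} failures total")
        if len(hosts_hit[src]) >= min_hosts:
            reasons.append(f"{len(hosts_hit[src])} distinct hosts")
        if reasons:
            flagged[src] = reasons
    return flagged


if __name__ == "__main__":
    print("per-host view flags:", per_host_view(SAMPLE_LOGS))
    for src, reasons in aggregate_view(SAMPLE_LOGS).items():
        print(f"aggregate view flags {src}: {', '.join(reasons)}")
```

On the constructed sample the per-host rule only catches 192.0.2.9, which hammered web1 six times; 203.0.113.5 made exactly one attempt against each of three hosts and is invisible to every individual box, but the central view flags it on the distinct-host count. 198.51.100.7 (two hosts, two attempts) stays below both thresholds, which is the "no, it isn't guaranteed" caveat: the distributed pattern only becomes visible once enough of your own hosts are feeding the same collector.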



