RE: Abuse.cc ???

["McBurnett, Jim" <jmcburnett () msmgmt com>]

I tell ya, what really gets me in a bad mood is when my PIX logs 
show the same IP address hitting port 80 on 25 different IP's
and the time line is 2 seconds start to finish.
And then you report it, and it continues after a week every single day.
Substitute port 80 here with 1433, 139,135, and on and on..
When a Syslog trap with a NTP sync time base and the entire log is not good
enough, I don't know what is....
Yesterday, I got word from a network operator that 50 entries was not sufficient.
So I parsed 4 days's worth and sent them over 1200 messages from their block..
have not heard back yet..


With a syslog file, sometimes an IDSLog and a Syslog.

Some ISP's either /dev/null all of it, or they can't stop their users
or politics stop 'em..


Later,
J
 


> -----Original Message-----
> From: Simon Lyall [mailto:simon.lyall () ihug co nz]
> Sent: Friday, April 04, 2003 5:04 PM
> To: nanog () merit edu
> Subject: Re: Abuse.cc ???
>
>
>
> On Thu, 3 Apr 2003, Gerald wrote:
> > I hate to play devil's advocate here, but I've been on the 
> receiving end
> > of the abuse@ complaints that became unmanagable. The bulk of them
> > consisting of:
> >
> > "Your user at x.x.x.x attacked me!" (And this is sometimes the
> > nameserver:53 or mailserver:113)
>
> We added this to the auto-reply of our abuse@ address:
>
> --- cut - here ----
>
>   For complaints of port scanning or supposed hacking attempts,
>   complete logs of the abuse are required.  At a minimum, a log
>   of abuse contains the time (including time zone) it happened,
>   the hosts/ips involved and the ports involved.
>
>   Please note that we received a large number of false 
> complaints from people
>   using personal firewall programs regarding port scanning. If you are
>   submitting a complaint based on the logs from one of these 
> programs we
>   highly suggest you to read the following:
>
>     http://www.samspade.org/d/persfire.html  AND
>     http://www.samspade.org/d/firewalls.html
>
> --- cut - here ----
>
> The abuse guys concentrate on spam reports, open-relay reports and
> sometimes port scanning reports from proper admins (these are easy to
> spot). Junk from dshield.org and the like is pushed to the 
> bottom of the
> priority list. There are just too many random packets flying 
> about for the
> personal firewall reports to be useful.
>
> The other problem is it's hard to act against a client based 
> on one packet
> received by some person on the other side of the world 
> running a program
> they don't understand. At least with spam reports you'll get several
> independant reports with full headers and if they use our 
> servers we'll
> even have our own logs.
>
> -- 
> Simon Lyall.                |  Newsmaster  | Work: 
> simon.lyall () ihug co nz
> Senior Network/System Admin |  Postmaster  | Home: 
> simon () darkmere gen nz
> Ihug Ltd, Auckland, NZ      | Asst Doorman | Web: 
http://www.darkmere.gen.nz