nanog mailing list archives
Re: Automatic abuse reports
From: Sam Moats <sam () circlenet us>
Date: Tue, 12 Nov 2013 16:52:05 -0500
We used to use a small perl script called tattle that would parse out the /var/log/secure on our *nix boxes, isolate the inbound ssh exploits, lookup the proper abuse contacts and report them. I haven't seen anything similar in years but it would be interesting to do more than null route IPs.
The problem we had with the automated reporting was dealing with spoofed sources, we see lots of traffic that is obviously hostile but unless it becomes serious enough to impact performance we rarely report it. An automated system didn't seem to fit anymore due to false positives.
A number of providers who aren't exactly interested in the overall good health of the net do a poor job of network ingress filtering that unless I closely examine the traffic and it's origins. Without being able to trust the source address information in the DDOS traffic I run the risk of crying wolf to a provider who is just as much a victim as I am. (Think of my ACK packets piling in his network in response to the bogus SYN packets I'm getting). So we reserve complaints for when there is an actual impact and try to keep the signal to noise ratio in our reports decent.
I'm not really happy with this approach and I'm open to ideas! Thanks Sam Moats On 2013-11-12 16:58, Jonas Björklund wrote:
Hello,We got often abuse reports on hosts that has been involved in DDOS attacks.We contact the owner of the host help them fix the problem.I also would like to start send these abuse report to the ISP of the source.Are there any avaliable tools for this? Is there any plugin for nfsen?Do I need to write my own scripts for this? /Jonas
Current thread:
- Automatic abuse reports Jonas Björklund (Nov 12)
- Re: Automatic abuse reports Sam Moats (Nov 12)
- Re: Automatic abuse reports Daniël W . Crompton (Nov 12)
- Re: Automatic abuse reports William Herrin (Nov 12)
- Re: Automatic abuse reports Sam Moats (Nov 12)
- Re: Automatic abuse reports William Herrin (Nov 12)
- Re: Automatic abuse reports Brandon Galbraith (Nov 12)
- Re: Automatic abuse reports joel jaeggli (Nov 12)
- Re: Automatic abuse reports Sam Moats (Nov 12)
- <Possible follow-ups>
- Re: Automatic abuse reports Hal Murray (Nov 12)