nanog mailing list archives

Re: PlayStationNetwork blocking of CGNAT public addresses


From: Simon Lockhart <simon () slimey org>
Date: Sun, 18 Sep 2016 16:26:43 +0100

On Sun Sep 18, 2016 at 05:17:33PM +0200, Florian Weimer wrote:
> Okay, then perhaps my guess of the ISP involved is wrong.

It's not hard to find out who I work for :)

> Out of curiosity, how common is end-to-end reporting of
> source/destination port information (in addition to source IP
> addresses and destination IP addresses)?  Have the anti-abuse
> mechanisms finally caught on with CGNAT, or is it possible that the
> PSN operator themselves do not have such detailed data?

99.99% of abuse reports we receive contain the information, but that's because
99.99% of abuse reports we receive are from the 'copyright police', and their
tools capture and include it in the reports.

Once you discard that 99.99%, and are left with the stuff that is worthy of
manual investigation, I'd say that almost all of it only contains timestamp and
source IP. Sometimes it'll also contain destination IP (so we can take a best
guess based on netflow data), and very occasionally it'll also contain source
port information.

I'd say the same also applies to requests for information that we receive from
law enforcement agencies. In most cases, they're working from weblogs, and I'd
be tempted to say that most webservers' 'out of the box' configuration does not
log source port, only source IP in the web access logs.

Simon
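
The following is an added example, not part of the original message: it shows why a report carrying only timestamp and source IP cannot be tied to a single subscriber behind CGNAT, while one that also carries the source port can. It assumes a CGNAT that logs per-subscriber port-block allocations; the log schema, subscriber IDs, addresses and times are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass(frozen=True)
class Allocation:
    """One CGNAT port-block lease (hypothetical log schema)."""
    subscriber: str
    public_ip: str
    port_lo: int
    port_hi: int
    start: datetime
    end: datetime

@dataclass(frozen=True)
class Report:
    """What an abuse report or web access log line gives the ISP."""
    when: datetime
    src_ip: str
    src_port: Optional[int] = None  # absent from most reports

def candidates(report, allocations, skew=timedelta(seconds=30)):
    """Return the subscribers that could have sent the reported traffic.

    skew widens each lease window to tolerate reporter clock drift.
    """
    hits = set()
    for a in allocations:
        if a.public_ip != report.src_ip:
            continue
        if not (a.start - skew <= report.when <= a.end + skew):
            continue
        # Without a source port, every lease on the address stays a candidate.
        if report.src_port is not None and not (a.port_lo <= report.src_port <= a.port_hi):
            continue
        hits.add(a.subscriber)
    return sorted(hits)

def _t(hhmm, sec=0):
    """Constructed timestamp helper: HH:MM on one sample day."""
    return datetime(2016, 9, 18, int(hhmm[:2]), int(hhmm[3:]), sec)

# Constructed sample data: subscribers sharing one public address.
ALLOCATIONS = [
    Allocation("sub-A", "203.0.113.7", 1024, 2047, _t("15:00"), _t("16:00")),
    Allocation("sub-B", "203.0.113.7", 2048, 3071, _t("15:10"), _t("15:50")),
    Allocation("sub-C", "203.0.113.7", 3072, 4095, _t("15:20"), _t("17:00")),
    Allocation("sub-D", "203.0.113.7", 2048, 3071, _t("15:50"), _t("16:30")),
]
```

Even with a source port, a report timestamped close to a lease handover can match two subscribers once clock skew is allowed for, so the precision of the reporter's timestamp matters as much as the port.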

