nanog mailing list archives

Re: Abuse Desks


From: Tom Beecher <beecher () beecher cc>
Date: Wed, 29 Apr 2020 10:12:07 -0400

IMO, the answer is balance.

- Handful of SSH connection attempts against a server. Nobody got in,
security hardening did its job. I don't think that is worth reporting.
- Constant brute force SSH attempts from a given source over an extended
period of time, or a clear pattern of probing, yes, report that.

As much as some pound on the table and say there shouldn't be, there is
always going to be a level of background 'cruft' traffic between networks.
Forever. An argument was made somewhere in here that "scanning" is, by
itself, a problem. I disagree. There are many legitimate use cases for
certain types of scans, maps, etc. It's true that it sometimes can be
difficult to distinguish between a malicious scan and an innocent one.
Proposing a solution of "stop all scanning" is absolutely a baby/bathwater
angle.

I would also challenge those that say "Oh well all these companies should
have perfect flow logs and pay an army of engineers to analyze them for
these 5 specific TCP SYNs from 2 weeks ago." I would bet you probably
couldn't do that either.

On Tue, Apr 28, 2020 at 11:59 AM Mike Hammett <nanog () ics-il net> wrote:

I noticed over the weekend that a Fail2Ban instance's complain function
wasn't working. I fixed it. I've noticed a few things:

1) Abusix likes to return RIR abuse contact information. The vast majority
are LACNIC, but it also has kicked back a couple for APNIC and ARIN. When I
look up the compromised IP address in Abusix via the CLI, the APNIC and
ARIN ones return both ISP contact information and RIR information. When I
look them up on the RIR's whois, it just shows the ISP abuse information.
Weird, but so rare it's probably just an anomaly. However, almost
everything I see in LACNIC's region is returned with only the LACNIC abuse
information when the ones I've checked on LACNIC's whois list valid abuse
information for that prefix. Can anyone confirm they've seen similar
behavior out of Abusix? I reached out to them, but haven't heard back.
2) Digital Ocean hits my radar far more than any other entity.
3) Azure shows up a lot less than GCP or AWS, which are about similar to
each other.
4) Around 5% respond saying it's been addressed (or why it's not in the
event of security researchers) within a couple hours. The rest I don't
know. I've had a mix of small and large entities in that response.
5) HostGator seems to have an autoresponder (due to a 1-minute response)
that just indicates that you sent nothing actionable, despite the report
including the relevant log file entries.
6) Charter seems to have someone actually looking at it as it took them 16
- 17 hours to respond, but they say they don't have enough information to
act on, requesting relevant log file entries... which were provided in the
initial report and are even included in their response. They request
relevant log file entries with the date, time, timezone, etc. all in the
body in plain text, which was delivered.
7) The LACNIC region has about 1/3 of my reports.
Do these mirror others' observations with security issues and how abuse
desks respond?
-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com
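As an added example (not Fail2Ban's code and not anything posted in this thread), the Python below applies the balance Tom describes to some constructed sshd log lines: a handful of failures from one source is left alone, while a run that keeps going over an extended period, or one that cycles through many usernames, is flagged for a report. It also builds the plain-text report body with date, time, timezone and the raw log lines inline, which is exactly what the abuse desks Mike mentions say they need. The thresholds, the ISO-timestamped log format, the hostname and the TEST-NET addresses are all assumptions made for the example.

```python
"""Triage failed-SSH events per source and decide which are worth an abuse report."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Illustrative thresholds (assumptions, not Fail2Ban defaults).
MIN_FAILURES = 10                    # fewer than this is a "handful": background cruft
SUSTAINED_SPAN = timedelta(hours=1)  # same source still at it after this long: sustained
PROBING_USERS = 8                    # this many distinct usernames: a clear probing pattern

# Assumed log format: ISO 8601 timestamp with UTC offset, then syslog-style sshd text.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)


@dataclass
class Failure:
    ts: datetime
    user: str
    ip: str
    raw: str


@dataclass
class SourceSummary:
    ip: str
    failures: list = field(default_factory=list)  # sorted by timestamp

    @property
    def span(self) -> timedelta:
        return self.failures[-1].ts - self.failures[0].ts

    @property
    def users(self) -> set:
        return {f.user for f in self.failures}


def parse_failures(text: str) -> list:
    """Extract failed-login events from the log text, oldest first; non-matching lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append(Failure(datetime.fromisoformat(m["ts"]), m["user"], m["ip"], line))
    out.sort(key=lambda f: f.ts)
    return out


def summarize(failures: list) -> dict:
    """Group failures by source IP."""
    by_ip = defaultdict(list)
    for f in failures:
        by_ip[f.ip].append(f)
    return {ip: SourceSummary(ip, fs) for ip, fs in by_ip.items()}


def classify(s: SourceSummary) -> str:
    """'ignore' for a handful of tries or a one-off burst; 'probing' or 'sustained' get reported."""
    if len(s.failures) < MIN_FAILURES:
        return "ignore"
    if len(s.users) >= PROBING_USERS:
        return "probing"
    if s.span >= SUSTAINED_SPAN:
        return "sustained"
    return "ignore"


def build_report(s: SourceSummary, verdict: str, max_lines: int = 10) -> str:
    """Plain-text report: counts, first/last time in UTC, and the raw log lines inline."""
    first, last = s.failures[0].ts.astimezone(timezone.utc), s.failures[-1].ts.astimezone(timezone.utc)
    lines = [
        f"Abuse report: SSH brute force from {s.ip} ({verdict})",
        f"Events: {len(s.failures)} failed logins, {len(s.users)} distinct usernames",
        f"First: {first:%Y-%m-%d %H:%M:%S} UTC",
        f"Last:  {last:%Y-%m-%d %H:%M:%S} UTC",
        "Log excerpt (timestamps are ISO 8601 with UTC offset):",
    ]
    lines += [f"  {f.raw}" for f in s.failures[:max_lines]]
    if len(s.failures) > max_lines:
        lines.append(f"  ... {len(s.failures) - max_lines} more lines omitted")
    return "\n".join(lines)


def triage(text: str) -> dict:
    """Map each source IP in the log text to its verdict."""
    return {ip: classify(s) for ip, s in summarize(parse_failures(text)).items()}


# Constructed sample log, generated here rather than captured from a real host.
def _line(ts: datetime, user: str, ip: str, invalid: bool = True) -> str:
    who = f"invalid user {user}" if invalid else user
    return f"{ts.isoformat()} bastion sshd[4242]: Failed password for {who} from {ip} port 51000 ssh2"


_T0 = datetime(2020, 4, 26, 1, 0, tzinfo=timezone.utc)
_SAMPLE = []
# 192.0.2.10: three tries in one minute, then gone: background cruft.
_SAMPLE += [_line(_T0 + timedelta(seconds=20 * i), "root", "192.0.2.10", False) for i in range(3)]
# 198.51.100.7: forty tries spread over almost six hours with two usernames: sustained.
_SAMPLE += [_line(_T0 + timedelta(minutes=9 * i), ["root", "admin"][i % 2], "198.51.100.7") for i in range(40)]
# 203.0.113.9: a dozen different usernames inside five minutes: clear probing.
_SAMPLE += [_line(_T0 + timedelta(seconds=25 * i), f"user{i}", "203.0.113.9") for i in range(12)]
SAMPLE_LOG = "\n".join(_SAMPLE)

if __name__ == "__main__":
    summaries = summarize(parse_failures(SAMPLE_LOG))
    for ip, verdict in triage(SAMPLE_LOG).items():
        if verdict != "ignore":
            print(build_report(summaries[ip], verdict), end="\n\n")
```

The order of the checks in `classify` is deliberate: a short burst that does not reach the username threshold and does not persist falls back to "ignore", so a report only goes out for the two shapes the thread actually argues are worth a human's time.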