Security Basics mailing list archives

Re: Reporting Abuse tips?


From: Chris Lyon <cslyon () gmail com>
Date: Wed, 5 May 2010 18:07:55 -0700

So we have issues all the time and only about 1/2 of them we end up
reporting. We do end up blocking these hosts so reporting is almost
pointless but when they are unblocked and they keep doing it, then we
report.

Keep in mind that the 1/2 isn't all the issues that we see, it is only
the targeted attacks against specific systems. We get people trying to
brute force servers all the time and these hosts come and go. To
report something that will disappear in a few hours is a waste of
everybody's time. So your example below wouldn't be something that we
would report but it really depends upon what you consider to be bad
and an outright attack.

So back to your question: we do the usual whois and find the abuse
email address. We typically report to all the abuse emails in the
whois chain including the last one. We have never called because we
can mitigate the effect of an attack.

So here is a sample of the email sent (below), the more details the
better but I would keep the summary pretty generic but to the point.
We find that only a small set of providers will take action against
these hosts. Mostly just blocking them internally from what we
understand.

<sample>
Email Subject is:  abuse report for host -> XX.XX.XX.XX

Email Body:
Below is an abuse report for host XX.XX.XX.XX which shows to belong to
<domain / record>. We are requesting that action be taken against this
host.

This host is actively scanning our network XXX.XXX.XXX.XX in <Insert
Data Center>. <Description of the Attack>. <Rate of the Attack> The
details are below with my contact information.

<Security Eng Name>
Mozilla Security Operations
<Contact Information>

----Details/Logs----
<insert proof of attack>

-Chris
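The lookup-and-report procedure Chris describes (whois, collect every abuse mailbox in the chain, send a report with the evidence attached), written out as an added Python example that is not part of this thread or of any Mozilla tooling. It pulls the abuse addresses out of a constructed, placeholder whois record, keeps only the log lines whose source is the reported host, derives the event count and rate, and fills in the same subject and body layout as the sample above. The whois text, the log lines, the addresses (reserved documentation ranges and domains) and the function names are all assumptions made for this illustration.

```python
import re
from datetime import datetime

# Constructed whois output for the offending host (no real lookup is made).
# Field names follow the usual ARIN ("OrgAbuseEmail") and RIPE
# ("abuse-mailbox") conventions; every address is a placeholder.
SAMPLE_WHOIS = """\
NetRange:       192.0.2.0 - 192.0.2.255
OrgName:        Example Hosting (placeholder)
OrgAbuseEmail:  abuse@example.net
OrgTechEmail:   noc@example.net
% Abuse contact for '192.0.2.0/24' is 'ABUSE@example.net'
abuse-mailbox:  abuse@upstream.example
"""

# Constructed log lines using TEST-NET addresses. The last line comes from a
# different source and must not end up in the report.
SAMPLE_LOG = """\
2010-05-01T02:14:07Z bastion sshd[2201]: Failed password for invalid user admin from 192.0.2.44 port 51022 ssh2
2010-05-01T02:14:09Z bastion sshd[2203]: Failed password for root from 192.0.2.44 port 51031 ssh2
2010-05-01T02:14:12Z bastion sshd[2207]: Failed password for invalid user oracle from 192.0.2.44 port 51040 ssh2
2010-05-01T02:24:07Z bastion sshd[2290]: Failed password for invalid user test from 192.0.2.44 port 52110 ssh2
2010-05-01T02:25:00Z bastion sshd[2301]: Failed password for root from 198.51.100.9 port 40001 ssh2
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
ORG_RE = re.compile(r"^(?:OrgName|org-name|descr):\s*(.+?)\s*$", re.M | re.I)


def extract_abuse_contacts(whois_text):
    """Every address on a whois line that mentions 'abuse', lower-cased and
    de-duplicated, in order of appearance. This gathers the whole chain
    (allocation plus upstream) and skips NOC/tech mailboxes."""
    contacts = []
    for line in whois_text.splitlines():
        if "abuse" not in line.lower():
            continue
        for addr in EMAIL_RE.findall(line):
            addr = addr.lower()
            if addr not in contacts:
                contacts.append(addr)
    return contacts


def select_evidence(log_text, ip):
    """Only lines where `ip` appears as a whole address: 192.0.2.4 must not
    match inside 192.0.2.44, and 0.2.44 must not match inside 10.0.2.44."""
    pattern = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
    return [ln for ln in log_text.splitlines() if pattern.search(ln)]


def summarize(lines):
    """Count, time window and rate from lines that start with an ISO-8601
    UTC timestamp; a single event is treated as a one-minute window."""
    stamps = [datetime.strptime(ln.split(" ", 1)[0], "%Y-%m-%dT%H:%M:%SZ")
              for ln in lines]
    first, last = min(stamps), max(stamps)
    minutes = max((last - first).total_seconds() / 60.0, 1.0)
    return {"count": len(lines), "first": first, "last": last,
            "per_minute": round(len(lines) / minutes, 2)}


def build_report(ip, whois_text, log_text, our_net, data_center,
                 description, reporter, contact):
    """Return (recipients, subject, body) laid out like the sample email.
    Refuses to produce a report when there are no evidence lines."""
    evidence = select_evidence(log_text, ip)
    if not evidence:
        raise ValueError("no log lines from %s, nothing to report" % ip)
    s = summarize(evidence)
    m = ORG_RE.search(whois_text)
    org = m.group(1) if m else "<unknown organisation>"
    subject = "abuse report for host -> %s" % ip
    body = (
        "Below is an abuse report for host %s which shows to belong to %s. "
        "We are requesting that action be taken against this host.\n\n"
        "This host is actively attacking our network %s in %s. %s. "
        "%d events between %s and %s UTC, about %.2f per minute. "
        "The details are below with my contact information.\n\n"
        "%s\n%s\n\n----Details/Logs----\n%s\n"
    ) % (ip, org, our_net, data_center, description, s["count"],
         s["first"].isoformat(), s["last"].isoformat(), s["per_minute"],
         reporter, contact, "\n".join(evidence))
    return extract_abuse_contacts(whois_text), subject, body


if __name__ == "__main__":
    to, subject, body = build_report(
        "192.0.2.44", SAMPLE_WHOIS, SAMPLE_LOG, "203.0.113.0/24",
        "Example DC (placeholder)", "SSH password brute force",
        "<Security Eng Name>", "<Contact Information>")
    print("To: " + ", ".join(to))
    print("Subject: " + subject)
    print()
    print(body)
```

The whole-address match in `select_evidence` matters more than it looks: a substring match on the IP would quietly attach someone else's traffic to the report, and a report that is wrong about its evidence is the quickest way to have an abuse desk stop reading your mail. The rate is computed from the evidence rather than typed in, so the "Rate of the Attack" slot in the template always agrees with the log excerpt beneath it.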


On Tue, May 4, 2010 at 7:21 AM,  <dynetworks () hotmail com> wrote:
Hello group!

I’ve already read some things around the net, but wanted some real answers from people that have had to do it.

Relating to incident response, how do you usually contact an offending host?  And when you do, what do you usually 
say/not say?  Now I know you’re thinking “Well that depends on what’s happening!!”…

So I’ll give you one example to reply with (and you’re free to run with more):

I check logs for a few different clients and one had strange activity over the weekend.  A lot of Active Directory 
query attempts as well as VNC attempts, RDP attempts, and other various queries (all denied).  Basically it was a 
very thorough ‘scan’ but I could see some intelligence on the other side.  No need to go into depth on that…yes, it 
‘could’ have been a well designed script, but I’d rather not debate about that honestly.  This went on for about an 
hour on Saturday morning, again at night, and for a few hours on Sunday.  It all came from one IP address.  After 
some more forensics, this same IP has done some pings, port scans in the past.  I didn’t consider this an incident, 
considering it’s the internet after all.

The IP address is from America - so I’m personally willing to devote some time into notifying the host and trying to 
make sure it doesn’t happen again.  I checked with the customer and they have never heard of this person/company.

Now that we’ve got some context – I have an email and phone number.  How would you proceed?

Thanks for any tips in advance!

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


