Security Incidents mailing list archives

Re: How to cope with, uhm, "mentally challenged" abuse personnel?


From: Justin Shore <macdaddy () NEO PITTSTATE EDU>
Date: Tue, 6 Mar 2001 12:31:56 -0600

On 3/6/01 5:18 AM Ralf G. R. Bergs said...

On Sat, 3 Mar 2001 15:07:43 -0600, Blake Frantz wrote:

A UU.net *router* was
trying to communicate with one of our core routers via TCP on a wide range
of arbitrary ports.  When asked, UU.net responded with "The type of
internet traffic you describe appears to be of normal origin." and
referred me to RFC 792 (ICMP) - I almost fell off my chair.  None the

This is the same thing they *always* do to me, and most scans I need to
report are RPC and FTP scans.

less, after we received their response the activity stopped.  Perhaps this
is the same in your case, a first level abuse manager sends out a generic
email to pacify would-be admins and escalates the incident.  Just a
thought.

*Sometimes* the activity stopped, but I had some cases where the activity
went on for days, so I had to black-hole that subnet. But that can't be an
optimal solution, don't you agree? I can't start to blackhole everyone,
because some day I hamper my users in their work... :-(

I've had to report probes to UUnet before.  The best method I found was
to first send the standard email with all the necessary info (logs,
description of the problem, etc...), wait 10 minutes, and then call them.
 I reference the email I sent and say that the problem is continuous and
ask for a resolution.  I usually have pretty good luck with that method.
Probes from UUnet are almost as common as spam from UUnet. :(

Justin


--
Justin Shore, ES                Pittsburg State University
Network & Systems Manager       Kelce 157Q
Office of Information Systems   Pittsburg, KS 66762
Voice: (620) 235-4606           Fax: (620) 235-4545
http://www.pittstate.edu/ois/

Warning:  This message has been quadruple Rot13'ed for your protection.

