nanog mailing list archives
Re: abuse reporting tools
From: Jimmy Hess <mysidia () gmail com>
Date: Fri, 21 Nov 2014 18:58:14 -0600
On Tue, Nov 18, 2014 at 7:41 PM, Robert Drake <rdrake () direcpath com> wrote:
On 11/18/2014 8:11 PM, Michael Brown wrote:
[snip]
amelioration. So I'm left with a very unsatisfactory feeling of either shutting down a possibly innocent customer based on a machines word, or attempting to start a dialog with random_script_user_99 () hotmail com.
Under those circumstances, how do you know it's not a social-engineering based DoS being attempted? Preferably, take no action to shutdown services without decent confirmation; as malicious reports of a fraudulent, bogus, dramatized, or otherwise misleading nature are sometimes used by malicious actors to target a legitimate user. My suggestion would be table the report of a single SSH connection and really do nothing with it. If there is actually abuse being conducted, you should either be able to independently verify the actual abuse, e.g. by checking packet level data or netflow data, or you should begin to receive a pattern of complaints; more unique contacts, that you can investigate and verify are legit. contacts from unique networks. If neither occurs, then just keep a log as an unconfirmed abuse report, which if unconfirmed for a few days may be forwarded to the end user for their information/records. -- -JH
Robert
Current thread:
- abuse reporting tools Mike (Nov 18)
- Re: abuse reporting tools Michael Brown (Nov 18)
- Re: abuse reporting tools Robert Drake (Nov 18)
- Re: abuse reporting tools Jimmy Hess (Nov 21)
- RE: abuse reporting tools Drew Weaver (Nov 25)
- Re: abuse reporting tools Robert Drake (Nov 18)
- Re: abuse reporting tools Michael Brown (Nov 18)
- Re: abuse reporting tools Rafael Possamai (Nov 18)
- Re: abuse reporting tools Ken Chase (Nov 18)
- Re: abuse reporting tools John Kristoff (Nov 19)
- Re: abuse reporting tools Paul Bennett (Nov 19)
- Re: abuse reporting tools Paul Bennett (Nov 19)
- Re: abuse reporting tools Franck Martin (Nov 19)
- Re: abuse reporting tools Paul Bennett (Nov 20)
- Re: abuse reporting tools Paul Bennett (Nov 25)
- Re: abuse reporting tools Paul Bennett (Nov 19)