nanog mailing list archives

Re: abuse reporting tools


From: Jimmy Hess <mysidia () gmail com>
Date: Fri, 21 Nov 2014 18:58:14 -0600

On Tue, Nov 18, 2014 at 7:41 PM, Robert Drake <rdrake () direcpath com> wrote:
On 11/18/2014 8:11 PM, Michael Brown wrote:
[snip]
amelioration.  So I'm left with a very unsatisfactory feeling of either
shutting down a possibly innocent customer based on a machine's word, or
attempting to start a dialog with random_script_user_99 () hotmail com.

Under those circumstances, how do you know it's not a
social-engineering-based DoS being attempted? Preferably, take no
action to shut down services without decent confirmation; malicious
reports of a fraudulent, bogus, dramatized, or otherwise misleading
nature are sometimes used by malicious actors to target a legitimate
user.

My suggestion would be to table the report of a single SSH connection and
really do nothing with it. If there is actually abuse being
conducted, you should either be able to independently verify the
actual abuse, e.g. by checking packet-level data or netflow data,
or you should begin to receive a pattern of complaints: more unique
contacts that you can investigate and verify are legitimate contacts
from unique networks.

If neither occurs, then just keep a log as an unconfirmed abuse
report, which, if unconfirmed for a few days, may be forwarded to the
end user for their information/records.

-- 
-JH

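One way to encode the triage policy from the message above (table a lone report, investigate only on netflow confirmation or complaints from several distinct networks, forward an unconfirmed report to the customer after a few days) as a small Python routine. This is an added example, not code from the thread; the thresholds, the /24 grouping of complainants, the address ranges and the function names are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_network

# Thresholds are assumptions standing in for "decent confirmation" and "a few days".
MIN_UNIQUE_NETWORKS = 3   # distinct complainant networks needed to treat reports as a pattern
HOLD_DAYS = 3             # age after which an unconfirmed report is forwarded to the customer

@dataclass
class Report:
    reporter_ip: str      # address the complaint came from
    target_ip: str        # customer address named in the complaint
    received: datetime

@dataclass
class Decision:
    action: str           # "investigate", "forward_to_customer" or "hold"
    unique_networks: int

def reporter_network(ip: str) -> str:
    """Collapse a reporter address to its /24 so one complainant's hosts count once."""
    return str(ip_network(f"{ip}/24", strict=False))

def triage(reports, target_ip: str, now: datetime, flow_confirmed: bool = False) -> Decision:
    """Decide what to do with the complaints received so far about target_ip.
    A lone report is tabled; netflow confirmation or complaints from enough
    distinct networks justify investigation; otherwise the report is held
    and, once older than HOLD_DAYS, forwarded to the end user for their records."""
    about = [r for r in reports if r.target_ip == target_ip]
    nets = {reporter_network(r.reporter_ip) for r in about}
    if flow_confirmed or len(nets) >= MIN_UNIQUE_NETWORKS:
        return Decision("investigate", len(nets))
    oldest = min((r.received for r in about), default=now)
    if now - oldest >= timedelta(days=HOLD_DAYS):
        return Decision("forward_to_customer", len(nets))
    return Decision("hold", len(nets))

# Constructed sample data (documentation address ranges, not real complaints).
NOW = datetime(2014, 11, 21, 18, 0)
SAMPLE = [
    Report("192.0.2.10", "10.0.0.5", NOW - timedelta(days=1)),   # two hosts in one /24 ...
    Report("192.0.2.11", "10.0.0.5", NOW - timedelta(days=1)),   # ... count as one complainant
    Report("198.51.100.5", "10.0.0.5", NOW),                     # second, unrelated network
]
THIRD_NETWORK = Report("203.0.113.77", "10.0.0.5", NOW)          # would make three networks

def later(days: int) -> datetime:
    return NOW + timedelta(days=days)   # clock advanced, for the aging case
```

With the sample data, `triage(SAMPLE, "10.0.0.5", NOW)` holds the report with two unique networks, adding `THIRD_NETWORK` tips it to "investigate", and `triage(SAMPLE, "10.0.0.5", later(3))` forwards the still-unconfirmed report to the customer.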