Re: Abuse Desks

[Matt Corallo via NANOG <nanog () nanog org>]

I don't think anyone in this thread meant to suggest that there is no reason to be concerned about such scans, as you
point out they are occasionally compromised hosts and the like. The real question here is what is the cost of sending
all that mail?

The abuse system as it exists today is largely useless - why do you think we so regularly see posts on NANOG asking for
introductions to a given network? If you've tried to actually get a hold of someone to address abuse at
AWS/GCP/OVH/Azure/etc/etc I'm sure you're aware that, more often than not, you just can't. For at least a few of those,
this isn't because they don't care, its because 99% of the mails to their abuse contacts are things that don't make
sense to take action on (see other comments in this thread for a million reasons why not).

Nothing wrong with just using fail2ban for its intended purpose - banning IPs that fail logins, but using it to send
mail to abuse leaves us in a world without an abuse system.

Matt

On 4/29/20 4:51 PM, Denys Fedoryshchenko wrote:
> On 2020-04-28 18:57, Mike Hammett wrote:
> > I noticed over the weekend that a Fail2Ban instance's complain
> > function wasn't working. I fixed it. I've noticed a few things:
> >
> > 1) Abusix likes to return RIR abuse contact information. The vast
> > majority are LACNIC, but it also has kicked back a couple for APNIC
> > and ARIN. When I look up the compromised IP address in Abusix via the
> > CLI, the APNIC and ARIN ones return both ISP contact information and
> > RIR information. When I look them up on the RIR's whois, it just shows
> > the ISP abuse information. Weird, but so rare it's probably just an
> > anomaly. However, almost everything I see in LACNIC's region is
> > returned with only the LACNIC abuse information when the ones I've
> > checked on LACNIC's whois list valid abuse information for that
> > prefix. Can anyone confirm they've seen similar behavior out of
> > Abusix? I reached out to them, but haven't heard back.
> > 2) Digital Ocean hits my radar far more than any other entity.
> > 3) Azure shows up a lot less than GCP or AWS, which are about similar
> > to each other.
> > 4) Around 5% respond saying it's been addressed (or why it's not in
> > the event of security researchers) within a couple hours. The rest I
> > don't know. I've had a mix of small and large entities in that
> > response.
> > 5) HostGator seems to have an autoresponder (due to a 1 minute
> > response) that just indicates that you sent nothing actionable,
> > despite the report including the relevant log file entries.
> > 6) Charter seems to have someone actually looking at it as it took
> > them 16 - 17 hours to respond, but they say they don't have enough
> > information to act on, requesting relevant log file entries...  which
> > were provided in the initial report and are even included in their
> > response. They request relevant log file entries with the date, time,
> > timezone, etc. all in the body in plain text, which was delivered.
> > 7) The LACNIC region has about 1/3 of my reports.
> >
> > Do these mirror others' observations with security issues and how
> > abuse desks respond?
>
> Although many people write here - no need to worry about such minor things, i strongly disagree.
>
> If someone littering server ssh logs for an hour, most likely on the other side:
> 1) A botnet-infected computer that needs to be fixed. Today ssh bruteforce,
> tomorrow spam and hosting scam and very real financial losses for some people.
> 2) A hacker who is looking for an easy target. If he succeed, law enforcement
> will come to you tomorrow and might waste lot of your time. And sometimes it’s
> some kid who, possibly will get an early warning, will not break his life by getting
> a criminal term.
>
> And how to fight with lazy operators who start differentiate on abuse, which is worth their
> majestic attention.
> I send proper abuse reports if there is no reaction to them - I make a null route of incoming SYN
> requests on all my servers, and sometimes i share an IP list with other operators who want to live
> in a "clean" internet, and not in a garbage dump.
> I have several resources hosted, so at the end techies of those "majestic ISPs" come with tears,
> when their customers start to torture their support and sales, and beg to be unlocked and
> most start to read abuse mailbox.
> Or they just lose customers.