North American Network Operators Group

RE: Abuse.cc ???

I tell ya, what really gets me in a bad mood is when my PIX logs show the same IP address hitting port 80 on 25 different IP's and the time line is 2 seconds start to finish. And then you report it, and it continues after a week every single day. Substitute port 80 here with 1433, 139, 135, and on and on.. When a Syslog trap with an NTP sync time base and the entire log is not good enough, I don't know what is....

Yesterday, I got word from a network operator that 50 entries was not sufficient. So I parsed 4 days' worth and sent them over 1200 messages from their block.. have not heard back yet.. With a syslog file, sometimes an IDS log and a Syslog.

Some ISP's either /dev/null all of it, or they can't stop their users or politics stop 'em..

Later,
J

> -----Original Message-----
> From: Simon Lyall [mailto:[email protected]]
> Sent: Friday, April 04, 2003 5:04 PM
> To: [email protected]
> Subject: Re: Abuse.cc ???
>
>
> On Thu, 3 Apr 2003, Gerald wrote:
> > I hate to play devil's advocate here, but I've been on the receiving end
> > of the [email protected] complaints that became unmanageable. The bulk of them
> > consisting of:
> >
> > "Your user at x.x.x.x attacked me!" (And this is sometimes the
> > nameserver:53 or mailserver:113)
>
> We added this to the auto-reply of our [email protected] address:
>
> --- cut - here ----
>
> For complaints of port scanning or supposed hacking attempts,
> complete logs of the abuse are required. At a minimum, a log
> of abuse contains the time (including time zone) it happened,
> the hosts/ips involved and the ports involved.
>
> Please note that we received a large number of false complaints from people
> using personal firewall programs regarding port scanning. If you are
> submitting a complaint based on the logs from one of these programs we
> highly suggest you read the following:
>
> http://www.samspade.org/d/persfire.html AND
> http://www.samspade.org/d/firewalls.html
>
> --- cut - here ----
>
> The abuse guys concentrate on spam reports, open-relay reports and
> sometimes port scanning reports from proper admins (these are easy to
> spot). Junk from dshield.org and the like is pushed to the bottom of the
> priority list. There are just too many random packets flying about for the
> personal firewall reports to be useful.
>
> The other problem is it's hard to act against a client based on one packet
> received by some person on the other side of the world running a program
> they don't understand. At least with spam reports you'll get several
> independent reports with full headers and if they use our servers we'll
> even have our own logs.
>
> --
> Simon Lyall.                | Newsmaster   | Work: [email protected]
> Senior Network/System Admin | Postmaster   | Home: [email protected]
> Ihug Ltd, Auckland, NZ      | Asst Doorman | Web: http://www.darkmere.gen.nz
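The two sides of this thread agree on one thing: a useful abuse report is the one-source-to-many-hosts pattern J describes, sent with the fields Simon's auto-reply asks for (time with zone, hosts/IPs, ports). The script below is an added example, not code from anyone in the thread: it reads constructed PIX-style deny lines with NTP-synced UTC timestamps, flags a source that hits the same port on several distinct destinations inside a short window, and renders the evidence in reportable form. The log format, thresholds and addresses are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines, loosely in the style of PIX "Deny tcp" syslog entries
# with an NTP-synced UTC timestamp. Addresses come from documentation ranges.
SAMPLE_LOG = """\
Apr 04 2003 17:04:01 UTC %PIX-4-106023: Deny tcp src outside:198.51.100.7/3391 dst inside:192.0.2.10/80
Apr 04 2003 17:04:01 UTC %PIX-4-106023: Deny tcp src outside:198.51.100.7/3392 dst inside:192.0.2.11/80
Apr 04 2003 17:04:02 UTC %PIX-4-106023: Deny tcp src outside:198.51.100.7/3393 dst inside:192.0.2.12/80
Apr 04 2003 17:04:02 UTC %PIX-4-106023: Deny tcp src outside:203.0.113.5/40001 dst inside:192.0.2.10/80
Apr 04 2003 17:04:02 UTC %PIX-4-106023: Deny tcp src outside:198.51.100.7/3394 dst inside:192.0.2.13/80
Apr 04 2003 17:04:03 UTC %PIX-4-106023: Deny tcp src outside:198.51.100.7/3395 dst inside:192.0.2.14/80
Apr 04 2003 17:05:30 UTC %PIX-4-106023: Deny tcp src outside:198.51.100.7/3396 dst inside:192.0.2.20/1433
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) UTC .*Deny (?P<proto>tcp|udp) "
    r"src \w+:(?P<src>[\d.]+)/\d+ dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def parse(log):
    # Yield (timestamp_utc, src, dst, dport) per deny line; unmatched lines are skipped.
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc)
            yield ts, m["src"], m["dst"], int(m["dport"])

def find_scans(log, min_hosts=4, window=timedelta(seconds=10)):
    # Flag (src, dport) pairs reaching >= min_hosts distinct destinations within one window.
    hits = defaultdict(list)
    for ts, src, dst, dport in parse(log):
        hits[(src, dport)].append((ts, dst))
    findings = []
    for (src, dport), events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = [(t, d) for t, d in events[i:] if t - start <= window]
            dsts = sorted({d for _, d in in_window})
            if len(dsts) >= min_hosts:
                findings.append({"src": src, "dport": dport, "first": start,
                                 "last": in_window[-1][0], "dsts": dsts})
                break  # one finding per (src, port) is enough for a report
    return findings

def abuse_report(f):
    # Render what an abuse desk asks for: times with zone, hosts/IPs and ports.
    head = (f"Source {f['src']} scanned port {f['dport']} on {len(f['dsts'])} hosts "
            f"between {f['first'].isoformat()} and {f['last'].isoformat()}")
    return "\n".join([head, *(f"  {f['src']} -> {d}:{f['dport']}" for d in f["dsts"])])
```

The single hit on 1433 and the repeated hits from 203.0.113.5 on one host stay below the threshold, which is the distinction between a scan and the "one packet from someone running a program they don't understand" case Simon describes.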