North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Automated Network Abuse Reporting

  • From: Stephen Perciballi
  • Date: Mon Dec 29 17:19:37 2003


Take for instance.  They aggregate logs from various sources and
send complaints to the upstream provider. This is something that would work for
you Jason.

Working for an AUP department at an ISP, we gladly accept automated complaints.
Sending the complaint downstream for investigation should be standard procedure.  
Taking action against repeated complaints (differing time stampts of course)  
after at least one warning should follow.

Forwarding the complaint either by email or by phone to your downstream
shouldn't be considered a problem.  Just don't shoot first and ask questions
later.  It's a pretty safe bet to say that something is going wrong on a
downstream network if you are getting complaints from multiple sources.

In fact, reactions seem to be split in 3.  The angry ones are the ones we get
logs about their PAT address and they freak out because null routing them would
effectively shut down their entire network.  The indifferent ones are typically
used to these problems and rectify the problem, case closed.  Finally, we
actually get customers giving us kudos because we advised them of a problem on
their network.

[Mon, Dec 29, 2003 at 12:59:09PM -0500]
Daniel Medina Inscribed these words...

>  Not wanting to be ripped to shreds here, I think it's still worthwhile 
> to alert people to, say, Slammer-infected hosts on their networks.
>  Sure, the good folks are already monitoring their networks for hosts
> sourcing things like that, and they're also the ones that will know how
> to deal with automated complaints.  The people that don't already
> monitor their networks will benefit from being alerted.
> On Mon, Dec 29, 2003 at 12:32:52PM -0500, Richard A Steenbergen wrote:
> > 
> > On Mon, Dec 29, 2003 at 08:24:16AM -0800, Joel Jaeggli wrote:
> > > 
> > > if you automate abuse reporting you can basically assume that the reciver 
> > > will automate abuse handling. since that has in fact happened as far as i 
> > > can tell the probably of you automated asbuse replaies ever reaching a 
> > > human who cares or can do something about it is effecetivly zero.
> > 
> > It's difficult to sort out legitimate complaints for port scanning.
> > Consider that the vast majority of such complaints a provider receieves,
> > particularly automated ones (groan), are just flat out wrong or stupid (or
> > both).
> > 
> > For example: "Your web server is hacking my web browser on port 80", or
> > "Why are you probing me with UDP packets on port 53 from this host named
> > NS1...", but usually stated with far more capital letters, misspellings, 
> > profanity, and threats to sue or report your web server to the 
> > authorities because it dared to respond to their port 80 connection. :)
> > ...
> [snip]
> -- 
> medina


Stephen (routerg)