North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: abusereporting (was Re: Monumentous task of making a list)

  • From: Stephen Gill
  • Date: Sun Feb 08 12:29:49 2004

Hi Mikael,

Aside from the standardization issue, some of the problems with reports as
they stand are that they can be routed to the wrong people, there is no
clear way of verifying the authenticity of the data, and the sheer number of
reports can inundate a given abuse helpdesk such that they are tempted not
to take any action at all.

Having a standardized report format is a great idea.  In our experience
information needs to come from a trusted source or people are less likely to
act on the information provided.  We've also found it helpful to submit the
reports to the ASN maintainers (ISPs) using real-time BGP routing table
information to determine who is responsible for a given netblock rather than
relying on archaic whois data.  The reports are also rolled up into concise
summaries where possible so as not to inundate AS maintainers with
unnecessary data.

If you'd like to quickly determine who is routing a given IP address, you
can send your queries to the CYMRU whois server.  More information about it
can be found here:

Members of NSP-SEC receive reports on a weekly or ad-hoc basis summarizing
what others are seeing emanating from their networks.  The reports are in
turn processed by many, such that ISPs can alert their own customers and
downstreams of potential problems.  A summary of what types of reports are
submitted can be found here:

We agree that having a timestamp is crucial to problem resolution, most
preferably in GMT.  We accompany all IP numbers with an ASN which is used to
route the report to the appropriate network boundary.  All reports receive a
context quantifying and providing a scope around the data.

Steve, for Team Cymru.

Date: Sun, 8 Feb 2004 10:43:11 +0100 (CET)
From: Mikael Abrahamsson <[email protected]>
Subject: abusereporting (was Re: Monumentous task of making a list)

On Sun, 8 Feb 2004, Suresh Ramasubramanian wrote:

> The problem with trojans etc is that there so damn many of them, so the 
> less time spent actually tracking down the user who was on IP X at time 
> Y, the better it is for the ISP's staffers who handle complaints about 
> these.

I have asked about this before. Wouldnt it be very nice if there was a 
standardized way to report IP-number and timestamp and type of complaint?

I've seen something produced by some workgroup (RIPE?) but that was a huge 
document about XML and it seemed non-trivial to implement. I was more into 
the idea of having basically email headers like:

X-ABUSEREPORT-DATE: <unix timestamp>
X-ABUSEREPORT-TYPE: <spam|abuse|ddos|other>

This should make it trivial for most automated tools to append this 
(spambouncer etc) and make it much easier for the abuse system to do a 
user lookup before presenting the abuse email to the handler, even 
providing the user email address so the handler can take action.

- -- 
Mikael Abrahamsson    email: [email protected]