[166808] in North American Network Operators' Group


Re: Automatic abuse reports

daemon@ATHENA.MIT.EDU (Sam Moats)
Tue Nov 12 16:54:15 2013

To: <nanog@nanog.org>
Date: Tue, 12 Nov 2013 16:52:05 -0500
From: Sam Moats <sam@circlenet.us>
Mail-Reply-To: <sam@circlenet.us>
In-Reply-To: <Pine.LNX.4.64.1311122255060.7242@crisp>
Reply-To: sam@circlenet.us
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

We used to use a small perl script called tattle that would parse out 
the /var/log/secure on our *nix boxes, isolate the inbound ssh exploits, 
look up the proper abuse contacts and report them. I haven't seen 
anything similar in years but it would be interesting to do more than 
null route IPs.

The problem we had with the automated reporting was dealing with 
spoofed sources; we see lots of traffic that is obviously hostile but 
unless it becomes serious enough to impact performance we rarely report 
it. An automated system didn't seem to fit anymore due to false 
positives.

A number of providers who aren't exactly interested in the overall good 
health of the net do a poor job of network ingress filtering, so unless 
I closely examine the traffic and its origins I can't trust the source 
address information in the DDOS traffic, and I run the risk of crying 
wolf to a provider who is just as much a victim as I am. (Think of my 
ACK packets piling up in his network in response to the bogus SYN 
packets I'm getting.) So we reserve complaints for when there is an 
actual impact and try to keep the signal to noise ratio in our reports 
decent.

I'm not really happy with this approach and I'm open to ideas!

Thanks
Sam Moats

On 2013-11-12 16:58, Jonas Björklund wrote:
> Hello,
>
> We often get abuse reports on hosts that have been involved in DDOS 
> attacks.
> We contact the owner of the host and help them fix the problem.
>
> I would also like to start sending these abuse reports to the ISP of the 
> source.
>
> Are there any available tools for this? Is there any plugin for 
> nfsen?
>
> Do I need to write my own scripts for this?
>
> /Jonas
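As an added example, not Sam's tattle script and not part of the original thread, here is a Python sketch of the first two stages he describes: parsing /var/log/secure for failed ssh logins and picking out the sources that are worth reporting at all. The sample log lines, the failure threshold and the list of unreportable ranges are constructed assumptions; the abuse-contact lookup and the sending of the report are left to the operator.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample in /var/log/secure (sshd) format; not real log data.
SAMPLE_SECURE_LOG = """\
Nov 12 16:01:02 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Nov 12 16:01:05 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Nov 12 16:01:09 host sshd[2103]: Failed password for root from 203.0.113.7 port 51251 ssh2
Nov 12 16:01:12 host sshd[2105]: Failed password for root from 198.51.100.20 port 40110 ssh2
Nov 12 16:01:30 host sshd[2107]: Failed password for alice from 10.0.0.5 port 50001 ssh2
Nov 12 16:01:31 host sshd[2107]: Failed password for alice from 10.0.0.5 port 50002 ssh2
Nov 12 16:01:32 host sshd[2107]: Failed password for alice from 10.0.0.5 port 50003 ssh2
Nov 12 16:02:00 host sshd[2110]: Accepted publickey for alice from 198.51.100.20 port 40200 ssh2
"""

# A "Failed password" line is only logged after a completed TCP handshake, so
# unlike the SYN-flood traffic discussed above the source is not trivially spoofed.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Ranges no provider can act on (RFC 1918, loopback, link-local, CGNAT, multicast,
# reserved). The RFC 5737 documentation ranges are left out so the sample has a hit.
UNREPORTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def failed_logins(log_text):
    """Count sshd password failures per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def reportable_sources(log_text, threshold=3):
    """Sources with at least `threshold` failures from an address a provider could act on."""
    out = {}
    for ip_str, n in failed_logins(log_text).items():
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            continue  # malformed address field; never report on garbage
        if n >= threshold and not any(ip in net for net in UNREPORTABLE):
            out[ip_str] = n
    return out
```

Running `reportable_sources(SAMPLE_SECURE_LOG)` yields only 203.0.113.7 with three failures: the RFC 1918 host is skipped as unreportable and the single failure from 198.51.100.20 stays below the threshold.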