[173838] in North American Network Operators' Group


Re: Dealing with abuse complaints to non-existent contacts

daemon@ATHENA.MIT.EDU (Stephen Satchell)
Sun Aug 10 13:05:02 2014

X-Original-To: nanog@nanog.org
Date: Sun, 10 Aug 2014 10:04:54 -0700
From: Stephen Satchell <list@satchell.net>
To: "nanog@nanog.org" <nanog@nanog.org>
In-Reply-To: <CAO8NbkRLFtdOs+6sOmEWzRpi3ONwShjPGvicnVQb46MAk+5Lnw@mail.gmail.com>
Errors-To: nanog-bounces@nanog.org

On 08/10/2014 08:19 AM, Gabriel Marais wrote:
> Hi Nanog
> 
> I'm curious.
> 
> I have been receiving some major ssh brute-force attacks coming from random
> hosts in the 116.8.0.0 - 116.11.255.255 network. I have sent a complaint to
> the e-mail addresses obtained from a whois query on one of the IP Addresses.
> 
> My e-mail bounced back from both recipients. One being rejected by filter
> and the other because the e-mail address doesn't exist. I would have
> thought that contact details are rather important to be up to date, or not?
> 
> Besides just blocking the IP range on my firewall, I was wondering what
> others would do in this case?
> 
> 
> Regards, Gabriel
> 

I no longer try to send notices to network operators that don't publish
a working abuse mail address for the netrange assignment or the SWIP.
For the best-practices-clueless, I just round-file them when I see
attacks above a certain level.  Ditto mail attacks, particularly from
netranges/servers that don't have working postmaster@ addresses or MX.
(I'm considering adding a separate network ACL for SMTP/SUBMISSION in my
mail servers, but so far all the verifiable mail abusers have had other
bad habits, too.)

From my firewall generator's "kill network" list:
116.10.191.0/24		china ssh abuser 2014 August

That entry went into the ACL six months ago, but it's only recently that
I started dating the entries.

I now have canaries (tcpwrappers, logwatch) in four systems on widely
separate IP netranges.  Those systems have a virtually-everything-closed
firewall (IPTables, logwatch) and the resulting logs show where some of
the most vicious scans are coming from.  PLONK!
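The dated kill-network list and the canary logs described in the post, worked through as an added example; this is not Satchell's firewall generator or any code from the thread. Everything below is an assumption for illustration: the tab-separated list layout with a "YYYY Month" note, the syslog line format, the 180-day review age, the threshold of three failures, the KILLNET chain name, and the sample list and log lines, which are constructed.

```python
# Added example, not code from the post or any real firewall generator: a
# minimal dated "kill network" list handler.  File layout, log format,
# threshold, and chain name are assumptions for illustration.
import ipaddress
import re
from collections import Counter
from datetime import date

MONTH_NAMES = ["January", "February", "March", "April", "May", "June", "July",
               "August", "September", "October", "November", "December"]
DATE_RE = re.compile(r"\b(\d{4}) (" + "|".join(MONTH_NAMES) + r")\b")
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+")

# Constructed kill list in the post's layout: network, tab, note ending "YYYY Month".
KILL_LIST = """\
116.10.191.0/24\tchina ssh abuser 2014 August
# comments and blank lines are ignored
203.0.113.0/24\tdocumentation range, stale example 2014 February
"""

# Constructed sshd lines as a logwatch/tcpwrappers canary would collect them.
AUTH_LOG = """\
Aug 10 09:01:12 canary1 sshd[2211]: Failed password for root from 116.10.191.17 port 51234 ssh2
Aug 10 09:01:13 canary1 sshd[2211]: Failed password for root from 116.10.191.17 port 51236 ssh2
Aug 10 09:01:15 canary1 sshd[2213]: Failed password for invalid user admin from 116.10.191.201 port 40000 ssh2
Aug 10 09:02:40 canary1 sshd[2220]: Failed password for invalid user oracle from 198.51.100.9 port 33002 ssh2
Aug 10 09:02:41 canary1 sshd[2220]: Failed password for invalid user oracle from 198.51.100.9 port 33004 ssh2
Aug 10 09:02:45 canary1 sshd[2224]: Failed password for invalid user test from 198.51.100.10 port 33010 ssh2
Aug 10 09:03:00 canary1 sshd[2230]: Accepted publickey for ops from 192.0.2.5 port 50000 ssh2
"""

def parse_kill_list(text):
    """[(network, note)] per entry; malformed or host-bit CIDRs raise ValueError."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cidr, _, note = line.partition("\t")
        try:
            net = ipaddress.ip_network(cidr.strip(), strict=True)  # 1.2.3.4/24 rejected
        except ValueError as exc:
            raise ValueError(f"kill list line {lineno}: {exc}") from None
        entries.append((net, note.strip()))
    return entries

def entry_date(note):
    """Date from a 'YYYY Month' suffix, or None for an undated entry."""
    m = DATE_RE.search(note)
    return date(int(m.group(1)), MONTH_NAMES.index(m.group(2)) + 1, 1) if m else None

def stale_entries(entries, today, max_age_days=180):
    """Entries undated or older than max_age_days: worth re-checking before they stay forever."""
    return [net for net, note in entries
            if entry_date(note) is None or (today - entry_date(note)).days > max_age_days]

def failed_logins_by_prefix(log_text, prefixlen=24):
    """Count sshd 'Failed password' lines per source prefix."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # hostname or garbage in the source field
        counts[ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)] += 1
    return counts

def propose_kill_entries(counts, existing, threshold, today):
    """Prefixes at or above threshold that no existing kill entry already covers."""
    proposed = []
    for net, n in counts.most_common():
        if n < threshold:
            break
        if any(k.version == net.version and net.subnet_of(k) for k in existing):
            continue
        proposed.append((net, f"ssh abuser {today.year} {MONTH_NAMES[today.month - 1]}"))
    return proposed

def iptables_rules(entries, chain="KILLNET"):
    """iptables-restore fragment: user chain, one DROP per network, note kept as a comment."""
    lines = [f":{chain} - [0:0]"]
    for net, note in entries:
        comment = note.replace('"', "")[:255]  # xt_comment holds at most 256 bytes
        lines.append(f'-A {chain} -s {net} -m comment --comment "{comment}" -j DROP')
    lines.append(f"-A {chain} -j RETURN")
    return "\n".join(lines)

def run(today=date(2014, 8, 10), threshold=3):
    entries = parse_kill_list(KILL_LIST)
    counts = failed_logins_by_prefix(AUTH_LOG)
    proposed = propose_kill_entries(counts, [n for n, _ in entries], threshold, today)
    return {"stale": stale_entries(entries, today), "counts": counts,
            "proposed": proposed, "rules": iptables_rules(entries + proposed)}

if __name__ == "__main__":
    print(run()["rules"])
```

Two details matter in practice. `strict=True` makes the generator refuse an entry such as `116.10.191.5/24`, so a typo cannot silently widen or narrow a block; and keeping the "YYYY Month" note on each entry is what lets `stale_entries` surface old blocks for a re-check instead of leaving them in the ACL indefinitely, which is the problem the post describes with undated entries. The rendered chain is meant to be loaded with `iptables-restore` and jumped to from INPUT; rolling scan sources up to a /24 mirrors the post's entry but is a local choice, not something whois tells you.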


