[57387] in North American Network Operators' Group
RE: Abuse.cc ???
daemon@ATHENA.MIT.EDU (McBurnett, Jim)
Fri Apr 4 22:52:11 2003
Date: Fri, 4 Apr 2003 22:51:27 -0500
From: "McBurnett, Jim" <jmcburnett@msmgmt.com>
To: "Simon Lyall" <simon.lyall@ihug.co.nz>, <nanog@merit.edu>
Errors-To: owner-nanog-outgoing@merit.edu
I tell ya, what really gets me in a bad mood is when my PIX logs
show the same IP address hitting port 80 on 25 different IP's
and the time line is 2 seconds start to finish.
And then you report it, and it continues after a week every single day.
Substitute port 80 here with 1433, 139, 135, and on and on..
When a Syslog trap with an NTP-synced time base and the entire log is not good
enough, I don't know what is....
Yesterday, I got word from a network operator that 50 entries were not sufficient.
So I parsed 4 days' worth and sent them over 1200 messages from their block..
have not heard back yet..
With a syslog file, sometimes an IDS log and a syslog.
Some ISP's either /dev/null all of it, or they can't stop their users
or politics stop 'em..
Later,
J
> -----Original Message-----
> From: Simon Lyall [mailto:simon.lyall@ihug.co.nz]
> Sent: Friday, April 04, 2003 5:04 PM
> To: nanog@merit.edu
> Subject: Re: Abuse.cc ???
>
>
>
> On Thu, 3 Apr 2003, Gerald wrote:
> > I hate to play devil's advocate here, but I've been on the receiving end
> > of the abuse@ complaints that became unmanageable. The bulk of them
> > consisting of:
> >
> > "Your user at x.x.x.x attacked me!" (And this is sometimes the
> > nameserver:53 or mailserver:113)
>
> We added this to the auto-reply of our abuse@ address:
>
> --- cut - here ----
>
> For complaints of port scanning or supposed hacking attempts,
> complete logs of the abuse are required. At a minimum, a log
> of abuse contains the time (including time zone) it happened,
> the hosts/ips involved and the ports involved.
>
> Please note that we received a large number of false complaints from people
> using personal firewall programs regarding port scanning. If you are
> submitting a complaint based on the logs from one of these programs we
> strongly suggest you read the following:
>
> http://www.samspade.org/d/persfire.html AND
> http://www.samspade.org/d/firewalls.html
>
> --- cut - here ----
>
> The abuse guys concentrate on spam reports, open-relay reports and
> sometimes port scanning reports from proper admins (these are easy to
> spot). Junk from dshield.org and the like is pushed to the bottom of the
> priority list. There are just too many random packets flying about for the
> personal firewall reports to be useful.
>
> The other problem is it's hard to act against a client based on one packet
> received by some person on the other side of the world running a program
> they don't understand. At least with spam reports you'll get several
> independent reports with full headers and if they use our servers we'll
> even have our own logs.
>
> -- 
> Simon Lyall. | Newsmaster | Work: simon.lyall@ihug.co.nz
> Senior Network/System Admin | Postmaster | Home: simon@darkmere.gen.nz
> Ihug Ltd, Auckland, NZ | Asst Doorman | Web: http://www.darkmere.gen.nz
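Editor's added example (not code from either poster): the two messages above describe the same problem from both sides. Jim sees one source hitting port 80 on 25 addresses in two seconds and wants the report taken seriously; Simon's auto-reply says a usable report needs the time including time zone, the hosts/IPs and the ports, plus the complete log. The script below ties those together: it parses firewall deny lines in a simplified PIX-like syslog format (the sample lines, the addresses, the year and the UTC-5 firewall clock offset are all constructed for the example, and the message layout is approximated rather than copied from a real PIX, so the regex would need adjusting to real output), converts the zone-less syslog timestamps to UTC, flags a source that reaches several distinct destinations on one port inside a short window, and prints a report in the shape Simon's abuse desk asks for. The window of 10 seconds and the threshold of 5 targets are assumptions; a lone packet from a nameserver's port 53 (the "your nameserver attacked me" false positive) does not trip it.

```python
"""Scan detection over PIX-style syslog, emitting an abuse report with
UTC times, hosts, ports and the raw log lines.

Example added to the thread; log lines, addresses, clock offset and
thresholds are constructed assumptions, not data from the posts.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# PIX syslog timestamps carry neither a year nor a zone, so the person
# writing the report must supply both. Assumed values for the example.
LOG_YEAR = 2003
LOG_TZ = timezone(timedelta(hours=-5))   # firewall's local clock, UTC-5

# Constructed sample: one web scan (6 hosts in 2 s), two SQL probes
# (below threshold), one stray DNS packet, and a non-deny line to ignore.
SAMPLE_LOG = """\
Apr  4 22:40:01 fw1 %PIX-6-106023: Deny tcp src outside:203.0.113.77/3456 dst inside:198.51.100.10/80 by access-group "outside_in"
Apr  4 22:40:01 fw1 %PIX-6-106023: Deny tcp src outside:203.0.113.77/3457 dst inside:198.51.100.11/80 by access-group "outside_in"
Apr  4 22:40:02 fw1 %PIX-6-106023: Deny tcp src outside:203.0.113.77/3458 dst inside:198.51.100.12/80 by access-group "outside_in"
Apr  4 22:40:02 fw1 %PIX-6-106023: Deny tcp src outside:203.0.113.77/3459 dst inside:198.51.100.13/80 by access-group "outside_in"
Apr  4 22:40:02 fw1 %PIX-6-106023: Deny tcp src outside:203.0.113.77/3460 dst inside:198.51.100.14/80 by access-group "outside_in"
Apr  4 22:40:03 fw1 %PIX-6-106023: Deny tcp src outside:203.0.113.77/3461 dst inside:198.51.100.15/80 by access-group "outside_in"
Apr  4 22:41:10 fw1 %PIX-6-106023: Deny tcp src outside:203.0.113.9/1025 dst inside:198.51.100.20/1433 by access-group "outside_in"
Apr  4 22:41:12 fw1 %PIX-6-106023: Deny tcp src outside:203.0.113.9/1026 dst inside:198.51.100.21/1433 by access-group "outside_in"
Apr  4 22:42:00 fw1 %PIX-6-106023: Deny udp src outside:192.0.2.5/53 dst inside:198.51.100.30/1029 by access-group "outside_in"
Apr  4 22:42:05 fw1 %PIX-6-302013: Built outbound TCP connection 12345 for outside:192.0.2.8/80 to inside:198.51.100.40/2048
"""

# Approximated deny-line layout: "<mon> <day> <hh:mm:ss> <host> %PIX-<sev>-<id>: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> ..."
DENY_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<hms>\d{2}:\d{2}:\d{2}) \S+ "
    r"%PIX-\d-\d+: Deny (?P<proto>tcp|udp) "
    r"src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_line(line, year=LOG_YEAR, tz=LOG_TZ):
    """Return an event dict with a UTC-aware timestamp, or None for non-deny lines."""
    m = DENY_RE.match(line)
    if not m:
        return None
    stamp = f"{year} {m['mon']} {int(m['day']):02d} {m['hms']}"
    local = datetime.strptime(stamp, "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
    return {
        "time": local.astimezone(timezone.utc),
        "proto": m["proto"], "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]), "raw": line,
    }


def detect_scans(events, window=timedelta(seconds=10), min_targets=5):
    """Flag (src, proto, dport) groups that reach >= min_targets distinct
    destinations inside any window; report the densest window per group."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["src"], ev["proto"], ev["dport"])].append(ev)
    scans = []
    for (src, proto, dport), evs in groups.items():
        evs.sort(key=lambda e: e["time"])
        best = None
        for i, start in enumerate(evs):
            j = i
            while j < len(evs) and evs[j]["time"] - start["time"] <= window:
                j += 1
            chunk = evs[i:j]
            targets = {e["dst"] for e in chunk}
            if len(targets) >= min_targets and (best is None or len(targets) > len(best["targets"])):
                best = {"src": src, "proto": proto, "dport": dport,
                        "first": chunk[0]["time"], "last": chunk[-1]["time"],
                        "targets": sorted(targets),
                        "lines": [e["raw"] for e in chunk]}
        if best:
            scans.append(best)
    return scans


def format_report(scans):
    """Report in the form Simon's auto-reply asks for: time with zone, hosts, ports, full log."""
    out = []
    for s in scans:
        span = (s["last"] - s["first"]).total_seconds()
        out.append(f"Source {s['src']} probed {len(s['targets'])} hosts on "
                   f"{s['proto']}/{s['dport']} between {s['first'].isoformat()} "
                   f"and {s['last'].isoformat()} ({span:.0f}s; all times UTC)")
        out.append("Targets: " + ", ".join(s["targets"]))
        out.append("Firewall log lines (NTP-synced clock, local time, converted above):")
        out.extend("  " + line for line in s["lines"])
        out.append("")
    return "\n".join(out)


def run(log_text=SAMPLE_LOG):
    events = [ev for ev in (parse_line(l) for l in log_text.splitlines()) if ev]
    return detect_scans(events)


if __name__ == "__main__":
    print(format_report(run()))
```

The report deliberately converts to UTC rather than sending the firewall's local time: the receiving abuse desk is often in another zone (here, New Zealand), and a timestamp without an offset is exactly the complaint Simon's auto-reply is filtering out. Raising the threshold, or grouping by source alone instead of by source and port, is how to tune it toward the 25-hosts-in-2-seconds case Jim describes.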