[67326] in North American Network Operators' Group


Re: abusereporting

daemon@ATHENA.MIT.EDU (Suresh Ramasubramanian)
Sun Feb 8 06:01:44 2004

To: nanog@nanog.org
Cc: swmike@swm.pp.se (Mikael Abrahamsson)
From: suresh@outblaze.com (Suresh Ramasubramanian)
Date: Sun, 08 Feb 2004 16:30:56 +0530
In-Reply-To: <Pine.LNX.4.44.0402081037470.7997-100000@uplift.swm.pp.se> (Mikael
 Abrahamsson's message of "Sun, 8 Feb 2004 10:43:11 +0100 (CET)")
Errors-To: owner-nanog-outgoing@merit.edu


>>>>> "Mikael" == Mikael Abrahamsson <swmike@swm.pp.se> writes:

    Mikael> On Sun, 8 Feb 2004, Suresh Ramasubramanian wrote:

    Mikael> I have asked about this before. Wouldn't it be very nice if
    Mikael> there was a standardized way to report IP-number and
    Mikael> timestamp and type of complaint?

There isn't one yet.

Some people are trying to put together a simplistic looking BCP -
http://www.tmisnet.com/~strads/spam/bcp.html

    Mikael> I've seen something produced by some workgroup (RIPE?) but
    Mikael> that was a huge document about XML and it seemed
    Mikael> non-trivial to implement. I was more into the idea of
    Mikael> having basically email headers like:

There is a RIPE WG on spam (I think chaired by Rodney Tillotson from
JANET/CERT).  But I don't recall something like this being proposed
.. and XML is a rather unruly beast to manage, especially for joe
user.

Your idea of headers might work - or something on the lines of send-pr
on *bsd.  All that the NOC staff receiving it would require is that it
stays simple, without stuff like:

Frenzied abuse
Screenshots from fancy IDS / software firewall products
Long lectures on why spam / DDoS / other network abuse is bad

A short two or three line summary of the issue, accurate timestamps
and a set of excerpts from your logs (not a whole lot, just enough to
make the situation obvious) should be enough.

Another big help is giving the NOC access to a good ticketing system
which understands the difference between customer support and net
abuse handling (here, your customers are the problems, for starters).
RT3 has a lot of code (courtesy Paul Vixie and the other people at
MAPS who were hacking on it) - but there's a nice new product called
Abacus - http://word-to-the-wise.com/abacus that looks promising.

       srs
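
An added example, not part of the original post: a validator for a header-style report carrying the IP address, timestamp and complaint type discussed above, plus a short summary and a small log excerpt. The `X-Abuse-*` header names, the complaint types, the log-line cap and the sample report are all assumptions constructed for illustration; the thread defines no format.

```python
import ipaddress
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Hypothetical values: the thread names no headers, types or limits.
TYPES = {"spam", "ddos", "scan", "other"}
MAX_SUMMARY_LINES = 3   # "a short two or three line summary"
MAX_LOG_LINES = 10      # assumed cap for "not a whole lot"

# Constructed sample report (documentation address, made-up log lines).
SAMPLE = """\
X-Abuse-IP: 192.0.2.10
X-Abuse-Timestamp: Sun, 8 Feb 2004 10:43:11 +0100
X-Abuse-Type: spam

Unsolicited bulk mail relayed through this host.
Three deliveries within one minute.

Feb  8 10:43:11 mx1 smtpd: connect from unknown[192.0.2.10]
Feb  8 10:43:12 mx1 smtpd: reject: RCPT from unknown[192.0.2.10]
"""

def parse_report(raw):
    """Return (fields, problems); an empty problems list means usable."""
    msg = message_from_string(raw)
    problems = []
    fields = {"type": (msg["X-Abuse-Type"] or "").strip().lower()}
    if fields["type"] not in TYPES:
        problems.append("bad or missing complaint type")
    try:
        ip = ipaddress.ip_address((msg["X-Abuse-IP"] or "").strip())
        fields["ip"] = str(ip)
    except ValueError:
        problems.append("bad or missing IP address")
    try:
        when = parsedate_to_datetime(msg["X-Abuse-Timestamp"] or "")
        if when.tzinfo is None:  # no offset: cannot be matched to logs
            problems.append("timestamp has no UTC offset")
        else:
            fields["utc"] = when.astimezone(timezone.utc).isoformat()
    except (TypeError, ValueError):
        problems.append("bad or missing timestamp")
    # Body layout (assumed): summary paragraph, blank line, log excerpt.
    summary, _, logs = msg.get_payload().strip().partition("\n\n")
    fields["summary"] = summary.splitlines()
    fields["logs"] = [line for line in logs.splitlines() if line.strip()]
    if not 1 <= len(fields["summary"]) <= MAX_SUMMARY_LINES:
        problems.append("summary must be 1-3 lines")
    if not 1 <= len(fields["logs"]) <= MAX_LOG_LINES:
        problems.append("log excerpt missing or too long")
    return fields, problems
```

Normalising the timestamp to UTC lets the receiving NOC match it against its own logs whatever time zone the reporter is in.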

