On Sun Sep 18, 2016 at 05:17:33PM +0200, Florian Weimer wrote:
Okay, then perhaps my guess of the ISP involved is wrong.
It's not hard to find out who I work for :)
Out of curiosity, how common is end-to-end reporting of source/destination port information (in addition to source IP addresses and destination IP addresses)? Have the anti-abuse mechanisms finally caught on with CGNAT, or is it possible that the PSN operator themselves do not have such detailed data?
99.99% of abuse reports we receive contain the information, but that's because 99.99% of abuse reports we receive are from the 'copyright police', and their tools capture and include it in the reports. Once you discard that 99.99%, and are left with the stuff that is worthy of manual investigation, I'd say that almost all of it only contains timestamp and source IP. Sometimes it'll also contain destination IP (so we can take a best guess based on netflow data), and very occasionally it'll also contain source port information.

I'd say the same also applies to requests for information that we receive from law enforcement agencies. In most cases, they're working from weblogs, and I'd be tempted to say that most webservers' 'out of the box' configuration does not log source port, only source IP in the web access logs.

Simon
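As an added illustration that is not part of the original thread: a sketch of why a report carrying only timestamp and source IP cannot be attributed behind CGNAT, while one that also carries the source port can. The mapping record layout, subscriber labels, addresses and times are all constructed for this example and do not reflect any particular operator's or vendor's log format.

```python
from datetime import datetime, timezone
from typing import NamedTuple

class Mapping(NamedTuple):
    """One CGNAT port-block allocation (constructed layout, not a vendor format)."""
    public_ip: str
    port_lo: int
    port_hi: int
    start: datetime
    end: datetime
    subscriber: str

def ts(s: str) -> datetime:
    """Parse a UTC timestamp of the form 'YYYY-MM-DD HH:MM:SS'."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

# Constructed sample data: several subscribers share 192.0.2.10 via port blocks,
# and one port block is handed to a new subscriber one second after release.
MAPPINGS = [
    Mapping("192.0.2.10", 1024, 5119, ts("2016-09-18 14:00:00"), ts("2016-09-18 16:00:00"), "sub-A"),
    Mapping("192.0.2.10", 5120, 9215, ts("2016-09-18 14:30:00"), ts("2016-09-18 15:30:00"), "sub-B"),
    Mapping("192.0.2.10", 9216, 13311, ts("2016-09-18 15:10:00"), ts("2016-09-18 17:00:00"), "sub-C"),
    Mapping("192.0.2.10", 5120, 9215, ts("2016-09-18 15:30:01"), ts("2016-09-18 18:00:00"), "sub-D"),
]

def candidates(src_ip, when, src_port=None, skew_s=0, mappings=MAPPINGS):
    """Return the sorted subscribers that could have originated the reported flow.

    src_port=None models a report with timestamp and source IP only.
    skew_s widens the time window to allow for clock error at the reporter.
    """
    out = set()
    for m in mappings:
        if m.public_ip != src_ip:
            continue
        lo = m.start.timestamp() - skew_s
        hi = m.end.timestamp() + skew_s
        if not (lo <= when.timestamp() <= hi):
            continue
        if src_port is not None and not (m.port_lo <= src_port <= m.port_hi):
            continue
        out.add(m.subscriber)
    return sorted(out)

if __name__ == "__main__":
    when = ts("2016-09-18 15:15:00")
    print("IP + time only:  ", candidates("192.0.2.10", when))
    print("IP + time + port:", candidates("192.0.2.10", when, src_port=6000))
```

Even with the source port, a report timestamped at a block hand-over needs an accurate clock: allowing 60 seconds of skew at 15:30:00 returns both the outgoing and the incoming holder of the block.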