I tell ya, what really gets me in a bad mood is when my PIX logs show the same IP address hitting port 80 on 25 different IP's and the time line is 2 seconds start to finish. And then you report it, and it continues after a week every single day. Substitute port 80 here with 1433, 139,135, and on and on.. When a Syslog trap with a NTP sync time base and the entire log is not good enough, I don't know what is.... Yesterday, I got word from a network operator that 50 entries was not sufficient. So I parsed 4 days's worth and sent them over 1200 messages from their block.. have not heard back yet.. With a syslog file, sometimes an IDSLog and a Syslog. Some ISP's either /dev/null all of it, or they can't stop their users or politics stop 'em.. Later, J
-----Original Message----- From: Simon Lyall [mailto:simon.lyall@ihug.co.nz] Sent: Friday, April 04, 2003 5:04 PM To: nanog@merit.edu Subject: Re: Abuse.cc ???
On Thu, 3 Apr 2003, Gerald wrote:
I hate to play devil's advocate here, but I've been on the receiving end of the abuse@ complaints that became unmanagable. The bulk of them consisting of:
"Your user at x.x.x.x attacked me!" (And this is sometimes the nameserver:53 or mailserver:113)
We added this to the auto-reply of our abuse@ address:
--- cut - here ----
For complaints of port scanning or supposed hacking attempts, complete logs of the abuse are required. At a minimum, a log of abuse contains the time (including time zone) it happened, the hosts/ips involved and the ports involved.
Please note that we received a large number of false complaints from people using personal firewall programs regarding port scanning. If you are submitting a complaint based on the logs from one of these programs we highly suggest you to read the following:
http://www.samspade.org/d/persfire.html AND http://www.samspade.org/d/firewalls.html
--- cut - here ----
The abuse guys concentrate on spam reports, open-relay reports and sometimes port scanning reports from proper admins (these are easy to spot). Junk from dshield.org and the like is pushed to the bottom of the priority list. There are just too many random packets flying about for the personal firewall reports to be useful.
The other problem is it's hard to act against a client based on one packet received by some person on the other side of the world running a program they don't understand. At least with spam reports you'll get several independant reports with full headers and if they use our servers we'll even have our own logs.
-- Simon Lyall. | Newsmaster | Work: simon.lyall@ihug.co.nz Senior Network/System Admin | Postmaster | Home: simon@darkmere.gen.nz Ihug Ltd, Auckland, NZ | Asst Doorman | Web: http://www.darkmere.gen.nz