Automated Network Abuse Reporting
We're a small company but none the less are inundated with firewall logs reporting numerous attempts to find holes in our network; c'est la vie. Seeing as how we are small, we don't have the resources to go through and send emails off to the abuse departments of each network sourcing the probes. Question is: Has there been development of some sort of intelligent unix land app that can understand Cisco syslog output, find the abuse departments of the sourcing networks and send them off a nice little FYI?
try LogDog to act on the syslog data...it sends all syslog log files through a pipe and scans for specific data...then you can email the complete message to anyone. It can have a negative performance impact depending on the number of sustained syslog logs being generated....but I used it on a system receiving syslog logs from over 200 routers and didn't see any issues. Of course syslog-ng can also do this....but I found logdog easier to implement. Not sure how you can automate the abuse email address?? You can specify a perl script from within the logdog conf file that could do a dig on the ip address from the source address...but that's just me thinking out loud. I think you'll find many programs out there that can do this...both commercial and opensource...but you'll need to do some customization. steve On Monday 29 December 2003 09:04 am, Jason Lixfeld wrote:
We're a small company but none the less are inundated with firewall logs reporting numerous attempts to find holes in our network; c'est la vie. Seeing as how we are small, we don't have the resources to go through and send emails off to the abuse departments of each network sourcing the probes. Question is: Has there been development of some sort of intelligent unix land app that can understand Cisco syslog output, find the abuse departments of the sourcing networks and send them off a nice little FYI?
if you automate abuse reporting you can basically assume that the reciver will automate abuse handling. since that has in fact happened as far as i can tell the probably of you automated asbuse replaies ever reaching a human who cares or can do something about it is effecetivly zero. joelja On Mon, 29 Dec 2003, Jason Lixfeld wrote:
We're a small company but none the less are inundated with firewall logs reporting numerous attempts to find holes in our network; c'est la vie. Seeing as how we are small, we don't have the resources to go through and send emails off to the abuse departments of each network sourcing the probes. Question is: Has there been development of some sort of intelligent unix land app that can understand Cisco syslog output, find the abuse departments of the sourcing networks and send them off a nice little FYI?
-- -------------------------------------------------------------------------- Joel Jaeggli Unix Consulting joelja@darkwing.uoregon.edu GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2
When we get something that looks automated, we send back a reply saying "We received this, if you'd like us to take action, please have a human reply." I've been thinking of instead having them send us a cryptographic hash of their message, saying that we MUST have all such notifications validated. I'd give them the URL to some page that would provide the hash, of course. Doug On Mon, 29 Dec 2003, Joel Jaeggli wrote:
if you automate abuse reporting you can basically assume that the reciver will automate abuse handling. since that has in fact happened as far as i can tell the probably of you automated asbuse replaies ever reaching a human who cares or can do something about it is effecetivly zero.
joelja
On Mon, 29 Dec 2003, Jason Lixfeld wrote:
We're a small company but none the less are inundated with firewall logs reporting numerous attempts to find holes in our network; c'est la vie. Seeing as how we are small, we don't have the resources to go through and send emails off to the abuse departments of each network sourcing the probes. Question is: Has there been development of some sort of intelligent unix land app that can understand Cisco syslog output, find the abuse departments of the sourcing networks and send them off a nice little FYI?
-- -------------------------------------------------------------------------- Joel Jaeggli Unix Consulting joelja@darkwing.uoregon.edu GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2
On Monday, December 29, 2003 11:24 AM [GMT-5=EST], Joel Jaeggli <joelja@darkwing.uoregon.edu> wrote:
if you automate abuse reporting you can basically assume that the reciver will automate abuse handling. since that has in fact happened as far as i can tell the probably of you automated asbuse replaies ever reaching a human who cares or can do something about it is effecetivly zero.
Most likely, automated abuse reports will be treated like abuse reports from users with those lovely software firewalls that whine all the time that their ISP's nameserver is trying to hack them on port 53 (IE: thrown in with the rest of the reports in the round filing cabinet on the floor next to the desk). I refused to accept automated abuse reports of probes or similar when I was an ISP netadmin. Portscans/pingscans/etc are not illegal (and I've seen this sucessfully proven in court at least once). They are illegal if you use it to bring down someone's machine though. Basically, if I were you, I'd turn your firewall's sensitivity WAY down and only track events that are obviously attempts to hack. -- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org The AHBL - http://www.ahbl.org
On Mon, Dec 29, 2003 at 08:24:16AM -0800, Joel Jaeggli wrote:
if you automate abuse reporting you can basically assume that the reciver will automate abuse handling. since that has in fact happened as far as i can tell the probably of you automated asbuse replaies ever reaching a human who cares or can do something about it is effecetivly zero.
It's difficult to sort out legitimate complaints for port scanning. Consider that the vast majority of such complaints a provider receieves, particularly automated ones (groan), are just flat out wrong or stupid (or both). For example: "Your web server is hacking my web browser on port 80", or "Why are you probing me with UDP packets on port 53 from this host named NS1...", but usually stated with far more capital letters, misspellings, profanity, and threats to sue or report your web server to the authorities because it dared to respond to their port 80 connection. :) Things only seem to get worse when you actually try to have a halfass team of people respond to these. Usually the victim is someone who gets a syn flood from random sourced addresses, correctly responds with RSTs, and ends up being accused of port scanning due to the backscatter hitting some random military IP address. Anyone with a reasonable amount of experience should be able to look at any of the detailed packet logs and clearly see the very obvious patterns which indicate the differences between legitimate port scans, backscatter, or classic spoofed source syn floods. But they never do, even when they claim to be highly experienced and in positions of power. For many providers, getting a threatening e-mail from a government agency will result in someone being turned off, even if they have done nothing wrong. Recently I saw someone running an online gaming service who experienced this in the other direction. The attacker set his IP as the source, and directly fired off millions of packets to random destinations. Not only was their a direct DoS effect due to all the RST coming in, but over the course of 48 hours he received THOUSANDS of angry calls, many complaints to his provider, and even several death threats. -- Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
I have, according to my ids around 400pps arriving at my home network that don't belong there. if I payed attention to all of it I'd be busy, if I generated abuse reports and fired them off it would generate a lot of noise... random portscans, dos backsplash and worm traffic don't really rise to the level that would make me want to invest my time in trying to identify and deal with the sources. joelja On Mon, 29 Dec 2003, Richard A Steenbergen wrote:
On Mon, Dec 29, 2003 at 08:24:16AM -0800, Joel Jaeggli wrote:
if you automate abuse reporting you can basically assume that the reciver will automate abuse handling. since that has in fact happened as far as i can tell the probably of you automated asbuse replaies ever reaching a human who cares or can do something about it is effecetivly zero.
It's difficult to sort out legitimate complaints for port scanning. Consider that the vast majority of such complaints a provider receieves, particularly automated ones (groan), are just flat out wrong or stupid (or both).
For example: "Your web server is hacking my web browser on port 80", or "Why are you probing me with UDP packets on port 53 from this host named NS1...", but usually stated with far more capital letters, misspellings, profanity, and threats to sue or report your web server to the authorities because it dared to respond to their port 80 connection. :)
Things only seem to get worse when you actually try to have a halfass team of people respond to these. Usually the victim is someone who gets a syn flood from random sourced addresses, correctly responds with RSTs, and ends up being accused of port scanning due to the backscatter hitting some random military IP address. Anyone with a reasonable amount of experience should be able to look at any of the detailed packet logs and clearly see the very obvious patterns which indicate the differences between legitimate port scans, backscatter, or classic spoofed source syn floods. But they never do, even when they claim to be highly experienced and in positions of power. For many providers, getting a threatening e-mail from a government agency will result in someone being turned off, even if they have done nothing wrong.
Recently I saw someone running an online gaming service who experienced this in the other direction. The attacker set his IP as the source, and directly fired off millions of packets to random destinations. Not only was their a direct DoS effect due to all the RST coming in, but over the course of 48 hours he received THOUSANDS of angry calls, many complaints to his provider, and even several death threats.
-- -------------------------------------------------------------------------- Joel Jaeggli Unix Consulting joelja@darkwing.uoregon.edu GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2
Not wanting to be ripped to shreds here, I think it's still worthwhile to alert people to, say, Slammer-infected hosts on their networks. Sure, the good folks are already monitoring their networks for hosts sourcing things like that, and they're also the ones that will know how to deal with automated complaints. The people that don't already monitor their networks will benefit from being alerted. On Mon, Dec 29, 2003 at 12:32:52PM -0500, Richard A Steenbergen wrote:
On Mon, Dec 29, 2003 at 08:24:16AM -0800, Joel Jaeggli wrote:
if you automate abuse reporting you can basically assume that the reciver will automate abuse handling. since that has in fact happened as far as i can tell the probably of you automated asbuse replaies ever reaching a human who cares or can do something about it is effecetivly zero.
It's difficult to sort out legitimate complaints for port scanning. Consider that the vast majority of such complaints a provider receieves, particularly automated ones (groan), are just flat out wrong or stupid (or both).
For example: "Your web server is hacking my web browser on port 80", or "Why are you probing me with UDP packets on port 53 from this host named NS1...", but usually stated with far more capital letters, misspellings, profanity, and threats to sue or report your web server to the authorities because it dared to respond to their port 80 connection. :) ...
[snip] -- medina
Agreed. Take www.dshield.org for instance. They aggregate logs from various sources and send complaints to the upstream provider. This is something that would work for you Jason. Working for an AUP department at an ISP, we gladly accept automated complaints. Sending the complaint downstream for investigation should be standard procedure. Taking action against repeated complaints (differing time stampts of course) after at least one warning should follow. Forwarding the complaint either by email or by phone to your downstream shouldn't be considered a problem. Just don't shoot first and ask questions later. It's a pretty safe bet to say that something is going wrong on a downstream network if you are getting complaints from multiple sources. In fact, reactions seem to be split in 3. The angry ones are the ones we get logs about their PAT address and they freak out because null routing them would effectively shut down their entire network. The indifferent ones are typically used to these problems and rectify the problem, case closed. Finally, we actually get customers giving us kudos because we advised them of a problem on their network. [Mon, Dec 29, 2003 at 12:59:09PM -0500] Daniel Medina Inscribed these words...
Not wanting to be ripped to shreds here, I think it's still worthwhile to alert people to, say, Slammer-infected hosts on their networks.
Sure, the good folks are already monitoring their networks for hosts sourcing things like that, and they're also the ones that will know how to deal with automated complaints. The people that don't already monitor their networks will benefit from being alerted.
On Mon, Dec 29, 2003 at 12:32:52PM -0500, Richard A Steenbergen wrote:
On Mon, Dec 29, 2003 at 08:24:16AM -0800, Joel Jaeggli wrote:
if you automate abuse reporting you can basically assume that the reciver will automate abuse handling. since that has in fact happened as far as i can tell the probably of you automated asbuse replaies ever reaching a human who cares or can do something about it is effecetivly zero.
It's difficult to sort out legitimate complaints for port scanning. Consider that the vast majority of such complaints a provider receieves, particularly automated ones (groan), are just flat out wrong or stupid (or both).
For example: "Your web server is hacking my web browser on port 80", or "Why are you probing me with UDP packets on port 53 from this host named NS1...", but usually stated with far more capital letters, misspellings, profanity, and threats to sue or report your web server to the authorities because it dared to respond to their port 80 connection. :) ...
[snip]
-- medina
-- Stephen (routerg) irc.dks.ca
Jason Lixfeld wrote:
...Has there been development of some sort of intelligent unix land app that can understand Cisco syslog output, find the abuse departments of the sourcing networks and send them off a nice little FYI?
With rare exceptions, I'd say don't bother, even if you do come up with such a thing. I've actually sent off two in the past week, which is my normal total for the month (any month). One was to a machine that was agressively testing identd (and starting to annoy me) on every machine in my netblock (it's little, but it's mine). The other was more interesting. A tool that had been used to attack imap servers earlier this year has apparently been modified to hit FTP instead. The common bond is the user name "lizdy", which is only one of the multiple of names attempted. If you're curious, hit google with the words (lizdy ftp), and you'll come up with a few machines already hit by it. One of the machines that hit was an NT machine in a block that had an actual abuse dept, and I thought the owner would probably want to know. I got a nice response back, and I'd bet that it was probably taken care of. The others were also owned, but out of networks where I know that they just won't care. Pity there's no way to let the owner of the machine know, but that's just life. A "nice little FYI" will just be adding to the brownian motion of the internet as we know it today. On those rare cases where you have the time, and are sure of the target, of course, send something off. Just please don't automate it. Oh, and I no longer have an internet facing FTP server (that tool hits about 200-400 times in less than 5 seconds...really abusive). -- Open source should be about giving away things voluntarily. When you force someone to give you something, it's no longer giving, it's stealing. Persons of leisurely moral growth often confuse giving with taking. -- Larry Wall
participants (9)
-
Brian Bruns
-
Daniel Medina
-
Doug Luce
-
Etaoin Shrdlu
-
Jason Lixfeld
-
Joel Jaeggli
-
Richard A Steenbergen
-
Stephen Miller
-
Stephen Perciballi