I tell ya, what really gets me in a bad mood is when my PIX logs show the same IP address hitting port 80 on 25 different IPs and the timeline is 2 seconds start to finish. And then you report it, and it continues after a week, every single day. Substitute port 80 here with 1433, 139, 135, and on and on.. When a syslog trap with an NTP-synced time base and the entire log is not good enough, I don't know what is....

Yesterday, I got word from a network operator that 50 entries was not sufficient. So I parsed 4 days' worth and sent them over 1200 messages from their block.. have not heard back yet..

With a syslog file, sometimes an IDS log and a syslog.

Some ISPs either /dev/null all of it, or they can't stop their users, or politics stop 'em..

Later,
J

-----Original Message-----
From: Simon Lyall [mailto:simon.lyall@ihug.co.nz]
Sent: Friday, April 04, 2003 5:04 PM
To: nanog@merit.edu
Subject: Re: Abuse.cc ???
On Thu, 3 Apr 2003, Gerald wrote:
I hate to play devil's advocate here, but I've been on the receiving end of the abuse@ complaints that became unmanageable. The bulk of them consisting of:
"Your user at x.x.x.x attacked me!" (And this is sometimes the nameserver:53 or mailserver:113)
We added this to the auto-reply of our abuse@ address:
--- cut - here ----
For complaints of port scanning or supposed hacking attempts, complete logs of the abuse are required. At a minimum, a log of abuse contains the time (including time zone) it happened, the hosts/ips involved and the ports involved.
Please note that we received a large number of false complaints from people using personal firewall programs regarding port scanning. If you are submitting a complaint based on the logs from one of these programs we highly suggest you to read the following:
http://www.samspade.org/d/persfire.html AND http://www.samspade.org/d/firewalls.html
--- cut - here ----
The abuse guys concentrate on spam reports, open-relay reports and sometimes port scanning reports from proper admins (these are easy to spot). Junk from dshield.org and the like is pushed to the bottom of the priority list. There are just too many random packets flying about for the personal firewall reports to be useful.
The other problem is it's hard to act against a client based on one packet received by some person on the other side of the world running a program they don't understand. At least with spam reports you'll get several independent reports with full headers, and if they use our servers we'll even have our own logs.

--
Simon Lyall.                |  Newsmaster  | Work: simon.lyall@ihug.co.nz
Senior Network/System Admin |  Postmaster  | Home: simon@darkmere.gen.nz
Ihug Ltd, Auckland, NZ      | Asst Doorman | Web: http://www.darkmere.gen.nz
On Fri, 4 Apr 2003, McBurnett, Jim wrote:
> Yesterday, I got word from a network operator that 50 entries was not sufficient. So I parsed 4 days' worth and sent them over 1200 messages from their block.. have not heard back yet..

I love the operators who deny the IP block belongs to them, so you send them back a whois with the appropriate bits underlined. This happens a *lot* with tier 1s, who really should know better.

> Some ISPs either /dev/null all of it, or they can't stop their users, or politics stop 'em..

With a lot of providers the official policy is to let the user do whatever they want as long as the check doesn't bounce and as long as a police officer doesn't arrive on the doorstep with a subpoena. But boy do they make a stink when people blackhole them!

-Dan
--
[-] Omae no subete no kichi wa ore no mono da. [-]
McBurnett, Jim wrote:
> I tell ya, what really gets me in a bad mood is when my PIX logs show the same IP address hitting port 80 on 25 different IPs and the timeline is 2 seconds start to finish.

> Yesterday, I got word from a network operator that 50 entries was not sufficient. So I parsed 4 days' worth and sent them over 1200 messages from their block.. have not heard back yet..

Well, if you find out, let me know. On Apr 2 we had (among others): 101233 hits on 445 from 203 sources, 43465 hits on 139 from 218 sources, 14399 hits on 80 from 1922 sources, 12106 hits on 21 from 6 sources, etc. And we would barely qualify as a "small" operation... Then we have the nutcases that scan a dozen or so proxy ports per host on a /17 netblock (APNIC source space, usually). Unless it's a DoS and in the millions, I wonder how many outfits still give a flying fornication at a cyclically motivated glazed pastry anymore.

Jeff
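An added example, not code from anyone in this thread, to make concrete the log sifting Jim and Jeff describe above: a Python script that parses PIX 106023 deny lines, flags a source that hits one port on 25 distinct hosts inside 2 seconds (Jim's pattern), tallies hits and distinct sources per destination port (the shape of Jeff's figures), and emits per-packet report lines carrying a zone-qualified timestamp, both addresses and both ports (the minimum Simon's auto-reply asks for). The log lines are constructed, not a real capture; the -05:00 firewall clock zone, the 106023 message layout with a "logging timestamp" prefix, and the 25-host/2-second threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed zone of the firewall clock (the thread's headers are -0500); PIX
# syslog timestamps carry no zone of their own, so it must be supplied.
PIX_TZ = timezone(timedelta(hours=-5))

# Fields of a %PIX-4-106023 deny line prefixed by "logging timestamp" output.
DENY_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-\d-106023: "
    r"Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def constructed_sample_log():
    """Constructed sample, not a real capture: one host sweeps port 80 on 25
    addresses inside two seconds, plus low-rate noise and one non-deny line."""
    fmt = ('Apr 04 2003 22:{m:02d}:{s:02d}: %PIX-4-106023: Deny tcp src outside:{src}/{sp} '
           'dst inside:{dst}/{dp} by access-group "outside_in"')
    lines = [fmt.format(m=51, s=1 + i // 13, src="192.0.2.10", sp=4000 + i,
                        dst=f"198.51.100.{i + 1}", dp=80) for i in range(25)]
    lines += [fmt.format(m=40 + 5 * k, s=0, src="192.0.2.77", sp=3300 + k,
                         dst=f"198.51.100.{5 + k}", dp=1433) for k in range(3)]
    lines.append(fmt.format(m=30, s=0, src="192.0.2.88", sp=2001, dst="198.51.100.3", dp=80))
    lines.append("Apr 04 2003 22:30:05: %PIX-6-302013: Built outbound TCP connection 12 "
                 "for outside:192.0.2.50/25 (192.0.2.50/25) to inside:198.51.100.9/1025 "
                 "(198.51.100.9/1025)")
    return "\n".join(lines)


def parse_pix_deny(line):
    """Return the fields of a 106023 deny line, or None for any other line."""
    m = DENY_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S").replace(tzinfo=PIX_TZ)
    return {"ts": ts, "proto": m["proto"], "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"])}


def parse_log(text):
    """All deny events in the log, oldest first (stable, so log order survives ties)."""
    events = [e for e in (parse_pix_deny(l) for l in text.splitlines()) if e]
    return sorted(events, key=lambda e: e["ts"])


def find_horizontal_scans(events, min_targets=25, window=timedelta(seconds=2)):
    """(src, dport, n_targets, first, last) for every source that hit one port on
    at least min_targets distinct hosts within `window` (sliding two-pointer)."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["src"], e["dport"])].append(e)
    hits = []
    for (src, dport), evs in by_key.items():
        j = 0
        for i in range(len(evs)):
            while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= window:
                j += 1
            targets = {e["dst"] for e in evs[i:j]}
            if len(targets) >= min_targets:
                hits.append((src, dport, len(targets), evs[i]["ts"], evs[j - 1]["ts"]))
                break  # one report per source/port pair is enough
    return hits


def summarize_by_port(events):
    """Per destination port: (total hits, distinct source addresses)."""
    hits, sources = defaultdict(int), defaultdict(set)
    for e in events:
        hits[e["dport"]] += 1
        sources[e["dport"]].add(e["src"])
    return {p: (hits[p], len(sources[p])) for p in hits}


def format_abuse_report(events, src_ip):
    """One line per denied packet from src_ip: zone-qualified time, both
    addresses and both ports, the minimum an abuse desk can act on."""
    return [f"{e['ts'].isoformat()} {e['proto']} {e['src']}:{e['sport']} -> "
            f"{e['dst']}:{e['dport']} denied"
            for e in events if e["src"] == src_ip]


if __name__ == "__main__":
    evs = parse_log(constructed_sample_log())
    for src, port, n, first, last in find_horizontal_scans(evs):
        print(f"{src} swept port {port} on {n} hosts between {first.isoformat()} "
              f"and {last.isoformat()}")
    for port, (n, srcs) in sorted(summarize_by_port(evs).items()):
        print(f"port {port}: {n} hits from {srcs} sources")
    print("\n".join(format_abuse_report(evs, "192.0.2.10")))
```

Feed it a real PIX syslog file (after checking that your "logging timestamp" layout matches DENY_RE) and the report lines are what gets pasted into the abuse ticket; the per-port summary is what you quote when a desk says "50 entries is not sufficient".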
On Fri, Apr 04, 2003 at 10:51:27PM -0500, McBurnett, Jim wrote:
> I tell ya, what really gets me in a bad mood is when my PIX logs show the same IP address hitting port 80 on 25 different IPs and the timeline is 2 seconds start to finish. And then you report it, and it continues after a week, every single day. Substitute port 80 here with 1433, 139, 135, and on and on.. When a syslog trap with an NTP-synced time base and the entire log is not good enough, I don't know what is.... Yesterday, I got word from a network operator that 50 entries was not sufficient. So I parsed 4 days' worth and sent them over 1200 messages from their block.. have not heard back yet..

How was this traffic causing harm to your network? I'd rather have them dealing with people actively breaking into systems, DoS'ing, etc. than terminating some customer who's probably infected with the latest Microsoft worm.

> Later,
> J

--
Matthew S. Hallacy                            FUBAR, LART, BOFH Certified
http://www.poptix.net                           GPG public key 0x01938203
Matthew S. Hallacy wrote:
> How was this traffic causing harm to your network? I'd rather have them dealing with people actively breaking into systems, DoS'ing, etc. than terminating some customer who's probably infected with the latest Microsoft worm.

Worm control is important. If we let them run rampant, then they will build up to a critical mass and become DoS quality. One of my transit customers was ignoring the worm reports I was sending him. Interestingly enough, he DoS'd his own routers, as several of the people infected were behind NAT generating 11,000 connections in less than a minute. Ever seen a C3640 with 11,000 NAT translations?

In this case, it's a customer that didn't have high-end equipment. If he'd had high-end equipment, then others would suffer the performance hit, not to mention extra noise making it harder to detect purposeful scans and attacks. Some worms, like Code Red, cause a DoS on web-enabled equipment as well. The F variant, for example, will shut down Net2Net DSLAMs, some Cisco equipment, and I'm sure a lot of other things.

-Jack