You don't have to dedicate a lot of resources to it. I don't envision a body scrolling through logs looking for bad things, then handwriting a strongly worded letter.
Likewise, I'd also assume a network (whether first mile or last mile) has some kind of alerting rate limit for things. If you're seeing 1k pps going to port 25 coming from one of your customers (and they aren't Microsoft, Google, MailGun, etc.), you probably ought to open a ticket with them and handle it appropriately, blocking if they're uncooperative. Adjust and expand to appropriate ports and rates. Now, if you're not managing those things and someone on the Internet notices your lack of management, then you deserve to receive abuse reports and shame. ----- Mike Hammett Intelligent Computing Solutions Midwest Internet Exchange The Brothers WISP ----- Original Message ----- From: "Tom Beecher" <[email protected]> To: "North American Network Operators Group" <[email protected]> Cc: "Josh Luthman" <[email protected]>, "Mike Hammett" <[email protected]> Sent: Thursday, September 4, 2025 9:02:50 AM Subject: Re: Paging Unified Layer/AS46606 in re: NET-162-240-0-0-1 (162.240.0.0/15) Internet background radiation has existed since the day it was turned on. It will only ever increase. It's part of the price of admission when you connect to the internet at large. While annoying, playing whack a mole with every burst of stupid in logs is the absolute definition of trying to empty the ocean with a spoon. It's probably wise to focus that time on the bigger things. On Thu, Sep 4, 2025 at 9:45 AM Mike Hammett via NANOG < [email protected] > wrote: Until it isn't. ----- Mike Hammett Intelligent Computing Solutions Midwest Internet Exchange The Brothers WISP ----- Original Message ----- From: "Josh Luthman" < [email protected] > To: "North American Network Operators Group" < [email protected] > Cc: "Mike Hammett" < [email protected] > Sent: Thursday, September 4, 2025 8:43:37 AM Subject: Re: Paging Unified Layer/AS46606 in re: NET-162-240-0-0-1 ( 162.240.0.0/15 ) Why bother putting out the small fire? It's only a small fire. On Thu, Sep 4, 2025 at 9:40 AM Mike Hammett via NANOG < [email protected] > wrote: and yet just being okay with background radiation only encourages the background radiation to no longer just lurk in the background. ----- Mike Hammett Intelligent Computing Solutions Midwest Internet Exchange The Brothers WISP ----- Original Message ----- From: "nanog--- via NANOG" < [email protected] > To: "North American Network Operators Group" < [email protected] > Cc: [email protected] Sent: Thursday, September 4, 2025 3:05:55 AM Subject: Re: Paging Unified Layer/AS46606 in re: NET-162-240-0-0-1 ( 162.240.0.0/15 ) Who even bothers to complain about internet background radiation? Unless you're seeing a high volume or you know you have weak passwords... Otherwise there are plenty of machines out there searching for default SSH passwords. Just ignore them if they don't affect you. Many people configure SSH to run on a non-default port number to cut down on background noise. Or you can filter IPs as already suggested. Or you can know that you're using a strong authentication method and you're patched for CVE-2024-6387/6409, and leave it be. Please note that reporting abuse for non-incidents is itself an attack. There was an attack last year where someone sent spoofed port 22 SYN packets from IP addresses of Tor relays, resulting in a flood of trigger-happy "security" companies writing abuse emails to hosts of Tor relays who weren't involved, risking taking down large parts of the Tor network. On 4 September 2025 03:16:17 CEST, Rich Kulawiec via NANOG < [email protected] > wrote: >Who puts a quota on an abuse mailbox...and then allows that quote to >be reached? > >> Date: Tue, 2 Sep 2025 12:38:24 +0000 >> >> Delivery has failed to these recipients or groups: >> >> [email protected] <mailto: [email protected] > >> The recipient's mailbox is full and can't accept messages now. Please try r= >> esending your message later, or contact the recipient directly. > >I've got nothin': my usual string of exasperated profanities has failed me. > >Anyway, y'all have attackers using various VPS instances on your network >to conduct coordinated brute-force ssh attacks, and you should make that >stop yesterday. > >Details? Logs? Yes, yes, I know, I did try to send them to you -- but >see the above for the explanation covering why you didn't receive them. > >Also: for the love of dog, fix this nonsense. > >---rsk >_______________________________________________ >NANOG mailing list > https://lists.nanog.org/archives/list/[email protected]/message/6CFCYFIP5FHUL4PBZQNOUV2SW6DNK44U/ > _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/[email protected]/message/A2ZFPUI7XEE4YHM7QJ433TWBRCLMYAYA/ _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/[email protected]/message/ZDCAEF7Z72EHJC3QWNFHTAPTIZ76VF6O/ _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/[email protected]/message/RQS3GC62R2VMDBG74NUUNN3SQVBXMIYD/ _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/[email protected]/message/OCQMACFBG3EPAHUGFM7LPYY7VAEP2PLB/
