Re: [anti-abuse-wg] Sources of Abuse Contact Info For Abuse Handlers

[Richard Clayton]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

In message <201511181701.30630.markus.debr...@bsi.bund.de>, de =?utf-
8?q?Br=C3=BCn?=, Markus  writes

>A few remarks:
>Sources like TI or FIRST are useful if you are looking for national CERT 
>contacts. If you want to report an issue to network operators or hosting 
>providers directly, you have to use Whois information.

nope ... you could use their websites

Many hosting providers have webforms, which if used result in rapid
takedown. Indeed for many hosting companies this is pretty much the only
way of achieving rapid takedown.

I understand that the purpose of the document is to explain the issues
around "let's get hold of the abuse@ folk" but it would be considerably
more valuable if it either indicated that this was just one strategy for
dealing with abuse or at least pointed at other material that set out
the context.

The document provides the example such as "Incident reporter finds a
hacked webpage" and says

"Naturally, she will try to contact the domain owner (name-based
resource lookup) - the admin-c and possibly also the tech-c."

in practice people do indeed contact all three of these, and that can
cause significant delay as each assumes someone else has dealt with it;
and as above it may well be better to just type www.hostingcompany.tld
and click on the "report abuse" link.

My suggestion for the document would be to entirely remove what material
there is on why one might be searching for an abuse contact (since it is
inadequate and unhelpful) and leave just the substantive information
(these are the databases, this is what they contain, this is how they
are maintained).

Bottom line for me is that the problem statement says

Given the domain www.example.com, what is the best contact for
sending IT security incident notifications to?

and nothing in the rest of the document tackles the notion of "best"

So I'd commend removing sections 4 and 5 altogether.

- -- 
Dr Richard Clayton   
Director, Cambridge Cloud Cybercrime Centre  mobile: +44 (0)7887 794090
Computer Laboratory, University of Cambridge, CB3 0FD   tel: +44 (0)1223 763570


-BEGIN PGP SIGNATURE-
Version: PGPsdk version 1.7.1

iQA/AwUBVk29jOINNVchEYfiEQLL9ACfQIhpmr8Doa2YUVAvf+kIT2pK8IAAoPFM
OEwLI5XKS2mU+CDpjABG0FWY
=fpnQ
-END PGP SIGNATURE-

Re: [anti-abuse-wg] Sources of Abuse Contact Info For Abuse Handlers

[Richard Clayton]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

In message <5649f74a.70...@heanet.ie>, Brian Nisbet
 writes

>At this point we would like to invite any final comments from the WG (a 
>last call of sorts) before it is published. Ideally these comments would 
>be great before the WG Session at 11:00 EET on Thursday 19th November, 
>but definitely before the end of this week.

I am concerned about the section on Geolocation -- not least because
Geolocation doesn't work all that well, especially when abuse is
occurring and the bad guys are seeking to confuse.

The section starts:

As discussed in the section "General remarks on abuse contact
lookups", some incident reports should simply go to the national
CERT. For this task, it is important to find the country code of an
IP address or a domain.

There is no further discussion of domains ... many of which don't have a
"country code" and indeed many country codes are not operated by the
relevant country (albeit if such a country had a CERT I expect they'd be
happy to take the report and would have good contacts with the relevant
people who could actually take action).

So why mention domains at all ?

Mapping IP addresses to a country and an AS works well most of the time,
but the lack of any security in BGP means that the data one obtains from
the RIRs or indeed from the "global routing table" [why is Team Cymru
mentioned and not stat.ripe.net ??] requires careful interpretation.

The suggestion of running your own copy of Quagga is a wise one, not
least because an important way of dealing with abuse when an abuse
contact cannot be found or does not respond is to deal with the company
that is providing connectivity to the dubious block of IPs -- the
routing table gives an indication (often, but not invariably, a correct
indication) who that might be

... but now we're straying into advice as to how to deal with abuse
rather than information about datasets...  the change required to the
document is a "known issues" statement about Geolocation (perhaps
shorter than this):

Maxmind -- deductions are made from other datasets and assumptions are
made that delegating a block of address space to a company in country X
means that the address space is in use in country X

Team Cymru -- this is also derived data. For country it is assumes
entire blocks are in a single country. For ASs it reports the BGP data
that Team Cymru is aware of.

Quagga -- data can require careful interpretation because of the lack of
security in BGP generally

- -- 
Dr Richard Clayton   
Director, Cambridge Cloud Cybercrime Centre  mobile: +44 (0)7887 794090
Computer Laboratory, University of Cambridge, CB3 0FD   tel: +44 (0)1223 763570


-BEGIN PGP SIGNATURE-
Version: PGPsdk version 1.7.1

iQA/AwUBVk3Bs+INNVchEYfiEQKc3ACfT7LuERV/DOfsjszwGzTqK51xgxoAoKLh
avq/5iqVytoYHxzei2/8b9tg
=qysj
-END PGP SIGNATURE-