Hi Max,
thank you for your reply and explanations. Some more comments/
questions inline:
On Sun 03/Jul/2022 23:25:28 +0200 Max Grobecker wrote:
Am 20.06.22 um 18:04 schrieb Alessandro Vesely:
Our abuse mailbox is not overflowing with these, of course, but it
makes semi-automated handling a bit painful. For example, we would
like to forward these information to our customers, but we wont
need to take further action on this, because we refuse to break
into the offices of our customers at night and patch their software.
sorry to bother, but I hardly got that. Are these IP-driven
messages? Don't CERTs lookup the abuse address with RDAP or WHOIS?
The reports we get from CERT-BUND are highly IP focused. I cited one
of these report as an example at the end of this mail.
In general, I think these organizations we get mail from are
downloading the database from RIPE and are using an offline version.
It is very expensive. Do you think they only do European IPs, or do
they have specialized procedures for each RIR?
Perhaps RIPE provides for maintaining remote copies of the database,
but a caching RDAP tool would be more standard compliant.
Why doesn't the abuse address point (in)directly to the relevant IP
user? That is, what's wrong in automatically forwarding CERT's
security notices? I cannot understand how doing so entailS
obligations to reach the customer's premises at night.
If I point the abuse address directly to an address controlled by the
customer, I don't get any notices - regardless of security information
or real abuse.
And I'm interested in the latter one, as I want to stop the abuse, of
course ;-)
Therefore all abuse reports are handled by our internal system to be
automatically escalated to the appropriate internal and external
contacts.
What I'd be curious to know is whether automatic escalation is based
on per-customer abuse addresses or on parsing message contents looking
for IPs.
Per-customer address is something like asn65...@bc.grobecker.info or
ip192.0.2.8/2...@sc.grobecker.info, which can be forwarded to the
relevant (big or small) customer without actually opening the
messages, but still maintaining a copy of them. Doing so requires
more work for maintaining the database, but less work for forwarding
messages.
But for notices like "Oh, we think there might be a vulnerable service
reachable on that IP" we don't want that whole escalation thing.
Also, most of these notices contain a list of addresses, but
sometimes, these lists are not stable parseable because there seems to
be no standardized format.
Reports we receive from CERT-BUND come with a CSV file which we are
able to parse - but in the last months there came several new other
services with their own data formats and I suspect, there will come more.
And the CSVs refer to multiple customers?
If I could "route" these reports directly to the customer, this would
improve reporting speed and keep these away from our regular abuse
desk with escalations and all that stuff.
I understand you don't want your abuse desk to get involved in
checking whether, for example, an open DNS does in fact amplify
queries if it is open. Is that the difference between forward and
escalate?
Using a different field entails the extra burden to educate
organizations like CERT-BUND to use the appropriate reporting address
based on the kind of report.
For RDAP, those addresses could be tagged as less preferred. Some
RIRs do so, leaving the actual meaning a bit obscure, though.
Alternatively, RFC 7483 provides for a "notifications" role, which in
theory applies to an associated object.
Best
Ale
--
--
To unsubscribe from this mailing list, get a password reminder, or change your
subscription options, please visit:
https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
