Re: Automatic abuse reports

2013-11-13 Thread goemon

On Wed, 13 Nov 2013, Sam Moats wrote:
> The only thing I can think of is that they are making the decisions about how
> important their abuse desk is based solely on the cost of running that desk.
> They are seeing it as a cost center and not thinking about its long-term
> benefit to the entire network. I can't think of a way to remove the incentive
> for this short-term thinking.


Spam needs to become a financial liability rather than a lucrative revenue 
stream. That's the only way this is going to change.


-Dan



Re: Automatic abuse reports

2013-11-13 Thread Sam Moats
Don't have access to a normal PC right now but I agreed with this 
approach so much that I'm typing a response on a 10 button pad.

Sam

On 2013-11-13 21:33, Jimmy Hess wrote:

> On Wed, Nov 13, 2013 at 3:46 AM, Sam Moats wrote:
>
>> about its long-term benefit to the entire network. I can't think of a
>> way to remove the incentive for this short-term thinking.
>
> The end users can, by inquiring about the abuse desk, before
> agreeing to sign up for service.
>
> In this manner "Not having a good abuse desk" becomes a cost
> center, in the form of suppressed opportunities for future revenue.
>
> Federal entities, etc., when soliciting for proposals from ISPs and
> service providers, in addition to the "Must have IPv6 support",
> could add a line "Must have a highly-responsive abuse desk/abuse
> contact; with 4 professional references from email or network
> operators in the industry who have worked with the abuse desk";
> must aggregate and report matters of potential abuse or complaints
> regarding subscribers' outgoing mail or IP traffic within 3 hours
> on average, during business hours and within 5 hours 24x7 ...
> etc...
>
> --
> -JH






Re: Automatic abuse reports

2013-11-13 Thread Jimmy Hess
On Wed, Nov 13, 2013 at 3:46 AM, Sam Moats  wrote:


> about its long-term benefit to the entire network. I can't think of a way
> to remove the incentive for this short-term thinking.
>

The end users can, by inquiring about the abuse desk, before agreeing to
sign up for service.

In this manner "Not having a good abuse desk" becomes a cost center, in
the form of suppressed opportunities for future revenue.

Federal entities, etc., when soliciting for proposals from ISPs and service
providers, in addition to the "Must have IPv6 support", could add a line
"Must have a highly-responsive abuse desk/abuse contact; with 4
professional references from email or network operators in the industry
who have worked with the abuse desk"; must aggregate and report matters of
potential abuse or complaints regarding subscribers' outgoing mail or IP
traffic within 3 hours on average, during business hours and within 5
hours 24x7 ... etc...


--
-JH


Re: Automatic abuse reports

2013-11-13 Thread Curtis, Bruce

On Nov 12, 2013, at 3:58 PM, Jonas Björklund  wrote:

> Hello,
> 
> We often get abuse reports on hosts that have been involved in DDOS attacks.
> We contact the owner of the host to help them fix the problem.
> 
> I also would like to start sending these abuse reports to the ISP of the source.
> 
> Are there any available tools for this? Is there any plugin for nfsen?
> 
> Do I need to write my own scripts for this?
> 
> /Jonas

You could send the info to DSHIELD. Then they might notify the ISP if you
enabled “Fightback”.

http://dshield.org/howto.html

http://dshield.org/fightback.html

---
Bruce Curtis                         bruce.cur...@ndsu.edu
Certified NetAnalyst II              701-231-8527
North Dakota State University




Re: Automatic abuse reports

2013-11-13 Thread Sam Moats
There are good guys out there :-), and some are gorilla-sized; that's why
I obfuscated the names in my response. No offense intended to the good
ones.

Sam Moats

On 2013-11-13 05:48, Paul Bennett wrote:

> I can't speak directly for them, as I'm not an official company
> spokesperson, but this conversation has got my dander up enough that I
> can't keep my big mouth shut.
>
> I know of at least one 500 pound gorilla (with zillions of retail
> customers, and their share of 500 pound gorillas as customers (and
> everything in between)) that has a working and effective abuse@
> address, one that can and does aggregate and pass on abuse complaints,
> and that can and does suspend service over failure to fix. On
> occasion, I understand even significant customers have been not just
> suspended but terminated over failure to follow the ToS/AUP.
>
> The company in question accepts abuse complaints in ARF, MARF, X-ARF
> and IODEF format, among others, and (I cannot emphasize this enough)
> does act on them.
>
> Anyone who suggests roundfiling abuse@ complaints is (IMNSHO) actively
> working to make the problem worse, not better. Anyone who thinks that
> all networks do roundfile abuse@ complaints would seem to be making an
> over-generalization.
>
> Note, once again, that these are my opinions, and not my employers',
> so much so that I can't even tell you directly who my employer is. Not
> that it's hard to find out, but I'm so very much not speaking in an
> official capacity here.
>
> --
> Paul





Re: Automatic abuse reports

2013-11-13 Thread Paul Bennett
I can't speak directly for them, as I'm not an official company
spokesperson, but this conversation has got my dander up enough that I
can't keep my big mouth shut.

I know of at least one 500 pound gorilla (with zillions of retail
customers, and their share of 500 pound gorillas as customers (and
everything in between)) that has a working and effective abuse@
address, one that can and does aggregate and pass on abuse complaints,
and that can and does suspend service over failure to fix. On
occasion, I understand even significant customers have been not just
suspended but terminated over failure to follow the ToS/AUP.

The company in question accepts abuse complaints in ARF, MARF, X-ARF
and IODEF format, among others, and (I cannot emphasize this enough)
does act on them.

Anyone who suggests roundfiling abuse@ complaints is (IMNSHO) actively
working to make the problem worse, not better. Anyone who thinks that
all networks do roundfile abuse@ complaints would seem to be making an
over-generalization.

Note, once again, that these are my opinions, and not my employers',
so much so that I can't even tell you directly who my employer is. Not
that it's hard to find out, but I'm so very much not speaking in an
official capacity here.


--
Paul



Re: Automatic abuse reports

2013-11-13 Thread Sam Moats
I expect this from the doofus in $pain_in_the_butt_county but I am
surprised when I see this behavior from large companies and I really
don't understand it. Having a working abuse/response system is beneficial
to us all including the gorillas. There is a cost to us if we're spending
expensive engineering time and network resources to deal with the traffic.
Also there is an intangible effect on our customers' opinion of our service.

The only thing I can think of is that they are making the decisions
about how important their abuse desk is based solely on the cost of
running that desk. They are seeing it as a cost center and not thinking
about its long-term benefit to the entire network. I can't think of a
way to remove the incentive for this short-term thinking.

If I were the big cheese of the internet?

1. Transit providers would properly implement RFC 2827 filtering facing
their downstream single-homed customers. If you only connect to me and I
send you x.x.x.0/24 down your T1 I shouldn't be getting y.y.y.0 traffic
from you. This is easy to do.

2. Tier 1 backbone providers should be willing to de-peer non-responsive
global networks. I've lost faith in regulations to actually curb the flow
but the tier 1 providers may have the leverage to encourage good behavior.
For example if $pain_in_the_butt telco in $pain_in_the_butt country has
to start paying for transit to get to $big_tier_1 then maybe they would
clean up their act. The problem with this is I can't think of a financial
way to get buy-in for this idea from the business types in these companies.

3. There needs to be more responsible network citizenship among the
providers large enough to have an AS number. It's harder to do ingress
filtering if your customers are running BGP; I can see reasonable cases
where a customer might throw traffic at me from source addresses that I
didn't expect. At this point you should require your customers to police
their internal network and be willing to give up on their revenue if they
refuse to do so. Perhaps requiring a 24 hour human response to abuse@
emails as a condition of having an AS from an RIR or as a requirement for
turning up a BGP connection? We expect a good NOC for a peer but care less
about a customer in most cases.

4. Large eyeball networks would see the value in protecting their own
people and would implement RFC 2827 as close to their customers as
possible. The sooner you can drop that packet on the floor the better. The
giant zombie bot armies are a pain to them too.

That's all I can think of at 4am, I bet you can see why nobody would
ever appoint me big cheese of the internet.


Sam Moats


On 2013-11-13 00:57, Hal Murray wrote:

> William Herrin said:
>> That's the main problem: you can generate the report but if it's about
>> some doofus in Dubai what are the odds of it doing any good?
>
> It's much worse than that.
>
> Several 500 pound gorillas expect you to jump through various hoops to
> report abuse.  Have you tried reporting a drop box to Yahoo or Google
> lately?
>
> On top of that, many outfits big enough to own a CIDR block are
> outsourcing their mail to Google.  Google has a good spam filter.  It's
> good enough to reject spam reports to abuse@
>
> I wonder what would happen if RIRs required working abuse mailboxes.
> There are two levels of "working".  The first is doesn't bounce or get
> rejected with a sensible reason.  The second is actually gets acted upon.
>
> If you were magically appointed big-shot in charge of everything, how
> long would you let an ISP host a spammer's web site or DNS server or
> ...?  What about retail ISPs with zillions of zombied systems?



Re: Automatic abuse reports

2013-11-12 Thread Hal Murray
William Herrin  said:
> That's the main problem: you can generate the report but if it's about
> some doofus in Dubai what are the odds of it doing any good?

It's much worse than that.

Several 500 pound gorillas expect you to jump through various hoops to report 
abuse.  Have you tried reporting a drop box to Yahoo or Google lately?

On top of that, many outfits big enough to own a CIDR block are outsourcing 
their mail to Google.  Google has a good spam filter.  It's good enough to 
reject spam reports to abuse@

I wonder what would happen if RIRs required working abuse mailboxes.  There 
are two levels of "working".  The first is doesn't bounce or get rejected 
with a sensible reason.  The second is actually gets acted upon.

If you were magically appointed big-shot in charge of everything, how long 
would you let an ISP host a spammer's web site or DNS server or ...?  What 
about retail ISPs with zillions of zombied systems?


-- 
These are my opinions.  I hate spam.






Re: Automatic abuse reports

2013-11-12 Thread joel jaeggli

On Nov 12, 2013, at 9:16 PM, Brandon Galbraith wrote:

> On Tue, Nov 12, 2013 at 10:03 PM, William Herrin  wrote:
>>> Now it would be trivial to setup syslog and sshd to give only the sessions
>>> that complete the handshake, however I'm also not sure how responsive some
>>> of the abuse contacts may be. I'll keep my restrictive network settings for
>>> the time being.
>> 
>> That's the main problem: you can generate the report but if it's about
>> some doofus in Dubai what are the odds of it doing any good?
> 
> And then we're right back to sending the offending packets to a black
> hole. *sigh*
> 

a packet that you can drop quickly is a packet you don’t have to think about.





Re: Automatic abuse reports

2013-11-12 Thread Brandon Galbraith
On Tue, Nov 12, 2013 at 10:03 PM, William Herrin  wrote:
>> Now it would be trivial to setup syslog and sshd to give only the sessions
>> that complete the handshake, however I'm also not sure how responsive some
>> of the abuse contacts may be. I'll keep my restrictive network settings for
>> the time being.
>
> That's the main problem: you can generate the report but if it's about
> some doofus in Dubai what are the odds of it doing any good?

And then we're right back to sending the offending packets to a black
hole. *sigh*



Re: Automatic abuse reports

2013-11-12 Thread William Herrin
On Tue, Nov 12, 2013 at 9:07 PM, Sam Moats  wrote:
> That said, the original poster was
> focused on a DOS event; to do that you really don't need the full handshake.

Point. Though not all DDOSes are created equal. The simple packet
flood is, as likely as not, from forged addresses. But I've also seen
DDOSes which make repeated HTTP GET requests. That's tough to do
without control of the source address.


> Now it would be trivial to setup syslog and sshd to give only the sessions
> that complete the handshake, however I'm also not sure how responsive some
> of the abuse contacts may be. I'll keep my restrictive network settings for
> the time being.

That's the main problem: you can generate the report but if it's about
some doofus in Dubai what are the odds of it doing any good?

Regards,
Bill Herrin



-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: 
Falls Church, VA 22042-3004



Re: Automatic abuse reports

2013-11-12 Thread Sam Moats
You're right, they wouldn't get all of the way through. The three-way
handshake is great against blind spoofing attacks. That said, the
original poster was focused on a DOS event; to do that you really don't
need the full handshake.


I'm not sure if the end goal of whomever we were dealing with was to
DOS us or if it was some screwed up half-open syn scans, or my personal
guess is it was to generate enough bogus log traffic to hide which
connections were legitimate threats. Either way enough inbound SYN
connections on port 22 would tip over the servers; this was LONG ago,
circa 97~99, so the traffic we saw was an effective DOS.


We had inetd calling ssh and also telnet (change comes slowly and
crypto was painful to implement for us at the time). In our setup inetd
decided to log the sessions, both ssh and telnet, as soon as the daemon
was called. So even if we didn't do the full session setup the machine
would still log an event for each tcp session.


In hindsight we could have cleaned it up so that it wouldn't log before 
completing the handshake or tweaked the perl script to filter them out 
but I was a newbie at that point and placing ACLs in my border router to 
drop inbound ssh traffic that didn't come from netblocks I expected and 
moving off of the default port were the easiest solutions at the time.


Now it would be trivial to setup syslog and sshd to give only the 
sessions that complete the handshake, however I'm also not sure how 
responsive some of the abuse contacts may be. I'll keep my restrictive 
network settings for the time being.


Sam Moats


On 2013-11-12 20:43, William Herrin wrote:

> On Tue, Nov 12, 2013 at 4:52 PM, Sam Moats wrote:
>> We used to use a small perl script called tattle that would parse out the
>> /var/log/secure on our *nix boxes, isolate the inbound ssh exploits, look up
>> the proper abuse contacts and report them. I haven't seen anything similar
>> in years but it would be interesting to do more than null route IPs.
>>
>> The problem we had with the automated reporting was dealing with spoofed
>> sources, we see lots of traffic that is obviously hostile but unless it
>> becomes serious enough to impact performance we rarely report it. An
>> automated system didn't seem to fit anymore due to false positives.
>
> Hi Sam,
>
> Out of curiosity -- how does one get a false positive on an ssh
> exploit attempt? Does the origin IP not have to complete a 3-way
> handshake before it can attempt an exploit?
>
> Regards,
> Bill Herrin




Re: Automatic abuse reports

2013-11-12 Thread William Herrin
On Tue, Nov 12, 2013 at 4:52 PM, Sam Moats  wrote:
> We used to use a small perl script called tattle that would parse out the
> /var/log/secure on our *nix boxes, isolate the inbound ssh exploits, lookup
> the proper abuse contacts and report them. I haven't seen anything similar
> in years but it would be interesting to do more than null route IPs.
>
> The problem we had with the automated reporting was dealing with spoofed
> sources, we see lots of traffic that is obviously hostile but unless it
> becomes serious enough to impact performance we rarely report it. An
> automated system didn't seem to fit anymore due to false positives.

Hi Sam,

Out of curiosity -- how does one get a false positive on an ssh
exploit attempt? Does the origin IP not have to complete a 3-way
handshake before it can attempt an exploit?

Regards,
Bill Herrin


-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: 
Falls Church, VA 22042-3004



Re: Automatic abuse reports

2013-11-12 Thread Randy Bush
> I also would like to start sending these abuse reports to the ISP of the
> source.

good idea.  we all need more entries in our .procmailrcs

randy



Re: Automatic abuse reports

2013-11-12 Thread Daniël W. Crompton
On 12 November 2013 22:52, Sam Moats  wrote:

> We used to use a small perl script called tattle that would parse out the
> /var/log/secure on our *nix boxes, isolate the inbound ssh exploits, lookup
> the proper abuse contacts and report them. I haven't seen anything similar
> in years but it would be interesting to do more than null route IPs.


We also used to have a script which did something similar but for more than
just inbound ssh; for the most part this was ineffective.

D.


blaze your trail

-- 
Daniël W. Crompton

http://specialbrands.net/



Re: Automatic abuse reports

2013-11-12 Thread Jeroen Massar
On 2013-11-12 16:58, Jonas Björklund wrote:
> Hello,
> 
> We often get abuse reports on hosts that have been involved in DDOS attacks.
> We contact the owner of the host to help them fix the problem.
> 
> I also would like to start sending these abuse reports to the ISP of the
> source.
> 
> Are there any available tools for this? Is there any plugin for nfsen?

Look at anything related to IODEF, specifically the CIF implementation:
 https://code.google.com/p/collective-intelligence-framework/

Greets,
 Jeroen




Re: Automatic abuse reports

2013-11-12 Thread Sam Moats
We used to use a small perl script called tattle that would parse out 
the /var/log/secure on our *nix boxes, isolate the inbound ssh exploits, 
look up the proper abuse contacts and report them. I haven't seen 
anything similar in years but it would be interesting to do more than 
null route IPs.


The problem we had with the automated reporting was dealing with 
spoofed sources, we see lots of traffic that is obviously hostile but 
unless it becomes serious enough to impact performance we rarely report 
it. An automated system didn't seem to fit anymore due to false 
positives.


A number of providers who aren't exactly interested in the overall good 
health of the net do a poor job of network ingress filtering, which I 
can't tell unless I closely examine the traffic and its origins. Without 
being able to trust the source address information in the DDOS traffic I 
run the risk of crying wolf to a provider who is just as much a victim as 
I am. (Think of my ACK packets piling up in his network in response to 
the bogus SYN packets I'm getting.) So we reserve complaints for when 
there is an actual impact and try to keep the signal to noise ratio in 
our reports decent.


I'm not really happy with this approach and I'm open to ideas!

Thanks
Sam Moats

On 2013-11-12 16:58, Jonas Björklund wrote:

> Hello,
>
> We often get abuse reports on hosts that have been involved in DDOS
> attacks. We contact the owner of the host to help them fix the problem.
>
> I also would like to start sending these abuse reports to the ISP of the
> source.
>
> Are there any available tools for this? Is there any plugin for nfsen?
>
> Do I need to write my own scripts for this?
>
> /Jonas
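
Sam's description of tattle above (parse /var/log/secure, isolate the ssh attempts, look up the contact, report) and the later exchange with Bill Herrin about the three-way handshake and inetd logging every accepted TCP session both come down to one triage rule: only evidence that proves the peer completed the handshake may name a source in a report, and bare SYN counts may drive local blocking but never an upstream complaint. The Python below is an added example for this page, not tattle itself or anyone's production script. The log lines are constructed (syslog-style sshd lines plus a simplified netfilter-style `kernel:` line), the year is supplied because syslog timestamps lack one, and the abuse-contact lookup (whois/RDAP on the source) is represented by a labelled placeholder rather than implemented.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/secure-style lines; host, addresses and times
# are invented for this example. The two "kernel:" lines stand in for a packet
# filter logging SYNs to port 22 and are simplified from the real LOG format.
SAMPLE_LOG = """\
Nov 12 20:41:03 bastion sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Nov 12 20:41:05 bastion sshd[1235]: Invalid user oracle from 203.0.113.5 port 51240
Nov 12 20:41:06 bastion sshd[1236]: Failed password for root from 203.0.113.5 port 51250 ssh2
Nov 12 20:41:07 bastion sshd[1237]: Did not receive identification string from 198.51.100.7 port 40000
Nov 12 20:41:08 bastion sshd[1238]: Failed password for sam from 192.0.2.9 port 33000 ssh2
Nov 12 20:41:09 bastion sshd[1238]: Accepted publickey for sam from 192.0.2.9 port 33000 ssh2
Nov 12 20:41:10 bastion kernel: SSH-SYN IN=eth0 OUT= SRC=192.0.2.200 DST=192.0.2.10 PROTO=TCP SPT=1 DPT=22 SYN
Nov 12 20:41:11 bastion kernel: SSH-SYN IN=eth0 OUT= SRC=192.0.2.201 DST=192.0.2.10 PROTO=TCP SPT=1 DPT=22 SYN
"""

# Authentication failures: sshd emits these only after the TCP handshake and
# the SSH key exchange, so the peer address cannot have been blindly spoofed.
AUTH_FAIL = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed \w+ for (?:invalid user )?|Invalid user )(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
# A logged SYN proves nothing about the source: it may be a spoofed flood.
SYN_ONLY = re.compile(r" kernel: .*SRC=(?P<ip>\S+) .*DPT=22 .*SYN")


def parse_line(line, year=2013):
    """Classify one log line as ('auth_fail', ip, user, ts), ('syn_only', ip,
    None, None) or (None, None, None, None). Successful logins and
    pre-banner disconnects are deliberately ignored as evidence."""
    m = AUTH_FAIL.match(line)
    if m:
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return "auth_fail", m["ip"], m["user"], ts
    m = SYN_ONLY.search(line)
    if m:
        return "syn_only", m["ip"], None, None
    return None, None, None, None


def triage(lines, threshold=2, year=2013):
    """Aggregate per source. Only handshake-proven failures count toward a
    report, and only once a source crosses `threshold`, which keeps the
    signal-to-noise ratio up. SYN-only hits are returned separately so they
    can feed a local ACL or null route without ever being reported upstream."""
    evidence = defaultdict(lambda: {"fails": 0, "users": set(), "first": None, "last": None})
    syn_noise = defaultdict(int)
    for line in lines:
        kind, ip, user, ts = parse_line(line, year)
        if kind == "auth_fail":
            e = evidence[ip]
            e["fails"] += 1
            e["users"].add(user)
            e["first"] = ts if e["first"] is None else min(e["first"], ts)
            e["last"] = ts if e["last"] is None else max(e["last"], ts)
        elif kind == "syn_only":
            syn_noise[ip] += 1
    reports = {ip: e for ip, e in evidence.items() if e["fails"] >= threshold}
    return reports, dict(syn_noise)


def format_report(ip, e):
    """Plain-text complaint an abuse desk can act on. The recipient lookup
    (whois/RDAP abuse contact for `ip`) is a separate step and is shown as a
    placeholder, not resolved here."""
    return (
        f"To: <abuse contact for {ip}, to be resolved via whois/RDAP (placeholder)>\n"
        f"Subject: SSH brute-force attempts from {ip}\n\n"
        f"{e['fails']} failed SSH logins between {e['first']:%Y-%m-%d %H:%M:%S} "
        f"and {e['last']:%Y-%m-%d %H:%M:%S} (log-local time); usernames tried: "
        f"{', '.join(sorted(e['users']))}.\n"
        "Each session completed the TCP and SSH handshakes, so the source "
        "address was not spoofed.\n"
    )


if __name__ == "__main__":
    reports, noise = triage(SAMPLE_LOG.splitlines())
    for ip, e in reports.items():
        print(format_report(ip, e))
    print("SYN-only sources (block locally, do not report):", noise)
```

With the constructed sample only 203.0.113.5 is reported (three handshake-proven failures across three usernames); 192.0.2.9 had a single failure before a successful key login and stays under the threshold, and the two SYN-only sources land in the local-block list. That split is the answer to Sam's false-positive problem: the report never names an address the logging daemon did not actually talk to.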




Automatic abuse reports

2013-11-12 Thread Jonas Björklund

Hello,

We often get abuse reports on hosts that have been involved in DDOS attacks.
We contact the owner of the host to help them fix the problem.

I also would like to start sending these abuse reports to the ISP of the source.

Are there any available tools for this? Is there any plugin for nfsen?

Do I need to write my own scripts for this?

/Jonas