On Sun Sep 18, 2016 at 05:17:33PM +0200, Florian Weimer wrote:
> Okay, then perhaps my guess of the ISP involved is wrong.

It's not hard to find out who I work for :)

> Out of curiosity, how common is end-to-end reporting of
> source/destination port information (in addition to source IP
> addresses and destination IP addresses)? Have the anti-abuse
> mechanisms finally caught on with CGNAT, or is it possible that the
> PSN operator themselves do not have such detailed data?

99.99% of abuse reports we receive contain the information, but that's because
99.99% of abuse reports we receive are from the 'copyright police', and their
tools capture and include it in the reports.

Once you discard that 99.99%, and are left with the stuff that is worthy of
manual investigation, I'd say that almost all of it only contains timestamp and
source IP. Sometimes it'll also contain destination IP (so we can take a best
guess based on netflow data), and very occasionally it'll also contain source

I'd say the same also applies to requests for information that we receive from
law enforcement agencies. In most cases, they're working from weblogs, and I'd
be tempted to say that most webservers' 'out of the box' configuration does not
log source port, only source IP in the web access logs.
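
The following is an added example, not part of the original message: it shows why a report carrying only timestamp and source IP cannot be resolved to one subscriber behind CGNAT, while one that also carries the source port can. The allocation-log schema, the addresses, the subscriber names and the function names are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def ts(s):
    """Parse a UTC timestamp of the form YYYY-MM-DDTHH:MM:SS."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

# Constructed CGNAT port-block allocation log (hypothetical schema):
# (public_ip, first_port, last_port, start, end, subscriber)
# Each block is active on the half-open interval [start, end).
ALLOCATIONS = [
    ("192.0.2.10", 1024, 5119, ts("2016-09-18T14:00:00"), ts("2016-09-18T16:00:00"), "sub-A"),
    ("192.0.2.10", 5120, 9215, ts("2016-09-18T14:30:00"), ts("2016-09-18T15:30:00"), "sub-B"),
    ("192.0.2.10", 1024, 5119, ts("2016-09-18T16:00:00"), ts("2016-09-18T18:00:00"), "sub-C"),
    ("192.0.2.11", 1024, 5119, ts("2016-09-18T14:00:00"), ts("2016-09-18T18:00:00"), "sub-D"),
]

def candidates(public_ip, when, src_port=None, skew_seconds=0):
    """Return every subscriber who could have sourced the reported traffic.

    src_port=None models a report that lacks the source port.
    skew_seconds models clock error between the reporter and the CGNAT logs.
    """
    skew = timedelta(seconds=skew_seconds)
    hits = set()
    for ip, lo, hi, start, end, sub in ALLOCATIONS:
        if ip != public_ip:
            continue
        # Reject blocks that cannot overlap [when - skew, when + skew].
        if when + skew < start or when - skew >= end:
            continue
        if src_port is not None and not (lo <= src_port <= hi):
            continue
        hits.add(sub)
    return sorted(hits)

if __name__ == "__main__":
    t = ts("2016-09-18T15:00:00")
    print("IP + time only:   ", candidates("192.0.2.10", t))
    print("IP + time + port: ", candidates("192.0.2.10", t, src_port=6000))
    # Near a block hand-over, clock skew alone reintroduces ambiguity.
    edge = ts("2016-09-18T15:59:30")
    print("edge, 60s skew:   ", candidates("192.0.2.10", edge, 2000, 60))
```

On the web server side, the client port is available as `%{remote}p` in an Apache `LogFormat` and as `$remote_port` in an nginx `log_format`.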