Re: Abuse Desks

2020-04-30 Thread Matt Erculiani
Is there really not already an RFC or BCP for a standard abuse reporting format? Even if what constitutes abuse is up for debate, a formatting standard would make processing and automation much easier. -Matt On Thu, Apr 30, 2020 at 9:18 AM Andrey Kostin wrote: > Maybe there is a market

Re: Abuse Desks

2020-04-30 Thread Gary E. Miller
Yo Mike! On Thu, 30 Apr 2020 07:10:19 -0500 (CDT) Mike Hammett wrote: > I don't think I've seen anything back from the biggest offender, > Digital Ocean, other than auto-responders acknowledging the report. I gave up on Digital Ocean. I blackhole all their nets. Eventually I had to white

Re: Abuse Desks

2020-04-30 Thread Andrey Kostin
Maybe there is a market opportunity there? Develop reporting standard (or use one that was posted here), then develop reporting, processing and analytic tools, and then provide it as a service? Looks like a nice use case of how to utilise clouds ;) Kind regards, Andrey Mike Hammett wrote

Re: Abuse Desks

2020-04-30 Thread Mike Hammett
I did not want to target anyone in particular, so I have responded to my original e-mail. I have seen comments about the big guys just ignoring everything. I have had a non-zero number of e-mails from each of Azure, GCP, AWS, and Hetzner claiming that they have acted on my report. It isn't a

Re: Abuse Desks

2020-04-30 Thread Mike Hammett
There have been a lot of philosophical tangents to the original request. Are others seeing similar things? - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com - Original Message - From: "Mike Hammett" To: "North

Re: Abuse Desks

2020-04-30 Thread Mike Hammett
- From: "Hal Murray" To: nanog@nanog.org Cc: "Hal Murray" Sent: Thursday, April 30, 2020 2:59:43 AM Subject: Re: Abuse Desks Mike Hammett said: > IMO, the answer is balance. > - Handful of SSH connection attempts against a server. Nobody got in, > security ha

Re: Abuse Desks

2020-04-30 Thread Hal Murray
Mike Hammett said: > IMO, the answer is balance. > - Handful of SSH connection attempts against a server. Nobody got in, > security hardening did its job. I don't think that is worth reporting. - > Constant brute force SSH attempts from a given source over an extended period > of time, or a

Re: Abuse Desks

2020-04-29 Thread Valdis Klētnieks
On Wed, 29 Apr 2020 11:25:19 -0400, sro...@ronan-online.com said: > Perhaps some organization of Network Operators should come up with an > objective standard of what constitutes “abuse” and a standard format for > reporting it. > If only there was such an organization. A different

Re: Abuse Desks

2020-04-29 Thread Matt Corallo via NANOG
Good thing I care, but that's missing the point here - the volume of abuse requests makes the entire abuse system unworkable. Not for me so much, I can deal with the volume (a few obnoxious individuals aside), but AWS/OVH/Hetzner appear to have decided they cannot, and that means I can't

Re: Abuse Desks

2020-04-29 Thread Mel Beckman
Jeff, FTPS The prosecution rests :) -mel On Apr 29, 2020, at 5:25 PM, Jeffrey Ollie wrote: On Wed, Apr 29, 2020 at 10:43 AM Mel Beckman <m...@beckman.org> wrote: Is there any reason to have a root-enabled (or any) ssh server exposed to the bare Internet? Any at all? Can you name

Re: Abuse Desks

2020-04-29 Thread William Herrin
On Wed, Apr 29, 2020 at 4:19 PM Matt Corallo wrote: > Now you can decide to pass judgement on the idea that someone may want to run > a Tor exit node Wait... You run a TOR exit node and you find it unreasonable that folks would send you automated abuse complaints? In my dictionary under

Re: Abuse Desks

2020-04-29 Thread Matt Corallo via NANOG
Ah, I'd pasted the following in a response to the mail you responded to: ~$ whois 208.68.4.129 Comment:--- Comment:208.68.4.128/28 and 208.68.7.128/28 provide privacy services Comment:(incl running tor exit node(s)!) Comment:Abuse reports will be

Re: Abuse Desks

2020-04-29 Thread Sabri Berisha
- On Apr 29, 2020, at 3:15 PM, mel m...@beckman.org wrote: Hi Mel, > A clever idea to be sure, but it seems open to abuse. What stops someone from > forging a tcp syn from every /24 on the Internet, causing you to blackhole > your > access to everywhere? Fair point, and I lied a bit. My

Re: Abuse Desks

2020-04-29 Thread bzs
On April 29, 2020 at 07:35 na...@ics-il.net (Mike Hammett) wrote: > "What is it, exactly, that you expect a provider to do with your report of a > few failed SSH login attempts to stop the activity?... disconnect the > customer." > > Yes. What I've done in the past is tell the customer we

Re: Abuse Desks

2020-04-29 Thread William Herrin
On Wed, Apr 29, 2020 at 3:36 PM Matt Corallo wrote: > I do, in this case, have such a right, because I know exactly what is going > on in my network, Hi Matt, If someone in your address space is knock-knocking on a stranger's ssh ports (your example, not mine), you have some work to do

Re: Abuse Desks

2020-04-29 Thread Matt Corallo via NANOG
I don't think anyone in this thread meant to suggest that there is no reason to be concerned about such scans, as you point out they are occasionally compromised hosts and the like. The real question here is what is the cost of sending all that mail? The abuse system as it exists today is

Re: Abuse Desks

2020-04-29 Thread Matt Corallo via NANOG
I do, in this case, have such a right, because I know exactly what is going on in my network, and any non-automated system (i.e., a human who reads the one sentence in the whois comments) does as well. Of course, I'm not going to get up in arms about it because this isn't about me (I just put

Re: Abuse Desks

2020-04-29 Thread Mel Beckman
Sabri, A clever idea to be sure, but it seems open to abuse. What stops someone from forging a tcp syn from every /24 on the Internet, causing you to blackhole your access to everywhere? -mel > On Apr 29, 2020, at 2:24 PM, Sabri Berisha wrote: > > - On Apr 29, 2020, at 9:08 AM,

Re: Abuse Desks

2020-04-29 Thread Sabri Berisha
- On Apr 29, 2020, at 9:08 AM, Stephen Satchell l...@satchell.net wrote: Hi, > That said, I use TCPWRAPPER to limit access to SSH to specific IP > addresses. I process my LogWatch messages manually. I pull the fire > alarm for snowshoe probes, and excessive number of probes (over 30 in a >

Re: Abuse Desks

2020-04-29 Thread William Herrin
> On 4/28/20 11:57 AM, Mike Hammett wrote: > > I noticed over the weekend that a Fail2Ban instance's complain function > > wasn't working. I fixed it. On the one hand, if you have programmed your computer to originate email to lots of people without any review to consider the email's accuracy or

Re: Abuse Desks

2020-04-29 Thread Denys Fedoryshchenko
On 2020-04-28 18:57, Mike Hammett wrote: I noticed over the weekend that a Fail2Ban instance's complain function wasn't working. I fixed it. I've noticed a few things: 1) Abusix likes to return RIR abuse contact information. The vast majority are LACNIC, but it also has kicked back a couple for

Re: Abuse Desks

2020-04-29 Thread Mark Andrews
The machines that are ssh probing are probably doing other stuff. Take the win that you have been informed about a compromised machine and get it cleaned / quarantined. -- Mark Andrews > On 30 Apr 2020, at 06:20, Bottiger wrote: > >  > It is rather easy to block SSH cracking attempts

Re: Abuse Desks

2020-04-29 Thread Bottiger
It is rather easy to block SSH cracking attempts from your own side. Rarely do they put any significant load on your network or computer. I would sympathize with this except for the fact that abuse desks won't even respond to DDoS attacks, something that can't be fixed on your own end without

Re: Abuse Desks

2020-04-29 Thread Laszlo Hanyecz
On 2020-04-29 17:51, Mukund Sivaraman wrote: On Wed, Apr 29, 2020 at 01:49:14PM -0400, Tom Beecher wrote: What if I am at home, and while working on a project, fire off a wide ranging nmap against say a /19 work network to validate something externally? Should my ISP detect that and make a

Re: Abuse Desks

2020-04-29 Thread Tom Beecher
Well, I think our disagreement is on what we constitute 'legitimate abuse' to be. On Wed, Apr 29, 2020 at 1:51 PM Mukund Sivaraman wrote: > On Wed, Apr 29, 2020 at 01:49:14PM -0400, Tom Beecher wrote: > > What if I am at home, and while working on a project, fire off a wide > > ranging nmap

Re: Abuse Desks

2020-04-29 Thread Mukund Sivaraman
On Wed, Apr 29, 2020 at 01:49:14PM -0400, Tom Beecher wrote: > What if I am at home, and while working on a project, fire off a wide > ranging nmap against say a /19 work network to validate something > externally? Should my ISP detect that and make a decision that I shouldn't > be doing that,

Re: Abuse Desks

2020-04-29 Thread Tom Beecher
What if I am at home, and while working on a project, fire off a wide ranging nmap against say a /19 work network to validate something externally? Should my ISP detect that and make a decision that I shouldn't be doing that, even though it is completely legitimate and authorized activity? What if

Re: Abuse Desks

2020-04-29 Thread Matt Corallo via NANOG
I think we all agree with this. The real question is...how do we build such a thing? The abuse process we have clearly doesn't work. Maybe it's the fault of the Big Providers (AWS/GCP/OVH/etc) who don't invest enough to have a robust abuse-processing system to actually deal with reports, maybe

Re: Abuse Desks

2020-04-29 Thread Mike Hammett
-ix.com - Original Message - From: "Stephen Satchell" To: nanog@nanog.org Sent: Wednesday, April 29, 2020 12:35:20 PM Subject: Re: Abuse Desks On 4/29/20 9:57 AM, Mike Hammett wrote: > My routers have ACLs, but my servers for the most part do not. I'm not tr

Re: Abuse Desks

2020-04-29 Thread Brian J. Murrell
On Wed, 2020-04-29 at 09:50 -0700, Stephen Satchell wrote: > > As I build up my new > firewall, I'll turn off public SSH access completely, and instead use > a > robust VPN implementation. (Which has its own issues.) How does that solve the problem at hand in any way? The abuse/probing just

Re: Abuse Desks

2020-04-29 Thread Stephen Satchell
On 4/29/20 9:57 AM, Mike Hammett wrote: My routers have ACLs, but my servers for the most part do not. I'm not trying to argue, but...what servers do you have that don't have sysadmin-definable firewalls and tunable knobs? My edge routers are Linux boxes (CentOS 8 for the one I'm now

Re: Abuse Desks

2020-04-29 Thread Mukund Sivaraman
On Wed, Apr 29, 2020 at 09:50:42AM -0700, Stephen Satchell wrote: > On 4/29/20 9:24 AM, Mukund Sivaraman wrote: > > If there's a lock on my door, and someone tries to pick it, you can call > > me at fault for having a lock on my door facing outside all you > > want. But the thief picking it has no

Re: Abuse Desks

2020-04-29 Thread Matt Corallo via NANOG
I obviously agree it *can* be an indication of a bigger issue, but it isn't always. Let's take an example from one of my (isolated) netblocks: ~$ whois 208.68.4.129 Comment:--- Comment:208.68.4.128/28 and 208.68.7.128/28 provide privacy services Comment:(incl

Re: Abuse Desks

2020-04-29 Thread Mike Hammett
ose within such a desire to do so. - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com - Original Message - From: "Stephen Satchell" To: nanog@nanog.org Sent: Wednesday, April 29, 2020 11:50:42 AM Subject: Re: Abuse

Re: Abuse Desks

2020-04-29 Thread Stephen Satchell
On 4/29/20 9:24 AM, Mukund Sivaraman wrote: If there's a lock on my door, and someone tries to pick it, you can call me at fault for having a lock on my door facing outside all you want. But the thief picking it has no business doing so, and will be guilty of a crime if caught. This is a good

Re: Abuse Desks

2020-04-29 Thread Mukund Sivaraman
On Wed, Apr 29, 2020 at 03:41:06PM +, Mel Beckman wrote: > Joe, > > Is there any reason to have a root-enabled (or any) ssh server exposed > to the bare Internet? Any at all? Can you name one? I can’t. That’s > basically pilot error. The last time (a couple of weeks ago) when I installed a

Re: Abuse Desks

2020-04-29 Thread Mike Hammett
- From: sro...@ronan-online.com To: "NANOG" Sent: Wednesday, April 29, 2020 10:25:19 AM Subject: Re: Abuse Desks Perhaps some organization of Network Operators should come up with an objective standard of what constitutes “abuse” and a standard format for reporting it.

Re: Abuse Desks

2020-04-29 Thread Stephen Satchell
On 4/29/20 8:41 AM, Mel Beckman wrote: Is there any reason to have a root-enabled (or any) ssh server exposed to the bare Internet? Any at all? Can you name one? I can’t. That’s basically pilot error. Remember HeartBleed? That didn't require a root-enabled SSH server. It didn't require SSH

Re: Abuse Desks

2020-04-29 Thread Mukund Sivaraman
On Wed, Apr 29, 2020 at 10:12:29AM -0500, Chris Adams wrote: > Once upon a time, Mukund Sivaraman said: > > If an abuse report is incorrect, then it is fair to complain. > > The thing is: are 3 failed SSH logins from an IP legitimately "abuse"? It is configurable. Anyway, I don't know how else

Re: Abuse Desks

2020-04-29 Thread Joe Greco
On Wed, Apr 29, 2020 at 03:41:06PM +, Mel Beckman wrote: > Joe, > > Is there any reason to have a root-enabled (or any) ssh server > exposed to the bare Internet? Any at all? Can you name one? > I can't. That's basically pilot error. Mel, I think you're looking at it the wrong way.

Re: Abuse Desks

2020-04-29 Thread Mel Beckman
In fact, SRonan, the real risk of such a standard is that people would use it to send an increasingly massive flood of pointless abuse reports, which would require deployment of an equally massive AI-based data analytics to cull the flood, which would then be Skynet :) -mel beckman > On Apr

Re: Abuse Desks

2020-04-29 Thread Shane Ronan
The standards are perfectly feasible. That doesn't mean people will follow them, however it's much better to say "I ignored your notification because it didn't follow the objective standard" than it is to just say "I ignored your notification because I felt like it" On Wed, Apr 29, 2020, 11:37

Re: Abuse Desks

2020-04-29 Thread Mel Beckman
Joe, Is there any reason to have a root-enabled (or any) ssh server exposed to the bare Internet? Any at all? Can you name one? I can’t. That’s basically pilot error. -mel > On Apr 29, 2020, at 8:37 AM, Joe Greco wrote: > > On Wed, Apr 29, 2020 at 10:12:29AM -0500, Chris Adams wrote: >>

Re: Abuse Desks

2020-04-29 Thread Mel Beckman
SRonan, If only such a standard were feasible :) -mel beckman > On Apr 29, 2020, at 8:25 AM, "sro...@ronan-online.com" > wrote: > > Perhaps some organization of Network Operators should come up with an > objective standard of what constitutes “abuse” and a standard format for > reporting

Re: Abuse Desks

2020-04-29 Thread Joe Greco
On Wed, Apr 29, 2020 at 10:12:29AM -0500, Chris Adams wrote: > Once upon a time, Mukund Sivaraman said: > > If an abuse report is incorrect, then it is fair to complain. > > The thing is: are 3 failed SSH logins from an IP legitimately "abuse"? > > I've typoed IP/FQDN before and gotten an SSH

Re: Abuse Desks

2020-04-29 Thread sronan
Perhaps some organization of Network Operators should come up with an objective standard of what constitutes “abuse” and a standard format for reporting it. If only there was such an organization. Sent from my iPhone > On Apr 29, 2020, at 11:14 AM, Chris Adams wrote: > > Once upon a time,

Re: Abuse Desks

2020-04-29 Thread Chris Adams
Once upon a time, Mukund Sivaraman said: > If an abuse report is incorrect, then it is fair to complain. The thing is: are 3 failed SSH logins from an IP legitimately "abuse"? I've typoed IP/FQDN before and gotten an SSH response, and taken several tries before I realized my error. Did I

Re: Abuse Desks

2020-04-29 Thread Tom Beecher
IMO, the answer is balance. - Handful of SSH connection attempts against a server. Nobody got in, security hardening did its job. I don't think that is worth reporting. - Constant brute force SSH attempts from a given source over an extended period of time, or a clear pattern of probing, yes,

Re: Abuse Desks

2020-04-29 Thread J. Hellenthal via NANOG
;let's" make one? No one can follow it if it doesn't exist. > > > > > > > - > Mike Hammett > Intelligent Computing Solutions > http://www.ics-il.com > > Midwest-IX > http://www.midwest-ix.com > > From: "Matt Palmer" > To:

Re: Abuse Desks

2020-04-29 Thread Mel Beckman
Rich, It’s interesting that you mention “the lesson of the 75-cent accounting error” from Cliff Stoll’s The Cuckoo's Egg. Because the lesson from that account is precisely that exerting a massive human-labor-intensive effort to trace every tiny abuse signal is not worth the heavy cost — in this

Re: Abuse Desks

2020-04-29 Thread Mike Hammett
make one? No one can follow it if it doesn't exist. - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com - Original Message - From: "Matt Palmer" To: nanog@nanog.org Sent: Wednesday, April 29, 2020 6:48:51

Re: Abuse Desks

2020-04-29 Thread Rich Kulawiec
On Tue, Apr 28, 2020 at 12:40:12PM -0400, Matt Corallo via NANOG wrote: > Please don't use this kind of crap to send automated "we received 3 login > attempts on our SSH box..wa" emails. > This is why folks don't have abuse contacts that are responsive to real > issues anymore. [ "you"

Re: Abuse Desks

2020-04-29 Thread Matt Palmer
On Wed, Apr 29, 2020 at 12:24:01PM +0530, Mukund Sivaraman wrote: > On Tue, Apr 28, 2020 at 11:40:16PM -0700, Matt Corallo wrote: > > Sadly dumb kids are plentiful. If you have to nag an abuse desk every > > time they sell a server to a kid who’s experimenting with nmap for the > > first time

Re: Abuse Desks

2020-04-29 Thread Dan Hollis
On Tue, 28 Apr 2020, Matt Corallo wrote: Sadly dumb kids are plentiful. If you have to nag an abuse desk every time they sell a server to a kid who’s experimenting with nmap for the first time then we’ll end up exactly where we are - abuse contacts are not a reliable way to get in touch

Re: Abuse Desks

2020-04-29 Thread Mukund Sivaraman
On Tue, Apr 28, 2020 at 11:40:16PM -0700, Matt Corallo wrote: > Sadly dumb kids are plentiful. If you have to nag an abuse desk every > time they sell a server to a kid who’s experimenting with nmap for the > first time then we’ll end up exactly where we are - abuse contacts > are not a

Re: Abuse Desks

2020-04-29 Thread Matt Corallo via NANOG
Sadly dumb kids are plentiful. If you have to nag an abuse desk every time they sell a server to a kid who’s experimenting with nmap for the first time then we’ll end up exactly where we are - abuse contacts are not a reliable way to get in touch with anyone, and definitely not a reliable

Re: Abuse Desks

2020-04-29 Thread Mukund Sivaraman
Hi Matt On Tue, Apr 28, 2020 at 11:02:04PM -0700, Matt Corallo wrote: > DDoS, hijacker, botnet C&C, compromised hosts, > sufficiently-hard-to-deal-with phishing, etc are all things that carry > real risk to services that are otherwise well-maintained (primarily in > that many of the latter lead to

Re: Abuse Desks

2020-04-29 Thread Matt Corallo via NANOG
DDoS, hijacker, botnet C&C, compromised hosts, sufficiently-hard-to-deal-with phishing, etc are all things that carry real risk to services that are otherwise well-maintained (primarily in that many of the latter lead to the former). Nothing wrong with using or monitoring fail2ban, but if you’re

Re: Abuse Desks

2020-04-28 Thread Mukund Sivaraman
On Tue, Apr 28, 2020 at 08:45:12PM -0700, Dan Hollis wrote: > On Tue, 28 Apr 2020, Matt Corallo via NANOG wrote: > > Please don't use this kind of crap to send automated "we received 3 login > > attempts on our SSH box..wa" emails. > > This is why folks don't have abuse contacts that are

Re: Abuse Desks

2020-04-28 Thread Dan Hollis
On Tue, 28 Apr 2020, Matt Corallo via NANOG wrote: Please don't use this kind of crap to send automated "we received 3 login attempts on our SSH box..wa" emails. This is why folks don't have abuse contacts that are responsive to real issues anymore. That's what SBL is for. -Dan

Re: Abuse Desks

2020-04-28 Thread Matt Corallo via NANOG
Please don't use this kind of crap to send automated "we received 3 login attempts on our SSH box..wa" emails. This is why folks don't have abuse contacts that are responsive to real issues anymore. Matt On 4/28/20 11:57 AM, Mike Hammett wrote: > I noticed over the weekend that a