
Abuse Desks

It is rather easy to block SSH cracking attempts from your own side. Rarely
do they put any significant load on your network or computer.

I would sympathize with this except for the fact that abuse desks won't
even respond to DDoS attacks, something that can't be fixed on your own end
without spending a lot of money.

That needs to be fixed first before worrying about password cracking.

On Tue, Apr 28, 2020 at 8:58 AM Mike Hammett <nanog at ics-il.net> wrote:

> I noticed over the weekend that a Fail2Ban instance's complain function
> wasn't working. I fixed it. I've noticed a few things:
> 1) Abusix likes to return RIR abuse contact information. The vast majority
> are LACNIC, but it also has kicked back a couple for APNIC and ARIN. When I
> look up the compromised IP address in Abusix via the CLI, the APNIC and
> ARIN ones return both ISP contact information and RIR information. When I
> look them up on the RIR's whois, it just shows the ISP abuse information.
> Weird, but so rare it's probably just an anomaly. However, almost
> everything I see in LACNIC's region is returned with only the LACNIC abuse
> information when the ones I've checked on LACNIC's whois list valid abuse
> information for that prefix. Can anyone confirm they've seen similar
> behavior out of Abusix? I reached out to them, but haven't heard back.
> 2) Digital Ocean hits my radar far more than any other entity.
> 3) Azure shows up a lot less than GCP or AWS, which are about similar to
> each other.
> 4) Around 5% respond saying it's been addressed (or why it's not in the
> event of security researchers) within a couple hours. The rest I don't
> know. I've had a mix of small and large entities in that response.
> 5) HostGator seems to have an autoresponder (due to a 1 minute response)
> that just indicates that you sent nothing actionable, despite the report
> including the relevant log file entries.
> 6) Charter seems to have someone actually looking at it as it took them 16
> - 17 hours to respond, but they say they don't have enough information to
> act on, requesting relevant log file entries...  which were provided in the
> initial report and are even included in their response. They request
> relevant log file entries with the date, time, timezone, etc. all in the
> body in plain text, which was delivered.
> 7) The LACNIC region has about 1/3 of my reports.
> Do these mirror others' observations with security issues and how abuse
> desks respond?
> -----
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
> Midwest-IX
> http://www.midwest-ix.com
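The thread above is about what Fail2Ban's `complain` action sends and what abuse desks then ask for: log lines with date, time and timezone in plain text, and an abuse contact that is the ISP's rather than the RIR's. The block below is an added example, not Fail2Ban's code and not anything the posters ran. It parses constructed sshd syslog lines (which carry no year and no zone), stamps each one with an explicit UTC offset, groups by source IP, builds the Abusix Abuse Contact DB query name (reversed IPv4 octets under `abuse-contacts.abusix.zone`, TXT record, IPv4 only here), and composes the report. The resolver is pluggable so the block runs offline; the default resolver is the same `dig +short` call complain.conf makes and needs `dig` and network access.

```python
"""Turn sshd failures into abuse reports the way Fail2Ban's ``complain``
action does: group by source IP, look up the abuse contact through the
Abusix Abuse Contact DB, and quote every log line with an explicit
timezone.  Added example, not Fail2Ban's own code; the log lines are
constructed and the resolver is pluggable so the block runs offline."""
import ipaddress
import re
import subprocess
from collections import defaultdict
from datetime import datetime, timezone

ABUSIX_ZONE = "abuse-contacts.abusix.zone"   # Abusix contact DB, queried via TXT

# Constructed sshd lines in classic syslog format: no year, no timezone,
# which is exactly the detail abuse desks ask to have spelled out.
SAMPLE_AUTH_LOG = """\
Apr 28 03:14:07 bastion sshd[2231]: Failed password for root from 203.0.113.45 port 51234 ssh2
Apr 28 03:14:09 bastion sshd[2231]: Failed password for root from 203.0.113.45 port 51234 ssh2
Apr 28 03:14:12 bastion sshd[2240]: Failed password for invalid user admin from 203.0.113.45 port 51300 ssh2
Apr 28 03:20:01 bastion sshd[2290]: Failed password for invalid user test from 198.51.100.7 port 40001 ssh2
Apr 28 03:21:44 bastion sshd[2301]: Accepted publickey for deploy from 192.0.2.10 port 55000 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed_logins(text, year, tz=timezone.utc):
    """Return {ip: [(aware datetime, user, raw line), ...]} for failed passwords.

    Syslog lines carry no year or zone; the caller supplies both (tz defaults
    to UTC, the safe choice for a report read in another region)."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m["ip"]))   # reject garbage in the IP field
        except ValueError:
            continue
        stamp = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                  "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
        hits[ip].append((stamp, m["user"], line))
    return dict(hits)


def abusix_query_name(ip):
    """Name to query for the TXT abuse contact: reversed IPv4 octets under the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(ip.split("."))) + "." + ABUSIX_ZONE


def dig_txt(name):
    """Default resolver: the same ``dig +short`` call complain.conf uses (needs network)."""
    out = subprocess.run(["dig", "+short", "-t", "txt", name],
                         capture_output=True, text=True, check=False).stdout
    return [ln for ln in out.splitlines() if ln.strip()]


def lookup_contact(ip, resolve_txt=dig_txt):
    """First TXT answer with dig's quoting removed, or None when Abusix has nothing.

    None, or an RIR mailbox where the ISP's was expected, is the cue to check
    the RIR's own whois for the prefix before sending."""
    answers = resolve_txt(abusix_query_name(ip))
    return answers[0].strip().strip('"') if answers else None


def build_report(ip, contact, hits):
    """Plain-text report: contact, count, and every line with an explicit zone."""
    to = contact or "(no Abusix contact; check RIR whois for this prefix)"
    lines = [f"To: {to}",
             f"Subject: SSH brute-force attempts from {ip}",
             "",
             f"{ip} made {len(hits)} failed SSH password attempts. Timestamps are ISO 8601",
             "with explicit UTC offset; the original syslog line follows each one.",
             ""]
    for stamp, user, raw in sorted(hits):
        lines.append(f"{stamp.isoformat()} user={user} | {raw}")
    return "\n".join(lines)


def generate_reports(text, year, resolve_txt=dig_txt, min_attempts=3):
    """{ip: report text} for every source at or above the attempt threshold."""
    reports = {}
    for ip, hits in parse_failed_logins(text, year).items():
        if len(hits) < min_attempts:
            continue
        reports[ip] = build_report(ip, lookup_contact(ip, resolve_txt), hits)
    return reports


if __name__ == "__main__":
    # Fake resolver so the demo needs no network; the address and mailbox are made up.
    fake = lambda name: {"45.113.0.203." + ABUSIX_ZONE: ['"abuse@example.net"']}.get(name, [])
    for ip, body in generate_reports(SAMPLE_AUTH_LOG, 2020, fake).items():
        print(body, "\n")
```

Running it with the real `dig_txt` resolver against a source you actually saw is the way to reproduce item 1 of the original post: if the TXT answer is an RIR mailbox while the RIR's whois lists a valid abuse contact for the prefix, that is the discrepancy being described, and the report should go to the whois contact instead.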