EH-Net

Ethical Hacking Discussions and Related Certifications => Incident Response => Topic started by: Andrew Waite on April 16, 2009, 06:14:28 AM



Title: Abuse proceed?
Post by: Andrew Waite on April 16, 2009, 06:14:28 AM
Hi All,

I was looking for a bit of advice regarding abuse reports:

How regularly do you/should you contact third parties to inform them of suspicious/malicious activity coming from one of their machines?
And where do you draw the line between 'noise' and abuse?

We've got various IDSs, honeypots etc. in place that are continually capturing many events sourced from the outside world. Contacting everyone individually/manually takes resources we don't have available, and automating it seems like a good way to annoy other over-worked admins and get your reports ignored.

How do you handle the same issue?

Cheers


Title: Re: Abuse proceed?
Post by: vijay2 on April 16, 2009, 06:24:19 AM
I know that it can be tough, but I tend to use the classic 3 strike rule.

Ignore the first time unless it's blatantly clear that someone was trying to hack you. Second time, put it on the radar, and third time inform the party.

Of course this requires good log management and correlation stuff, but if you don't have that in place... then I guess you are really not sure what is in or getting into your network.

Hope this helps

VJ
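The three-strike rule VJ describes, written up as an added example that is not from the thread: constructed IDS events are collapsed into incidents per source (a burst within one hour is one strike, not three), a blatant attack skips the count, and each source ends up as ignore, watch or report. Event tuples, the one-hour window and the IP addresses are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IDS events, not taken from the thread:
# (timestamp, source IP, signature, blatant_attack)
EVENTS = [
    ("2009-04-10 02:14:00", "198.51.100.7", "SSH brute force", False),
    ("2009-04-12 11:02:00", "198.51.100.7", "SSH brute force", False),
    ("2009-04-15 23:40:00", "198.51.100.7", "Web vuln scanner", False),
    ("2009-04-16 01:05:00", "203.0.113.9", "Port sweep", False),
    ("2009-04-16 01:06:30", "203.0.113.9", "Port sweep", False),  # same burst
    ("2009-04-16 04:00:00", "192.0.2.55", "Shell upload attempt", True),
]

# Events from one source within this window of the incident start count as
# one incident ("strike"), so a single noisy burst is not three strikes.
INCIDENT_WINDOW = timedelta(hours=1)

ACTIONS = {1: "ignore", 2: "watch"}  # three or more strikes -> "report"


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def count_strikes(events):
    """Return {source_ip: (strike_count, blatant_seen)} after collapsing bursts."""
    by_src = defaultdict(list)
    for ts, src, sig, blatant in events:
        by_src[src].append((parse(ts), sig, blatant))
    result = {}
    for src, items in by_src.items():
        items.sort()  # chronological order per source
        strikes, incident_start, blatant_seen = 0, None, False
        for when, _sig, blatant in items:
            if incident_start is None or when - incident_start > INCIDENT_WINDOW:
                strikes += 1
                incident_start = when
            blatant_seen = blatant_seen or blatant
        result[src] = (strikes, blatant_seen)
    return result


def decide(events):
    """Map each source IP to ignore / watch / report under the three-strike rule."""
    decisions = {}
    for src, (strikes, blatant) in count_strikes(events).items():
        # A blatant attack is reported on the first strike, as VJ's exception says.
        decisions[src] = "report" if blatant else ACTIONS.get(strikes, "report")
    return decisions


if __name__ == "__main__":
    for src, action in sorted(decide(EVENTS).items()):
        print(f"{src:15} -> {action}")
```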


Title: Re: Abuse proceed?
Post by: Andrew Waite on April 16, 2009, 10:10:00 AM
Thanks for the response VJ,

I had a feeling that it would be something similar to that when I couldn't come up with any hard and fast rules. Looks like it's back to gut instinct.



Title: Re: Abuse proceed?
Post by: timmedin on April 16, 2009, 08:49:07 PM
I tried so many times to contact people and I have given up. I was gung ho when I first started and wanted to help save the world; sadly, the world doesn't care, or is full of peons or bureaucracy, and no one ever responded or did anything. I did have one response, but no follow-up and no resolution. Sadly, I have become cynical and decided to save myself the time, and gave up contacting people.


Title: Re: Abuse proceed?
Post by: Ketchup on April 16, 2009, 09:04:27 PM
I think that the answer is to hack them back  ;D


Title: Re: Abuse proceed?
Post by: Andrew Waite on April 17, 2009, 03:02:09 AM
I think that the answer is to hack them back  ;D
hadn't thought of that, where'd I leave db_autopwn?..... ;)

I tried so many times to contact people and I have given up. I was gung ho when I first started and wanted to help save the world; sadly, the world doesn't care, or is full of peons or bureaucracy, and no one ever responded or did anything. I did have one response, but no follow-up and no resolution. Sadly, I have become cynical and decided to save myself the time, and gave up contacting people.
The optimist in me wants to think you're wrong, the pessimist thinks you've just hit the nail on the head.

Cheers guys.


Title: Re: Abuse proceed?
Post by: Data_Raid on April 22, 2009, 07:31:17 AM
I think that the answer is to hack them back  ;D
hadn't thought of that, where'd I leave db_autopwn?..... ;)

I tried so many times to contact people and I have given up. I was gung ho when I first started and wanted to help save the world; sadly, the world doesn't care, or is full of peons or bureaucracy, and no one ever responded or did anything. I did have one response, but no follow-up and no resolution. Sadly, I have become cynical and decided to save myself the time, and gave up contacting people.
The optimist in me wants to think you're wrong, the pessimist thinks you've just hit the nail on the head.

Cheers guys.

Sadly, I have had this problem myself: proof of abuse, logs, and even emails with IP addresses recorded, and they always tracked back to the same ISP. I sent two emails of complaint to the ISP at various email addresses and never even got a reply!


Title: Re: Abuse proceed?
Post by: Ketchup on April 22, 2009, 08:52:31 AM
The following article suggests contacting the upstream ISP and possibly a CERT if contacting the directly involved ISP fails. All of these small ISPs should have an upstream provider.

http://www.security-forums.com/viewtopic.php?t=2943


Title: Re: Abuse proceed?
Post by: don on April 22, 2009, 09:53:18 AM
Great suggestion.


Title: Re: Abuse proceed?
Post by: Andrew Waite on April 23, 2009, 03:04:02 AM
Great article, Ketchup,

thanks for sharing :D