Abuse proceed?

    • #3696
      RoleReversal
      Participant

      Hi All,

      I was looking for a bit of advice regarding abuse reports:

      How regularly do you/should you contact third parties to inform them of suspicious/malicious activity coming from one of their machines?
      And where do you draw the line between ‘noise’ and abuse?

      We’ve got various IDSs, honeypots etc. in place that are continually capturing many events sourced from the outside world. Contacting everyone individually/manually takes resources we don’t have available, and automating it seems like a good way to annoy other over-worked admins and get your reports ignored.

      How do you handle the same issue?

      Cheers

    • #23764
      vijay2
      Participant

      I know that it can be tough, but I tend to use the classic 3 strike rule.

      Ignore the first time unless it’s blatantly clear that someone was trying to hack you. Second time put it on the radar and third time inform the party.

      Of course this requires good log management and correlation stuff, but if you do not have that in place... then I guess you are really not sure what is in or getting in your network.

      Hope this helps

      VJ

    • #23765
      RoleReversal
      Participant

      Thanks for the response VJ,

      I had a feeling that it would be something similar to that when I could come up with any hard or fast rules. Looks like it’s back to gut instinct.

    • #23766
      timmedin
      Participant

      I tried so many times to contact people and I have given up. I was Gung Ho when I first started and wanted to help save the world, sadly, the world doesn’t care or is full of peons or bureaucracy and no one ever responded or did anything. I did have one response, but no follow up and no resolution. Sadly, I have become cynical and decided to save myself the time and gave up contacting people.

    • #23767
      Ketchup
      Participant

      I think that the answer is to hack them back  ;D

    • #23768
      RoleReversal
      Participant

      @Ketchup wrote:

      I think that the answer is to hack them back  ;D

      hadn’t thought of that, where’d I leave db_autopwn?….. 😉

      @timmedin wrote:

      I tried so many times to contact people and I have given up. I was Gung Ho when I first started and wanted to help save the world, sadly, the world doesn’t care or is full of peons or bureaucracy and no one ever responded or did anything. I did have one response, but no follow up and no resolution. Sadly, I have become cynical and decided to save myself the time and gave up contacting people.

      The optimist in me wants to think you’re wrong, the pessimist thinks you’ve just hit the nail on the head.

      Cheers guys.

    • #23769
      Data_Raid
      Participant

      @RoleReversal wrote:

      @Ketchup wrote:

      I think that the answer is to hack them back  ;D

      hadn’t thought of that, where’d I leave db_autopwn?….. 😉

      @timmedin wrote:

      I tried so many times to contact people and I have given up. I was Gung Ho when I first started and wanted to help save the world, sadly, the world doesn’t care or is full of peons or bureaucracy and no one ever responded or did anything. I did have one response, but no follow up and no resolution. Sadly, I have become cynical and decided to save myself the time and gave up contacting people.

      The optimist in me wants to think you’re wrong, the pessimist thinks you’ve just hit the nail on the head.

      Cheers guys.

      Sadly, I have had this problem myself, proof of abuse, logs and even emails with IP Addresses recorded and they always tracked back to the same ISP. I sent two emails of complaint to the ISP at various email addresses and never even got a reply!

    • #23770
      Ketchup
      Participant

      The following article suggests contacting the upstream ISP and possibly CERT if contacting the directly involved ISP fails. All of these small ISPs should have an upstream provider.

      http://www.security-forums.com/viewtopic.php?t=2943

    • #23771
      Don Donzal
      Keymaster

      Great suggestion.

    • #23772
      RoleReversal
      Participant

      Great article Ketchup,

      thanks for sharing 😀


Copyright ©2020 Caendra, Inc.
