
Abuse proceed?

<<

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Thu Apr 16, 2009 6:14 am

Abuse proceed?

Hi All,

I was looking for a bit of advice regarding abuse reports:

How regularly do you/should you contact third parties to inform them of suspicious/malicious activity coming from one of their machines?
And where do you draw the line between 'noise' and abuse?

We've got various IDSs, honeypots etc. in place that are continually capturing many events sourced from the outside world. Contacting everyone individually/manually takes resources we don't have available, and automating it seems like a good way to annoy other over-worked admins and get your reports ignored.

How do you handle the same issue?

Cheers
<<

vijay2

Full Member

Posts: 220

Joined: Wed Mar 28, 2007 6:22 am

Post Thu Apr 16, 2009 6:24 am

Re: Abuse proceed?

I know that it can be tough, but I tend to use the classic 3 strike rule.

Ignore the first time unless it's blatantly clear that someone was trying to hack you. Second time put it on the radar and third time inform the party.

Of course this requires good log management and correlation stuff, but if you are not having that in place .. then I guess you are really not sure what is in or getting in your network.

Hope this helps

VJ
GPEN GCFA GCIH CISSP CISA GSEC OSCP C|EH Security+
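
The three-strike rule from the post above, sketched as log correlation over sensor events. This is an added example, not part of the original thread; the log format, the definition of a strike as one calendar day with activity, and the `BLATANT` signature set are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events: timestamp, source IP, sensor, signature.
# Source IPs are taken from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = """\
2009-04-13T02:11:09 192.0.2.10 ids portscan
2009-04-13T02:11:40 192.0.2.10 ids portscan
2009-04-14T08:30:00 198.51.100.7 honeypot ssh-bruteforce
2009-04-14T11:00:00 192.0.2.44 ids portscan
2009-04-15T09:02:13 198.51.100.7 honeypot ssh-bruteforce
2009-04-15T23:59:01 203.0.113.5 ids exploit-attempt
2009-04-16T01:45:27 198.51.100.7 ids ssh-bruteforce
2009-04-16T03:00:00 192.0.2.10 ids portscan
"""

# Assumption: signatures treated as "blatantly clear" and reported at once.
BLATANT = {"exploit-attempt"}
ACTIONS = {1: "ignore", 2: "watch"}  # three or more strikes -> "report"

def parse_events(text):
    """Yield (datetime, src_ip, sensor, signature) per well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines rather than miscount
        ts, src, sensor, sig = parts
        yield datetime.fromisoformat(ts), src, sensor, sig

def triage(events):
    """Return {src_ip: action}. A strike is one calendar day with any event
    from that source, so a single noisy burst counts only once."""
    days = defaultdict(set)
    blatant = set()
    for ts, src, _sensor, sig in events:
        days[src].add(ts.date())
        if sig in BLATANT:
            blatant.add(src)
    return {src: "report" if src in blatant
            else ACTIONS.get(len(seen), "report")
            for src, seen in days.items()}

if __name__ == "__main__":
    for src, action in sorted(triage(parse_events(SAMPLE_EVENTS)).items()):
        print(f"{src:15} {action}")
```

Only the sources that come out as "report" would generate an abuse notice; the "watch" set is the radar list.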
<<

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Thu Apr 16, 2009 10:10 am

Re: Abuse proceed?

Thanks for the response VJ,

I had a feeling that it would be something similar to that when I couldn't come up with any hard or fast rules. Looks like it's back to gut instinct.
<<

timmedin

Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Thu Apr 16, 2009 8:49 pm

Re: Abuse proceed?

I tried so many times to contact people and I have given up. I was Gung Ho when I first started and wanted to help save the world, sadly, the world doesn't care or is full of peons or bureaucracy and no one ever responded or did anything. I did have one response, but no follow up and no resolution. Sadly, I have become cynical and decided to save myself the time and gave up contacting people.
twitter.com/timmedin | http://blog.securitywhole.com
<<

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Thu Apr 16, 2009 9:04 pm

Re: Abuse proceed?

I think that the answer is to hack them back  ;D
~~~~~~~~~~~~~~
Ketchup
<<

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Fri Apr 17, 2009 3:02 am

Re: Abuse proceed?

Ketchup wrote: I think that the answer is to hack them back ;D

Hadn't thought of that, where'd I leave db_autopwn?..... ;)

timmedin wrote: I tried so many times to contact people and I have given up. I was Gung Ho when I first started and wanted to help save the world, sadly, the world doesn't care or is full of peons or bureaucracy and no one ever responded or did anything. I did have one response, but no follow up and no resolution. Sadly, I have become cynical and decided to save myself the time and gave up contacting people.

The optimist in me wants to think you're wrong, the pessimist thinks you've just hit the nail on the head.

Cheers guys.
<<

Data_Raid

Full Member

Posts: 165

Joined: Fri Nov 09, 2007 5:55 am

Post Wed Apr 22, 2009 7:31 am

Re: Abuse proceed?

RoleReversal wrote:
Ketchup wrote: I think that the answer is to hack them back ;D

Hadn't thought of that, where'd I leave db_autopwn?..... ;)

timmedin wrote: I tried so many times to contact people and I have given up. I was Gung Ho when I first started and wanted to help save the world, sadly, the world doesn't care or is full of peons or bureaucracy and no one ever responded or did anything. I did have one response, but no follow up and no resolution. Sadly, I have become cynical and decided to save myself the time and gave up contacting people.

The optimist in me wants to think you're wrong, the pessimist thinks you've just hit the nail on the head.

Cheers guys.


Sadly, I have had this problem myself: proof of abuse, logs and even emails with IP addresses recorded, and they always tracked back to the same ISP. I sent two emails of complaint to the ISP at various email addresses and never even got a reply!
All men by nature desire knowledge.

Aristotle
<<

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Wed Apr 22, 2009 8:52 am

Re: Abuse proceed?

The following article suggests contacting the upstream ISP and possibly CERT if contacting the directly involved ISP fails. All of these small ISPs should have an upstream provider.

http://www.security-forums.com/viewtopic.php?t=2943
~~~~~~~~~~~~~~
Ketchup
<<

don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Wed Apr 22, 2009 9:53 am

Re: Abuse proceed?

Great suggestion.
CISSP, MCSE, CSTA, Security+ SME
<<

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Thu Apr 23, 2009 3:04 am

Re: Abuse proceed?

Great article Ketchup,

thanks for sharing :D
