This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] central whois
- Previous message (by thread): [anti-abuse-wg] central whois
- Next message (by thread): [anti-abuse-wg] central whois
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Frank Gadegast
ripe-anti-spam-wg at powerweb.de
Sat Jun 29 14:25:32 CEST 2013
Benedikt Stockebrand wrote: > Frank Gadegast <ripe-anti-spam-wg at powerweb.de> writes: > >> Dont get the point here. > > Obviously you don't. > >> If you get attacked with a whatever flood, you see the sender IP. > > You see the IP that the sender has configured. To spell it out just for Did you ever configured Netflow in your backbone ? and have backbone partners that also have Netflow ? You can then easily follow where its really coming from. > you: If someone configures a box to use the address 62.67.229.200 and > then flood pings some poor soul using that address as source, who will > then get all the abuse mails you want people to force to read? Hint: > > $ dig +noall +answer www.powerweb.de any > www.powerweb.de. 500 IN MX 200 mail.berlin3.powerweb.de. > www.powerweb.de. 500 IN MX 100 mail.powerweb.de. > www.powerweb.de. 500 IN A 62.67.229.200 > > Now do that with an entire botnet and see what happens. You can with ping or other packets, when you actually do not want any packet to return to you, but with spam ? Hacking ? TCP-flodding, password-harvesting ? No way, this is two-way, they need to expose the originating IP. And Anti-DDoS-Protection is then quite easy. > Or do you have > any plans you didn't share yet on how to prevent attackers from using > this for a new kind of Joe job? admins allowing ICMP to float into their backbone are, aeh, stupid. >>> Your entire chain of reasoning relies on the fact that whatever IP >>> address from an attacker your end users find in their logs identifies >>> the abuse-c to contact. >> >> Sure, end user arent normally able to find the IP, but there >> are already tools and plugins to do this. > > So, more mails to abuse at powerweb.de. Not at all. Your getting personal here, so a personal answer. There is no spam leaving our address space and nearly no other abuse problems (maybe a badly administered webspace gets hacked once or twice a year, but then Im really happy about every report I do get to find more details, but we usally find and repair these kind of problems BEFORE any report or complaint is reaching us). So: clean network, no work. Because you got personal, here a little homework: try and find any of our IP addresses on a blacklist ... BTW: checked (probably one of some) /28, that your using and found 3 IPs on only one blacklist nobody is really using, you shouldnt get too many mails for that (probably because your arent the abuse-contact for that block yourself, but your ISP is :o). And suprise, suprise, no spam ever reached us from your ISPs networks, impressive. They shouldnt get so many complaints either ... > Which of course, since you want to > force other people to read their abuse-c mail address, you will all read > yourself. Sure, I like that, and its not too much for me to read about 10 mails a year, and even reply to those 5 that think the abuse was coming from us, explaining them that it wasnt and why it wasnt. > And if that's not enough to keep you busy: Maybe somebody with basic > scripting skills takes your approach even a bit further and links > his/her packet filter to script that stuffs every such packet in a mail > to the "responsible" abuse-c. Happy reading. Happy filtering ... >> And I still think that a central whois makes it easy to find >> the right contact, for end users, semi-professionals and pros ... > > And the "right contact" is whoever holds the IP address used as source > for some sort of attack or whatever. This is so immensely clever I'm > absolutely speechless. How often does that really happen, aeh ? Compared to all those bots where precise reports get send to the right person, but who simply do nothing and then complain about "so many reports". Again, clean, close and protect your network, educated your customers, clean your hacked homepages, kill the bots together with your customers and your done. You will not get a lot to read anymore ... Kind regards, Frank
- Previous message (by thread): [anti-abuse-wg] central whois
- Next message (by thread): [anti-abuse-wg] central whois
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]