[anti-abuse-wg] central whois

Benedikt Stockebrand wrote:
> Frank Gadegast <ripe-anti-spam-wg at powerweb.de> writes:
>
>> Dont get the point here.
>
> Obviously you don't.
>
>> If you get attacked with a whatever flood, you see the sender IP.
>
> You see the IP that the sender has configured.  To spell it out just for

Did you ever configured Netflow in your backbone ?
and have backbone partners that also have Netflow ?
You can then easily follow where its really coming from.

> you: If someone configures a box to use the address 62.67.229.200 and
> then flood pings some poor soul using that address as source, who will
> then get all the abuse mails you want people to force to read?  Hint:
>
>    $ dig +noall +answer www.powerweb.de any
>    www.powerweb.de.        500     IN      MX      200 mail.berlin3.powerweb.de.
>    www.powerweb.de.        500     IN      MX      100 mail.powerweb.de.
>    www.powerweb.de.        500     IN      A       62.67.229.200
>
> Now do that with an entire botnet and see what happens.

You can with ping or other packets, when you actually do not
want any packet to return to you, but with spam ?
Hacking ? TCP-flodding, password-harvesting ?
No way, this is two-way, they need to expose the originating IP.
And Anti-DDoS-Protection is then quite easy.

>  Or do you have
> any plans you didn't share yet on how to prevent attackers from using
> this for a new kind of Joe job?

admins allowing ICMP to float into their backbone are, aeh, stupid.

>>> Your entire chain of reasoning relies on the fact that whatever IP
>>> address from an attacker your end users find in their logs identifies
>>> the abuse-c to contact.
>>
>> Sure, end user arent normally able to find the IP, but there
>> are already tools and plugins to do this.
>
> So, more mails to abuse at powerweb.de.

Not at all.
Your getting personal here, so a personal answer.

There is no spam leaving our address space and nearly no other
abuse problems (maybe a badly administered webspace gets hacked
once or twice a year, but then Im really happy about every report
I do get to find more details, but we usally find and repair these kind
of problems BEFORE any report or complaint is reaching us).

So: clean network, no work.

Because you got personal, here a little homework:
try and find any of our IP addresses on a blacklist ...

BTW: checked (probably one of some) /28, that your using and found
3 IPs on only one blacklist nobody is really using, you shouldnt get
too many mails for that (probably because your arent the abuse-contact
for that block yourself, but your ISP is :o).

And suprise, suprise, no spam ever reached us from your ISPs
networks, impressive. They shouldnt get so many complaints either ...

>  Which of course, since you want to
> force other people to read their abuse-c mail address, you will all read
> yourself.

Sure, I like that, and its not too much for me to read about 10 mails
a year, and even reply to those 5 that think the abuse was coming
from us, explaining them that it wasnt and why it wasnt.

> And if that's not enough to keep you busy: Maybe somebody with basic
> scripting skills takes your approach even a bit further and links
> his/her packet filter to script that stuffs every such packet in a mail
> to the "responsible" abuse-c.  Happy reading.

Happy filtering ...

>> And I still think that a central whois makes it easy to find
>> the right contact, for end users, semi-professionals and pros ...
>
> And the "right contact" is whoever holds the IP address used as source
> for some sort of attack or whatever.  This is so immensely clever I'm
> absolutely speechless.

How often does that really happen, aeh ?
Compared to all those bots where precise reports get send to the right
person, but who simply do nothing and then complain about "so many
reports". Again, clean, close and protect your network, educated
your customers, clean your hacked homepages, kill the bots together
with your customers and your done.
You will not get a lot to read anymore ...


Kind regards, Frank