This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] Adding a "Security Information" contact?
- Previous message (by thread): [anti-abuse-wg] Adding a "Security Information" contact?
- Next message (by thread): [anti-abuse-wg] Reclamation of Number Resources
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Alessandro Vesely
vesely at tana.it
Wed Jul 6 12:30:49 CEST 2022
Hi Max,

thank you for your reply and explanations. Some more comments/questions inline:

On Sun 03/Jul/2022 23:25:28 +0200 Max Grobecker wrote:
> On 20.06.22 at 18:04 Alessandro Vesely wrote:
>
>>> Our abuse mailbox is not overflowing with these, of course, but it
>>> makes semi-automated handling a bit painful. For example, we would
>>> like to forward this information to our customers, but we won't
>>> need to take further action on this, because we refuse to break
>>> into the offices of our customers at night and patch their software.
>>
>> Sorry to bother, but I hardly got that. Are these IP-driven
>> messages? Don't CERTs look up the abuse address with RDAP or WHOIS?
>
> The reports we get from CERT-BUND are highly IP focused. I cited one
> of these reports as an example at the end of this mail.
> In general, I think these organizations we get mail from are
> downloading the database from RIPE and are using an offline version.

It is very expensive. Do you think they only do European IPs, or do they have specialized procedures for each RIR? Perhaps RIPE provides for maintaining remote copies of the database, but a caching RDAP tool would be more standards-compliant.

>> Why doesn't the abuse address point (in)directly to the relevant IP
>> user? That is, what's wrong in automatically forwarding CERT's
>> security notices? I cannot understand how doing so entails
>> obligations to reach the customer's premises at night.
>
> If I point the abuse address directly to an address controlled by the
> customer, I don't get any notices - regardless of security information
> or real abuse.
> And I'm interested in the latter one, as I want to stop the abuse, of
> course ;-)
> Therefore all abuse reports are handled by our internal system to be
> automatically escalated to the appropriate internal and external
> contacts.

What I'd be curious to know is whether automatic escalation is based on per-customer abuse addresses or on parsing message contents looking for IPs.

A per-customer address is something like asn65535 at bc.grobecker.info or ip192.0.2.8/29 at sc.grobecker.info, which can be forwarded to the relevant (big or small) customer without actually opening the messages, but still maintaining a copy of them. Doing so requires more work for maintaining the database, but less work for forwarding messages.

> But for notices like "Oh, we think there might be a vulnerable service
> reachable on that IP" we don't want that whole escalation thing.
> Also, most of these notices contain a list of addresses, but
> sometimes these lists are not stably parseable because there seems to
> be no standardized format.
> Reports we receive from CERT-BUND come with a CSV file which we are
> able to parse - but in the last months several other new services
> have appeared with their own data formats, and I suspect there will be more.

And the CSVs refer to multiple customers?

> If I could "route" these reports directly to the customer, this would
> improve reporting speed and keep these away from our regular abuse
> desk with escalations and all that stuff.

I understand you don't want your abuse desk to get involved in checking whether, for example, an open DNS does in fact amplify queries if it is open. Is that the difference between forward and escalate?

Using a different field entails the extra burden to educate organizations like CERT-BUND to use the appropriate reporting address based on the kind of report. For RDAP, those addresses could be tagged as less preferred. Some RIRs do so, leaving the actual meaning a bit obscure, though. Alternatively, RFC 7483 provides for a "notifications" role, which in theory applies to an associated object.

Best
Ale
--
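The per-customer routing idea and the multi-customer CSV question discussed in the message above, worked through as an added example (this is not code from Ale, Max, or any RIPE or CERT tooling): each row of an IP-keyed CSV notice is matched by longest prefix against a customer table and grouped under a per-customer address in the two styles the mail sketches (ASN-based or prefix-based local part), so a notice covering several customers can be split and forwarded without anyone opening it, while rows that match no customer fall back to the regular abuse desk. The customer table, the domains sc.example.net / bc.example.net / example.net, and the CSV column layout are all constructed assumptions, not any CERT's real report format.

```python
"""Route IP-keyed security notices to per-customer addresses.

Added example: given a prefix table of customers, each row of a
multi-customer CSV notice is routed by longest-prefix match to the
per-customer address, so the report can be forwarded without a human
opening it; rows that match no customer fall back to the abuse desk.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed customer table (assumption, not a real provider's data).
# Local parts follow the two styles sketched in the mail: an ASN for a
# BGP customer, a prefix for a static-assignment customer. Domains are
# assumed. "/" is legal in an unquoted local part (RFC 5322 atext).
CUSTOMER_PREFIXES = {
    "192.0.2.0/24": "ip192.0.2.0/24@sc.example.net",
    "192.0.2.8/29": "ip192.0.2.8/29@sc.example.net",  # more specific, wins over /24
    "198.51.100.0/24": "ip198.51.100.0/24@sc.example.net",
    "2001:db8::/32": "asn64496@bc.example.net",  # documentation ASN, RFC 5398
}
# Assumed address of the regular abuse desk, for rows no customer owns.
FALLBACK = "abuse@example.net"

_NETWORKS = [(ipaddress.ip_network(p), a) for p, a in CUSTOMER_PREFIXES.items()]


def route_address(ip_text):
    """Longest-prefix match ip_text against the customer table.

    Returns the per-customer address, or FALLBACK when the field is not an
    IP address or no customer prefix contains it.
    """
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return FALLBACK  # unparseable field: a human should look at it
    best = None
    for net, addr in _NETWORKS:
        # "in" is False across address families, so v4/v6 mixing is safe.
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, addr)
    return best[1] if best else FALLBACK


def split_report(csv_text, ip_column="ip"):
    """Split one CSV notice into {destination address: CSV text of its rows}.

    The header row is kept in every part so each forwarded file stays
    self-describing.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    if not reader.fieldnames or ip_column not in reader.fieldnames:
        raise ValueError(f"report has no {ip_column!r} column: {reader.fieldnames}")
    rows_by_dest = defaultdict(list)
    for row in reader:
        rows_by_dest[route_address(row[ip_column] or "")].append(row)
    parts = {}
    for dest, rows in rows_by_dest.items():
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=reader.fieldnames, lineterminator="\n")
        writer.writeheader()
        writer.writerows(rows)
        parts[dest] = buf.getvalue()
    return parts


# Constructed sample notice; the column layout is an assumption, not any
# CERT's real format.
SAMPLE_REPORT = """ip,port,service,observed
192.0.2.9,53,open-resolver,2022-07-01T10:00:00Z
192.0.2.200,123,open-ntp,2022-07-01T10:05:00Z
198.51.100.7,1900,open-ssdp,2022-07-01T10:06:00Z
2001:db8::1,11211,open-memcached,2022-07-01T10:07:00Z
203.0.113.5,53,open-resolver,2022-07-01T10:09:00Z
"""

if __name__ == "__main__":
    for dest, body in split_report(SAMPLE_REPORT).items():
        print(f"--> {dest}\n{body}")
```

Because the split happens on the IP column alone, the "forward" path never has to interpret what the notice says about the service; anything that cannot be attributed to a customer (an address outside your allocations, a malformed field) ends up at the fallback desk, which is the only place a person needs to look.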