
Re: What to do with attackers?



On 01:00, Sat 05 Nov 05, Henrique de Moraes Holschuh wrote:
> On Fri, 04 Nov 2005, Thomas wrote:
> > Recently, I can often see brute-force attacks in my ssh logfile.
> > A friend of mine, who has the same ISP, gets the same brute-force attacks.
> > 
> > What would be an adequate reaction to repeated ssh brute-force attacks?
> 
> Once I tried to do something about it, just because I had nothing better to
> do.
> 
> I used whois, found the abuse contact of the relevant domain owners and
> their upstream providers, and emailed them the logs, requesting that they
> inspect why a machine of theirs was trying to attack one of mine.
> 
> Out of the three reports I sent:
> 
>   One was replied to in 5 minutes(!), the attacker had been immediately
>   unplugged, and the machine would be investigated.
> 
>   One was replied to within 3 hours, the attack was being investigated
>   (and I wasn't being probed by them anymore, so I suppose they took it
>   offline as well).
> 
>   One was replied to within 1 day, the server had been reinstalled from
>   scratch and they thanked me about the report.
> 
> So I got proper replies for 100% of the reports I sent, and three zombies
> were put to rest. It is something nice to do if you feel bored.
> 
> -- 
>   "One disk to rule them all, One disk to find them. One disk to bring
>   them all and in the darkness grind them. In the Land of Redmond
>   where the shadows lie." -- The Silicon Valley Tarot
>   Henrique Holschuh

My experience is the opposite. I used to do a whois and search
down the IP address, then mail the abuse reports, taken straight
from my logs. Most email addresses listed are of the type
abuse@suchandsuch; most have automatic replies. Yes, you get a
reply, but after that it's anyone's guess.

Then you have to account for the zombie machines: maybe you
do get a good reply and a decent IP whois lookup, but then
grandma is upset her internet account is blocked because she
did not have the proper setup.

Then you need to account for accurate information on the
lookup sheet: people lie, or put down bogus information, or
it's over a year old and the abuse or technical dude has
quit or been moved and the information is not there.

To me a whois search right now is about worthless, just too
many dang variables that can be changed to hide someone's
intent.

I think the ISP should take more control; after all, why
should I get port-scanned with all the 1026-1027 spam that
is almost all I get now? I think the end user is the wrong
place to have to run spam filters and robust rules just to
keep a sane personal network running.

People like me rely on the ISP for their DHCP IP address, so
why would an ISP allow their routers to forward port scans to
their own IP address net blocks?

Gnu_Raiz
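The log-to-report step both posters describe (pull the failed ssh logins straight from the logs, then send them to the abuse contact found via whois) as an added example that is not part of this thread: a small Python script that parses constructed sshd syslog lines, groups failed logins by source address, and renders a per-source summary that can go into an abuse report. The log lines, hostnames and addresses are constructed sample data; the whois lookup of the abuse contact stays a separate manual step.

```python
import re
from collections import defaultdict

# Constructed sample sshd lines in classic syslog format (not taken from the thread).
SAMPLE_LOG = """\
Nov  4 22:13:01 host sshd[4123]: Failed password for invalid user test from 203.0.113.45 port 51234 ssh2
Nov  4 22:13:04 host sshd[4125]: Failed password for invalid user admin from 203.0.113.45 port 51240 ssh2
Nov  4 22:13:07 host sshd[4127]: Failed password for root from 203.0.113.45 port 51244 ssh2
Nov  4 22:15:30 host sshd[4130]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Nov  4 22:16:02 host sshd[4132]: Failed password for root from 198.51.100.7 port 40030 ssh2
"""

# Matches OpenSSH "Failed password" lines, with or without the "invalid user" prefix.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def summarize_failures(log_text, threshold=3):
    """Return {ip: {count, users, first, last}} for sources with >= threshold failed logins.

    The threshold separates a repeated guessing run from a single mistyped password.
    """
    per_ip = defaultdict(lambda: {"count": 0, "users": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        rec = per_ip[m.group("ip")]
        rec["count"] += 1
        rec["users"].add(m.group("user"))
        rec["first"] = rec["first"] or m.group("ts")
        rec["last"] = m.group("ts")
    return {ip: r for ip, r in per_ip.items() if r["count"] >= threshold}


def abuse_report(summary):
    """Render one plain-text line per source, busiest first, for pasting into an abuse mail."""
    lines = []
    for ip, r in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        lines.append(f"Source {ip}: {r['count']} failed SSH logins between {r['first']} "
                     f"and {r['last']}, usernames tried: {', '.join(sorted(r['users']))}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(abuse_report(summarize_failures(SAMPLE_LOG)))
```

Syslog timestamps carry no year or timezone, so add both by hand before sending; the abuse contact refuses to correlate otherwise.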


