Hopefully you've read the kick-off (http://isc.sans.edu/diary.html?storyid=9637) and have looked a bit at your logs. Perhaps you've worked out what the cost of Slammer is to your network on the back of a napkin. In most instances it probably would cover the price of your lunch, or it's enough to justify the small amount of time this exercise will cost you. Create a simple spreadsheet listing the IP addresses that have been hitting your perimeter. You'll want to track who the abuse contacts for that network are, when you send your notice, and what kind of response you get (we'll add more columns later this week). Next you'll be running a few WHOIS requests. Everyone has a favorite way to do this (send in your comments on what you think is the easiest way to pull abuse contact information). Depending on your resources, you may have time to tackle all of them; others may only have time to handle 25 or so. Everyone should try at least ten, if only to get a good sample of the different types of response that you get from your first efforts. Just remember that there are a lot of people doing this along with you this month. When you compose your first message I want you to keep a few things in mind:
Feel free to cite these diary entries or use us as a reference. Tom Liston has other (humorous) tips on how to make an abuse report here: http://isc.sans.edu/diary.html?storyid=9325 Take a few minutes to reach out. Statistically speaking, you're most likely to get no response or an error message (we'll cover how to proceed in those cases later), so don't be daunted or give up because of that. -KL
Kevin Liston, ISC Handler, Oct 4th 2010
Re: whois &c. I like robtex (www.robtex.com/) for digging into all sorts of details of an IP or of a domain. Use it a lot since the !@#^ security guys have straight whois blocked.
Hal, Oct 4th 2010
At the moment I am a fan of abusix.org (go to: "what we do"). Very nicely scriptable.
And: I am a fan of "nfsen". Still working on my script/blog.
Jens, Oct 4th 2010
abusix.org looks like it will be a very useful service when it comes out of beta, however at the moment the data appears to be somewhat stale.
Just this morning I was reporting Slammer activity from 78.100.65.132, and "whois 78.100.65.132" reports different (and presumably fresher and more accurate) results than "dig +short txt 132.65.100.78.abuse-contacts.abusix.org" does. That said, I sincerely hope abusix.org irons out all the warts - for automated abuse reporting I would _much_ rather do a DNS TXT query than doing a whois lookup and parsing the results.

My current TCP tarpit report:

23/tcp: 1 host(s), 1 connection(s)
  1 123.212.190.100
1080/tcp: 1 host(s), 1 connection(s)
  1 220.64.140.230
1433/tcp (MSSQL): 3 host(s), 1269 connection(s)
  32 78.100.65.132
  218 80.36.138.80
  1019 201.242.106.199
2967/tcp: 1 host(s), 4 connection(s)
  4 200.88.113.10
3389/tcp: 3 host(s), 11 connection(s)
  1 69.172.34.114
  3 84.62.183.27
  7 60.190.69.103
4899/tcp: 1 host(s), 1 connection(s)
  1 95.14.182.164
5900/tcp: 1 host(s), 1 connection(s)
  1 208.109.91.114
8080/tcp (PHP scans): 1 host(s), 1 connection(s)
  1 58.215.78.201
8081/tcp (referrer spam): 1 host(s), 8 connection(s)
  8 174.37.65.204
John Hardin, Oct 29th 2010
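An added example (not code from the diary or from any commenter) that turns the workflow above into a script: it parses a tarpit report in the format posted above into the spreadsheet rows the diary asks for, derives the reversed-octet abusix DNS name for each IP (the "dig +short txt 132.65.100.78.abuse-contacts.abusix.org" form), and pulls abuse addresses out of whois output. The report text, whois text and addresses are constructed samples; the abuse-mailbox / OrgAbuseEmail field names are the RIPE and ARIN conventions, and the whois lookup is passed in as a callable so the script runs offline.

```python
import ipaddress
import re

# Constructed sample in the tarpit-report format above (documentation addresses, not real hits).
SAMPLE_REPORT = """\
1433/tcp (MSSQL): 2 host(s), 250 connection(s)
  32 198.51.100.7
  218 203.0.113.9
3389/tcp: 1 host(s), 3 connection(s)
  3 192.0.2.44
"""

# Constructed whois-style output; field names follow RIPE (abuse-mailbox) and ARIN (OrgAbuseEmail).
SAMPLE_WHOIS = """\
inetnum:        198.51.100.0 - 198.51.100.255
abuse-mailbox:  abuse@isp.example
OrgAbuseEmail:  abuse@isp.example
"""

HEADER = re.compile(r"^(\d+)/tcp(?: \(([^)]*)\))?: (\d+) host\(s\), (\d+) connection\(s\)$")
HOST = re.compile(r"^\s+(\d+) (\d{1,3}(?:\.\d{1,3}){3})$")


def abusix_query_name(ip: str) -> str:
    """DNS name for abusix's contact DB: IPv4 octets reversed under abuse-contacts.abusix.org."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # validates and normalises the address
    return ".".join(reversed(octets)) + ".abuse-contacts.abusix.org"


def parse_tarpit_report(text: str) -> list:
    """One row per attacking host: port, service label (may be empty), ip, connection count."""
    rows, port, service = [], None, ""
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            port, service = int(m.group(1)), m.group(2) or ""
            continue
        m = HOST.match(line)
        if m and port is not None:
            rows.append({"port": port, "service": service, "ip": m.group(2), "connections": int(m.group(1))})
    return rows


def abuse_contacts_from_whois(text: str) -> list:
    """Abuse addresses from whois output (abuse-mailbox / OrgAbuseEmail fields), de-duplicated."""
    return sorted(set(re.findall(r"(?im)^(?:abuse-mailbox|OrgAbuseEmail):\s*(\S+@\S+)", text)))


def tracking_rows(report_text: str, whois_lookup) -> list:
    """Spreadsheet rows: host data, abusix query name, abuse contacts, blank notice/response columns.
    whois_lookup(ip) returns raw whois text; e.g. subprocess.run(["whois", ip], ...).stdout in real use."""
    out = []
    for r in parse_tarpit_report(report_text):
        contacts = abuse_contacts_from_whois(whois_lookup(r["ip"]))
        out.append({**r, "abusix_query": abusix_query_name(r["ip"]),
                    "abuse_contacts": ";".join(contacts), "notice_sent": "", "response": ""})
    return out
```

Feed the rows to csv.DictWriter to get the spreadsheet the diary describes; the notice_sent and response columns are filled in as the reports go out.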