Hi Alessandro,

On 20.06.22 at 18:04, Alessandro Vesely wrote:
>> Our abuse mailbox is not overflowing with these, of course, but it makes semi-automated handling a bit painful. For example, we would like to forward this information to our customers, but we won't need to take further action on this, because we refuse to break into the offices of our customers at night and patch their software.
>
> Sorry to bother, but I hardly got that. Are these IP-driven messages? Don't CERTs look up the abuse address with RDAP or WHOIS?
The reports we get from CERT-Bund are highly IP-focused. I cited one of these reports as an example at the end of this mail. In general, I think the organizations we get mail from are downloading the database from RIPE and are using an offline version.
> Why doesn't the abuse address point (in)directly to the relevant IP user? That is, what's wrong in automatically forwarding CERT's security notices? I cannot understand how doing so entails obligations to reach the customer's premises at night.
If I point the abuse address directly to an address controlled by the customer, I don't get any notices - regardless of security information or real abuse. And I'm interested in the latter, as I want to stop the abuse, of course ;-) Therefore all abuse reports are handled by our internal system to be automatically escalated to the appropriate internal and external contacts. But for notices like "Oh, we think there might be a vulnerable service reachable on that IP" we don't want that whole escalation thing.

Also, most of these notices contain a list of addresses, but sometimes these lists are not reliably parseable because there seems to be no standardized format. Reports we receive from CERT-Bund come with a CSV file which we are able to parse - but in the last months several new services have appeared with their own data formats, and I suspect there will be more. If I could "route" these reports directly to the customer, this would improve reporting speed and keep them away from our regular abuse desk with escalations and all that stuff.

This is one of the mails we more or less regularly get from CERT-Bund, reporting open DNS resolvers:

-------------------------------------------------------------------------------
Dear Sir or Madam,

open DNS resolvers are abused for conducting DDoS reflection/amplification attacks against third parties on a daily basis.

Please find attached a list of open DNS resolvers hosted on your network which can be abused for DDoS reflection/amplification attacks if no countermeasures have been implemented. The timestamp indicates when the open resolver was identified.

We would like to ask you to check if the open resolvers identified on your network are intentionally configured as such and appropriate countermeasures preventing their abuse for DDoS attacks have been implemented.

If you have recently solved the issue but received this notification again, please note the timestamp included below.
You should not receive any further notifications with timestamps after the issue has been solved.

Additional information on this notification, advice on how to fix reported issues and answers to frequently asked questions: <https://reports.cert-bund.de/en/>

This message is digitally signed using PGP. Information on the signature key is available at: <https://reports.cert-bund.de/en/digital-signature>

Please note: This is an automatically generated message. Replies to the sender address <reports@reports.cert-bund.de> will NOT be read but silently discarded. In case of questions, please contact <certbund@bsi.bund.de> and keep the ticket number [CB-Report#...] of this message in the subject line.

!! Please make sure to consult our HOWTOs and FAQ available at
!! <https://reports.cert-bund.de/en/> first.

Kind regards
Team CERT-Bund

Bundesamt für Sicherheit in der Informationstechnik
Federal Office for Information Security (BSI)
Referat OC22 - CERT-Bund
Godesberger Allee 185-189, 53175 Bonn, Germany
-------------------------------------------------------------------------------

And this is the CSV file, IP addresses and ASN replaced with dummy values:

-------------------------------------------------------------------------------
"asn","ip","timestamp"
"65535","192.0.2.1","2022-07-02 00:17:09"
"65535","203.0.113.5","2022-07-02 00:36:42"
"65535","198.51.100.26","2022-07-02 00:49:26"
-------------------------------------------------------------------------------

Greetings,
Max
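As an added illustration of the routing Max describes (not code from the thread or from CERT-Bund), the following parses the attached asn/ip/timestamp CSV, maps each address to a customer contact via a prefix table, and drops sightings whose timestamp predates the recorded fix, following the notification's own rule that only sightings after the fix need attention. The customer table and the resolved-at record are hypothetical; the CSV sample uses the dummy values from the mail.

```python
import csv
import io
import ipaddress
from datetime import datetime

# Constructed sample: the CSV layout CERT-Bund attaches to open-resolver
# notifications, using the dummy values quoted in the mail above.
SAMPLE_CSV = '''"asn","ip","timestamp"
"65535","192.0.2.1","2022-07-02 00:17:09"
"65535","203.0.113.5","2022-07-02 00:36:42"
"65535","198.51.100.26","2022-07-02 00:49:26"
'''

# Hypothetical customer routing table: prefix -> customer contact address.
CUSTOMERS = {
    "192.0.2.0/24": "noc@customer-a.example",
    "203.0.113.0/24": "noc@customer-b.example",
}

# Hypothetical record of when a previously reported IP was marked as fixed.
RESOLVED_AT = {
    "203.0.113.5": datetime(2022, 7, 3, 12, 0, 0),
}

def parse_report(text):
    """Parse the asn/ip/timestamp CSV into (ip, asn, timestamp) tuples."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        ip = ipaddress.ip_address(row["ip"].strip())
        ts = datetime.strptime(row["timestamp"].strip(), "%Y-%m-%d %H:%M:%S")
        rows.append((ip, row["asn"].strip(), ts))
    return rows

def route_report(text, customers=CUSTOMERS, resolved_at=RESOLVED_AT):
    """Group entries by customer contact; skip stale sightings.

    Returns (routed, unrouted): routed maps contact -> list of entries,
    unrouted holds entries matching no known customer prefix."""
    nets = [(ipaddress.ip_network(p), c) for p, c in customers.items()]
    routed, unrouted = {}, []
    for ip, asn, ts in parse_report(text):
        fixed = resolved_at.get(str(ip))
        if fixed is not None and ts <= fixed:
            continue  # seen before the fix time: nothing new to forward
        for net, contact in nets:
            if ip in net:
                routed.setdefault(contact, []).append((str(ip), asn, ts))
                break
        else:
            unrouted.append((str(ip), asn, ts))
    return routed, unrouted
```

Entries left in `unrouted` are the ones that would still fall back to the regular abuse desk.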