I will rather prefer an IETF standard for abuse reporting ... already thought about starting it several times ... sooner or later I will write down something, so maybe some other people interested to co-author?

Regards,
Jordi

On 25/4/19 16:14, "anti-abuse-wg on behalf of ac" <anti-abuse-wg-bounces@ripe.net on behalf of ac@main.me> wrote:

> On Thu, 25 Apr 2019 14:06:39 +0200 JORDI PALET MARTINEZ via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote:
>
> > Reading the article in a minute !
> > However, as an information pointer I've some data ...
> > I've a VM with asterisk at home, and every day I've to ban (I use fail2ban to do it automatically after 3 failed attempts from the same IP), average about 20 IPs attempting to use my SIP service to my provider. This turns into 100 per day in the office (average).
> > Of course, if they succeed, they can make "free" calls that I need to pay from my pocket ... So, I report automatically those attempts (once banned), including the logs, to the abuse contacts of the IP holder.
> > Some of them just don't care, unfortunately, as many abuse contacts just don't work, or the mailboxes aren't being read, or they respond that you must fill in a form.
> >
> > Regards,
> > Jordi
>
> this is something very worthy of discussion, listing services has always existed for dynamic blocks, email abuse, bad neighborhood etc etc - and these lists are reflected/delivered/offered as rbl, dnsbl, wrbl, text, sql, etc etc - imho, the latest trends are weird as the generic lists are becoming too generic and specific or specialisation is the "next big thingTM" - as in not unicorny big but tech useful (mostly free) big...
>
> As an example of this, a combined email rbl (which also contains certain dynamic ranges known for not filtering egress) would be completely (or mostly) useless for filtering IP on SIP (or even brute) and a comment form rbl would be well suited for iptables on a web server...
>
> My latest new and shiny big idea is:
>
> I have an idea and a plan to dev a dynamic ip use dnsl which will return a flag on query...
>
> The idea is that any device would receive a code when querying a RR.
>
> The result on query would be multi-digit and reflect the known data for that resource (examples: User Dynamic/Static - Abuse Reported Y/N - Port of abuse (all(dul)/21/22/25/53/80/443/etc) - Resource holder responsive Y/N - etc etc etc
>
> The further idea is to have exchangeable data streams so that the query (as well as the IPv4/6 of the query) becomes a data provider and then the reporting can be automated (or not) depending on the resource holder itself...
>
> What do you think?
>
> Kind Regards
> Andre

**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company
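The multi-digit DNS list answer sketched in the quoted message, worked through as an added example (not code from the thread or from any existing list): the query name is built in the usual DNSBL reverse notation, the answer packs the "known data" fields into an A record, and a per-service consumer such as a SIP server only acts on entries relevant to its own port. The layout 127.0.<flags>.<port_code>, the zone name dnsl.example and the port codes are all assumptions.

```python
import ipaddress

# Assumed layout (the thread fixes no format): the list answers with an A record
# 127.0.<flags>.<port_code>; the zone name "dnsl.example" is a placeholder.
ZONE = "dnsl.example"
FLAG_DYNAMIC = 1            # User Dynamic (set) / Static (clear)
FLAG_ABUSE_REPORTED = 2     # Abuse Reported Y/N
FLAG_HOLDER_RESPONSIVE = 4  # Resource holder responsive Y/N
# Port of abuse: 0 = all ports (DUL style), otherwise one small code per service port
PORT_CODES = {"all": 0, 21: 1, 22: 2, 25: 3, 53: 4, 80: 5, 443: 6, 5060: 7}
CODE_PORTS = {code: port for port, code in PORT_CODES.items()}

def query_name(ip):
    """Reverse-notation query name as DNSBLs use it: octets for v4, nibbles for v6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + ZONE

def encode_answer(dynamic, abuse_reported, holder_responsive, port="all"):
    """Pack the known data for a resource into the A-record answer the list would return."""
    flags = ((FLAG_DYNAMIC if dynamic else 0)
             | (FLAG_ABUSE_REPORTED if abuse_reported else 0)
             | (FLAG_HOLDER_RESPONSIVE if holder_responsive else 0))
    return f"127.0.{flags}.{PORT_CODES[port]}"

def decode_answer(answer):
    """Unpack an answer; anything outside the assumed 127.0.x.y layout is rejected."""
    octets = [int(o) for o in answer.split(".")]
    if len(octets) != 4 or octets[:2] != [127, 0] or octets[3] not in CODE_PORTS:
        raise ValueError("not a valid list answer: " + answer)
    flags = octets[2]
    return {"dynamic": bool(flags & FLAG_DYNAMIC),
            "abuse_reported": bool(flags & FLAG_ABUSE_REPORTED),
            "holder_responsive": bool(flags & FLAG_HOLDER_RESPONSIVE),
            "port": CODE_PORTS[octets[3]]}

def should_block(answer, service_port):
    """Per-service policy: a SIP server acts only on abuse reported for SIP or for all
    ports, so an entry listed for mail (25) does not block a SIP peer. None = NXDOMAIN."""
    if answer is None:
        return False
    info = decode_answer(answer)
    return info["abuse_reported"] and info["port"] in ("all", service_port)
```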
On Thu, 25 Apr 2019 16:45:18 +0200 JORDI PALET MARTINEZ via anti-abuse-wg <anti-abuse-wg@ripe.net> wrote:
> I will rather prefer an IETF standard for abuse reporting ... already thought about starting it several times ... sooner or later I will write down something, so maybe some other people interested to co-author?
>
> Regards,
> Jordi
I have been thinking around the same lines as then I can add the protocols in the initial PS to also include the resolver library use case I mentioned, - unless it gets kicked in the maturity track :)

I kinda like the idea of using a dnsl in a two way for reporting as well, I think it is sliced bread good :)

ietf/rfc/ps: you will recall that I already started talking about a definition of abuse a while ago (in this group, I think... - the idea then was the rfc route...)

anyhoo, mail me off list when/if we do this :)

Kind Regards
Andre
On 25-04-2019 16:45 +0200, JORDI PALET MARTINEZ wrote:
> I will rather prefer an IETF standard for abuse reporting ... already thought about starting it several times ... sooner or later I will write down something, so maybe some other people interested to co-author?
>
> Regards,
> Jordi
Hello Jordi

I would also be interested in having a standard for reporting abuses. There is X-ARF but it isn't able to encode certain information, such as multiple log entries for the same incident, or the only way to do so would be extremely verbose, to the point of being impractical if the recipient is not a bot.

Best regards

--
INCIBE-CERT - CERT of the Spanish National Cybersecurity Institute
https://www.incibe-cert.es/
PGP Keys: https://www.incibe-cert.es/en/what-is-incibe-cert/pgp-public-keys
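An added example, not code from the thread, tying the two points together: the fail2ban-style procedure described earlier (ban after 3 failed attempts from the same IP, then report with the logs) and the point above that a report must carry every log entry of one incident. It counts failed SIP authentication events per remote address and builds one report per offending IP with all its evidence lines attached. The log lines are constructed in the style of Asterisk's security log; the threshold and event names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of Asterisk's security log (not real traffic).
SAMPLE_LOG = """\
[2019-04-25 14:01:02] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",AccountID="1001",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[2019-04-25 14:01:03] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",AccountID="1001",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[2019-04-25 14:01:05] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="SIP",AccountID="admin",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
[2019-04-25 14:01:06] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="SIP",AccountID="1002",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[2019-04-25 14:01:09] SECURITY[1234] res_security_log.c: SecurityEvent="SuccessfulAuth",Severity="Informational",Service="SIP",AccountID="1001",RemoteAddress="IPV6/UDP/2001:db8::9/5060"
[2019-04-25 14:01:11] SECURITY[1234] res_security_log.c: SecurityEvent="ChallengeResponseFailed",Severity="Error",Service="SIP",AccountID="1001",RemoteAddress="IPV6/UDP/2001:db8::9/5060"
[2019-04-25 14:01:14] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",AccountID="1003",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
"""

THRESHOLD = 3  # ban after 3 failed attempts from the same IP, as in the thread (assumed)
FAIL_EVENTS = {"InvalidPassword", "InvalidAccountID", "ChallengeResponseFailed"}
LINE_RE = re.compile(r'SecurityEvent="(?P<event>[^"]+)".*?'
                     r'RemoteAddress="IPV[46]/\w+/(?P<ip>[^/"]+)/\d+"')

def failed_attempts(log_text):
    """Group failed SIP authentication events by remote IP, keeping the raw log lines."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("event") in FAIL_EVENTS:
            by_ip[m.group("ip")].append(line)
    return by_ip

def build_reports(log_text, threshold=THRESHOLD):
    """One report per IP at or over the threshold; each carries every log entry of the incident."""
    reports = []
    for ip, lines in sorted(failed_attempts(log_text).items()):
        if len(lines) >= threshold:
            reports.append({"ip": ip, "service": "SIP", "attempts": len(lines), "evidence": lines})
    return reports

def render_report(report):
    """Plain-text body for the abuse contact: one header, then all evidence lines once."""
    head = f"Abuse report: {report['attempts']} failed SIP authentication attempts from {report['ip']}\n"
    return head + "\n".join(report["evidence"]) + "\n"
```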
Hi all,

To avoid unnecessary noise in the list, I think we should handle this in pvt. At the moment, I've got emails from Andre, Angel and Jan about this. I will try to work during this weekend in investigating if there is already an IETF WG that may be a fit for this work, or alternatively will discuss with the IESG about a BoF for it. ASAP I've a clear view on this, I will inform all those interested, maybe it is also appropriate then a short "summary" message in this list.

Regards,
Jordi

On 25/4/19 18:12, "Ángel González Berdasco" <angel.gonzalez@incibe.es> wrote:

> On 25-04-2019 16:45 +0200, JORDI PALET MARTINEZ wrote:
> > I will rather prefer an IETF standard for abuse reporting ... already thought about starting it several times ... sooner or later I will write down something, so maybe some other people interested to co-author?
> >
> > Regards,
> > Jordi
>
> Hello Jordi
>
> I would also be interested in having a standard for reporting abuses. There is X-ARF but it isn't able to encode certain information, such as multiple log entries for the same incident, or the only way to do so would be extremely verbose, to the point of being impractical if the recipient is not a bot.
Participants (3): ac, JORDI PALET MARTINEZ, Ángel González Berdasco