Hi Alessandro,
On 20.06.22 at 18:04, Alessandro Vesely wrote:
>> Our abuse mailbox is not overflowing with these, of course, but it makes
>> semi-automated handling a bit painful. For example, we would like to forward
>> this information to our customers, but we won't need to take further action on
>> this, because we refuse to break into the offices of our customers at night and
>> patch their software.
> sorry to bother, but I hardly got that. Are these IP-driven messages? Don't
> CERTs lookup the abuse address with RDAP or WHOIS?
The reports we get from CERT-BUND are highly IP focused. I cited one of these
reports as an example at the end of this mail.
In general, I think these organizations we get mail from are downloading the
database from RIPE and are using an offline version.
> Why doesn't the abuse address point (in)directly to the relevant IP user? That
> is, what's wrong in automatically forwarding CERT's security notices? I cannot
> understand how doing so entails obligations to reach the customer's premises at
> night.
If I point the abuse address directly to an address controlled by the customer,
I don't get any notices - regardless of security information or real abuse.
And I'm interested in the latter one, as I want to stop the abuse, of course ;-)
Therefore all abuse reports are handled by our internal system to be
automatically escalated to the appropriate internal and external contacts.
But for notices like "Oh, we think there might be a vulnerable service reachable on
that IP" we don't want that whole escalation thing.
Also, most of these notices contain a list of addresses, but sometimes these
lists cannot be parsed reliably because there seems to be no standardized format.
Reports we receive from CERT-BUND come with a CSV file which we are able to
parse, but in the last months several other new services have appeared with their
own data formats, and I suspect more will come.
If I could "route" these reports directly to the customer, this would improve
reporting speed and keep these away from our regular abuse desk with escalations and all
that stuff.
This is one of the mails we more or less regularly get from CERT-BUND,
reporting open DNS resolvers:
-------------------------------------------------------------------------------
Dear Sir or Madam,
open DNS resolvers are abused for conducting DDoS reflection/
amplification attacks against third parties on a daily basis.
Please find attached a list of open DNS resolvers hosted on
your network which can be abused for DDoS reflection/amplification
attacks if no countermeasures have been implemented. The timestamp
indicates when the open resolver was identified.
We would like to ask you to check if the open resolvers identified
on your network are intentionally configured as such and appropriate
countermeasures preventing their abuse for DDoS attacks have been
implemented.
If you have recently solved the issue but received this notification
again, please note the timestamp included below. You should not
receive any further notifications with timestamps after the issue
has been solved.
Additional information on this notification, advice on how to fix
reported issues and answers to frequently asked questions:
<https://reports.cert-bund.de/en/>
This message is digitally signed using PGP.
Information on the signature key is available at:
<https://reports.cert-bund.de/en/digital-signature>
Please note:
This is an automatically generated message. Replies to the
sender address <repo...@reports.cert-bund.de> will NOT be read
but silently be discarded. In case of questions, please contact
<certb...@bsi.bund.de> and keep the ticket number [CB-Report#...]
of this message in the subject line.
!! Please make sure to consult our HOWTOs and FAQ available at
!! <https://reports.cert-bund.de/en/> first.
Mit freundlichen Grüßen / Kind regards
Team CERT-Bund
Bundesamt für Sicherheit in der Informationstechnik
Federal Office for Information Security (BSI)
Referat OC22 - CERT-Bund
Godesberger Allee 185-189, 53175 Bonn, Germany
-------------------------------------------------------------------------------
And this is the CSV file, IP addresses and ASN replaced with dummy values:
-------------------------------------------------------------------------------
"asn","ip","timestamp"
"65535","192.0.2.1","2022-07-02 00:17:09"
"65535","203.0.113.5","2022-07-02 00:36:42"
"65535","198.51.100.26","2022-07-02 00:49:26"
-------------------------------------------------------------------------------
Greetings,
Max
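As an added example (not code from this list, from Max, or from CERT-Bund), the following Python sketches the "route the report directly to the customer" handling described above: it parses the CERT-Bund CSV layout quoted in the mail, maps each reported IP to the responsible customer by longest-prefix match against a hypothetical allocation table, suppresses sightings that predate a customer's recorded fix (the "note the timestamp" point in the notice), and separates out addresses that cannot be routed. The CSV content, the customer prefixes and contacts, and the `FIXED_SINCE` table are all constructed for the example; a real deployment would read them from the provider's IPAM or customer database.

```python
import csv
import io
import ipaddress
from datetime import datetime

# Constructed sample CSV in the CERT-Bund layout quoted on the list
# (asn, ip, timestamp). Documentation addresses only, not real hosts.
SAMPLE_CSV = '''"asn","ip","timestamp"
"65535","192.0.2.1","2022-07-02 00:17:09"
"65535","203.0.113.5","2022-07-02 00:36:42"
"65535","198.51.100.26","2022-07-02 00:49:26"
'''

# Hypothetical customer allocation table: prefix -> (customer id, contact).
# In a real setup this comes from the provider's IPAM / customer database.
CUSTOMER_PREFIXES = {
    "192.0.2.0/24": ("cust-a", "noc@customer-a.example"),
    "203.0.113.0/25": ("cust-b", "abuse@customer-b.example"),
    "203.0.113.0/24": ("cust-c", "security@customer-c.example"),
}

# Hypothetical "fixed since" timestamps reported back by customers; a sighting
# not newer than the recorded fix is a stale re-report and is not forwarded.
FIXED_SINCE = {
    "cust-a": datetime(2022, 7, 1, 12, 0, 0),
}

# Most specific prefix first, so the first hit is the longest match.
NETWORKS = sorted(
    ((ipaddress.ip_network(p), owner) for p, owner in CUSTOMER_PREFIXES.items()),
    key=lambda item: item[0].prefixlen,
    reverse=True,
)


def lookup_customer(ip_str):
    """Longest-prefix match of an address against the allocation table."""
    addr = ipaddress.ip_address(ip_str)
    for net, owner in NETWORKS:
        if addr.version == net.version and addr in net:
            return owner
    return None


def parse_report(text):
    """Parse the CSV body; skip rows with unparsable fields rather than abort,
    since these feeds are not guaranteed to be clean."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        try:
            ip = str(ipaddress.ip_address(rec["ip"]))
            ts = datetime.strptime(rec["timestamp"], "%Y-%m-%d %H:%M:%S")
            asn = int(rec["asn"])
        except (KeyError, ValueError, TypeError):
            continue
        rows.append({"asn": asn, "ip": ip, "timestamp": ts})
    return rows


def route_report(text):
    """Group report rows per customer, dropping stale and unroutable entries.
    Returns (per-customer dict, list of unroutable IPs)."""
    routed = {}
    unroutable = []
    for row in parse_report(text):
        owner = lookup_customer(row["ip"])
        if owner is None:
            unroutable.append(row["ip"])
            continue
        cust_id, contact = owner
        fixed = FIXED_SINCE.get(cust_id)
        if fixed is not None and row["timestamp"] <= fixed:
            continue  # already fixed before this sighting; nothing to forward
        routed.setdefault(cust_id, {"contact": contact, "entries": []})
        routed[cust_id]["entries"].append(row)
    return routed, unroutable


if __name__ == "__main__":
    per_customer, leftover = route_report(SAMPLE_CSV)
    for cust_id, bundle in per_customer.items():
        print(cust_id, bundle["contact"], [e["ip"] for e in bundle["entries"]])
    print("unroutable:", leftover)
```

Anything that ends up in the unroutable list is exactly what should still reach the regular abuse desk, while the per-customer bundles can be forwarded without going through the escalation path.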