IMO, the answer is balance.

- Handful of SSH connection attempts against a server. Nobody got in, security hardening did its job. I don't think that is worth reporting.
- Constant brute force SSH attempts from a given source over an extended period of time, or a clear pattern of probing, yes, report that.
As much as some pound on the table and say there shouldn't be, there is always going to be a level of background 'cruft' traffic between networks. Forever. An argument was made somewhere in here that "scanning" is, by itself, a problem. I disagree. There are many legitimate use cases for certain types of scans, maps, etc. It's true that it sometimes can be difficult to distinguish between a malicious scan and an innocent one. Proposing a solution of "stop all scanning" is absolutely a baby/bathwater angle. I would also challenge those that say "Oh well all these companies should have perfect flow logs and pay an army of engineers to analyze them for these 5 specific TCP SYNs from 2 weeks ago." I would bet you probably couldn't do that either.

On Tue, Apr 28, 2020 at 11:59 AM Mike Hammett <na...@ics-il.net> wrote:
> I noticed over the weekend that a Fail2Ban instance's complain function wasn't working. I fixed it. I've noticed a few things:
>
> 1) Abusix likes to return RIR abuse contact information. The vast majority are LACNIC, but it also has kicked back a couple for APNIC and ARIN. When I look up the compromised IP address in Abusix via the CLI, the APNIC and ARIN ones return both ISP contact information and RIR information. When I look them up on the RIR's whois, it just shows the ISP abuse information. Weird, but so rare it's probably just an anomaly. However, almost everything I see in LACNIC's region is returned with only the LACNIC abuse information when the ones I've checked on LACNIC's whois list valid abuse information for that prefix. Can anyone confirm they've seen similar behavior out of Abusix? I reached out to them, but haven't heard back.
> 2) Digital Ocean hits my radar far more than any other entity.
> 3) Azure shows up a lot less than GCP or AWS, which are about similar to each other.
> 4) Around 5% respond saying it's been addressed (or why it's not in the event of security researchers) within a couple hours. The rest I don't know. I've had a mix of small and large entities in that response.
> 5) HostGator seems to have an autoresponder (due to a 1 minute response) that just indicates that you sent nothing actionable, despite the report including the relevant log file entries.
> 6) Charter seems to have someone actually looking at it as it took them 16 - 17 hours to respond, but they say they don't have enough information to act on, requesting relevant log file entries... which were provided in the initial report and are even included in their response. They request relevant log file entries with the date, time, timezone, etc. all in the body in plain text, which was delivered.
> 7) The LACNIC region has about 1/3 of my reports.
>
> Do these mirror others' observations with security issues and how abuse desks respond?
>
> -----
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
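As an added illustration of the "balance" threshold argued in the reply above (example code written for this page, not from the thread or from Fail2Ban), a small Python triage over constructed sshd log lines: a handful of failures from one source is left alone, while a sustained run from a single source is flagged and turned into a plain-text report that carries the relevant log entries with date, time and timezone, which is what the abuse desks in the quoted post asked for. The log format, the thresholds and the function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd lines. Timestamps carry an explicit UTC offset so a
# report built from them states date, time and timezone together.
SAMPLE_LOG = [
    "2020-04-25T02:11:03+00:00 sshd[811]: Failed password for root from 203.0.113.7 port 50122 ssh2",
    "2020-04-25T02:11:05+00:00 sshd[811]: Failed password for root from 203.0.113.7 port 50123 ssh2",
    "2020-04-25T02:11:08+00:00 sshd[811]: Failed password for admin from 203.0.113.7 port 50124 ssh2",
] + [  # one source hammering the host every couple of hours for three days
    f"2020-04-{25 + i // 12}T{(i * 2) % 24:02d}:{i:02d}:41+00:00 sshd[9{i:02d}]: "
    f"Failed password for root from 198.51.100.9 port {40000 + i} ssh2"
    for i in range(36)
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def parse(lines):
    """Group failed-login events by source IP: ip -> [(timestamp, raw line), ...]."""
    by_src = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # silently skip lines that are not failed-password records
            by_src[m["ip"]].append((datetime.fromisoformat(m["ts"]), line))
    return by_src

def classify(events, min_attempts=20, min_span=timedelta(hours=12)):
    """'report' only for a source that is both persistent (count) and sustained (time span)."""
    times = sorted(t for t, _ in events)
    sustained = len(times) >= min_attempts and times[-1] - times[0] >= min_span
    return "report" if sustained else "ignore"

def build_report(ip, events):
    """Plain-text report body: summary line plus the relevant log entries verbatim."""
    times = sorted(t for t, _ in events)
    head = (f"Source {ip}: {len(events)} failed SSH logins between "
            f"{times[0].isoformat()} and {times[-1].isoformat()}\n")
    return head + "\n".join(line for _, line in sorted(events))

def triage(lines):
    """Map every source IP in the log to (verdict, report text or None)."""
    out = {}
    for ip, events in parse(lines).items():
        verdict = classify(events)
        out[ip] = (verdict, build_report(ip, events) if verdict == "report" else None)
    return out
```

Tune `min_attempts` and `min_span` to the host's own baseline; the point is that both a count and a duration have to be exceeded before a report goes out.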