I did not want to target anyone in particular, so I have responded to my 
original e-mail. I have seen comments about the big guys just ignoring 
everything. I have had a non-zero number of e-mails from each of Azure, GCP, 
AWS, and Hetzner claiming that they have acted on my report. It isn't a 
significant percentage, but they're doing something about some of the reports. 


I don't think I've seen anything back from the biggest offender, DigitalOcean, 
other than auto-responders acknowledging the report. 




----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

----- Original Message -----

From: "Mike Hammett" <na...@ics-il.net> 
To: "North American Network Operators' Group" <nanog@nanog.org> 
Sent: Tuesday, April 28, 2020 10:57:10 AM 
Subject: Abuse Desks 


I noticed over the weekend that a Fail2Ban instance's complain function wasn't 
working. I fixed it. I've noticed a few things: 


1) Abusix likes to return RIR abuse contact information. The vast majority are 
LACNIC, but it also has kicked back a couple for APNIC and ARIN. When I look up 
the compromised IP address in Abusix via the CLI, the APNIC and ARIN ones 
return both ISP contact information and RIR information. When I look them up on 
the RIR's whois, it just shows the ISP abuse information. Weird, but so rare 
it's probably just an anomaly. However, almost everything I see in LACNIC's 
region is returned with only the LACNIC abuse information when the ones I've 
checked on LACNIC's whois list valid abuse information for that prefix. Can 
anyone confirm they've seen similar behavior out of Abusix? I reached out to 
them, but haven't heard back. 
2) DigitalOcean hits my radar far more than any other entity. 
3) Azure shows up a lot less than GCP or AWS, which are about similar to each 
other. 
4) Around 5% respond saying it's been addressed (or why it's not in the event 
of security researchers) within a couple hours. The rest I don't know. I've had 
a mix of small and large entities in that response. 
5) HostGator seems to have an autoresponder (due to a 1-minute response) that 
just indicates that you sent nothing actionable, despite the report including 
the relevant log file entries. 
6) Charter seems to have someone actually looking at it, as it took them 16-17 
hours to respond, but they say they don't have enough information to act on, 
requesting relevant log file entries... which were provided in the initial 
report and are even included in their response. They request relevant log file 
entries with the date, time, timezone, etc. all in the body in plain text, 
which was delivered. 
7) The LACNIC region has about 1/3 of my reports. 






Do these mirror others' observations with security issues and how abuse desks 
respond? 




----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 
