
| Subject: | Re: PHP injection attempt from 200.222.244.154 |
|---|---|
| Date: | Fri, 17 Dec 2004 15:12:25 +0000 |
On Thu, 2004-12-09 at 01:08 +0000, Jez Hancock wrote:
> On Tue, 7 Dec 2004 23:46:21 +0000, Jez Hancock <jez.hancock@gmail.com> wrote:
> > I did something similar in a perl script when my network became the target of (relatively small scale - less than a dozen at a time) distributed denial of service attacks a while ago. After detecting a sustained attack from a set of IP addresses - ie a number of unacceptable log entries in the firewall log from certain addresses - I would initiate this script to help me build an abuse report that I could forward to the ISPs responsible for the addresses involved in the attacks. For each address the process of building the report would be cut from 5-10 minutes down to just a minute or two.
>
> For anyone interested, the perl abuse report script mentioned above can be found here:
> http://munk.nu/programming/perl/abuse_report.pl
>
> I've just added a considerable amount of description to the script (the text is probably longer than the script now :grin:) which describes the problem of reporting abuse. Any comments are welcome:
> (snipped)
Jez,

Sad to say, but for anything significant I've resorted to that most old-fashioned of communications mediums, the telephone; this really varies based on your line of work and which sector you work in, but I find that in my professional life, I encounter a relatively low number of incidents which I'd consider extremely serious.

To that end, when these issues do crop up (and this is really specific to DoS issues), whilst I have automated the process of gathering information on source addresses before now (mostly by scripting in order to swiftly get information without having to manually sift through netstat output and firewall logs in order to get source IPs and then whois them), rather than sending out e-mails, I've actually called up the network operator in question. I've done this at least a dozen times in the last two years, and I've found that in almost every instance, I've had a useful response.

Obviously in the case of a DoS attack, there isn't much which you accomplish by having one host disconnected from the 'net, but in a smaller subset of those dozen cases, I've actually been able to make useful progress with the tech at the other end. If you are interested in being very proactive, I have encountered more than one technical contact who was prepared to disconnect and dissect a machine in order to track down the attacker.

Automating the attack investigation and e-mail drafting is a great idea, but I'd be a little careful about it - you may find that netadmins get a little offended if they think they're being sent one-fits-all e-mails which have had little or no human intervention! That said, I've downloaded a copy of the script and I'll have a play about with it if I get time ;)

regards,
- James.
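Both messages describe the same workflow: count blocked firewall entries per source address and, once a source crosses a threshold, assemble a report for the responsible network operator. The Python below is an added example, not Jez's perl script or anything else from the thread; the pf-style log layout, the sample lines and the threshold are assumptions, and the abuse contact is left for a human to fill in after a manual whois lookup, in line with James's caveat about unreviewed one-fits-all mail.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (pf-style "block in" entries); not from the thread.
SAMPLE_LOG = """\
Dec 07 23:40:01 fw pf: block in on em0: 198.51.100.7:51234 -> 203.0.113.10:80 TCP SYN
Dec 07 23:40:01 fw pf: block in on em0: 198.51.100.7:51235 -> 203.0.113.10:80 TCP SYN
Dec 07 23:40:02 fw pf: block in on em0: 192.0.2.55:40000 -> 203.0.113.10:22 TCP SYN
Dec 07 23:40:02 fw pf: block in on em0: 198.51.100.7:51236 -> 203.0.113.10:80 TCP SYN
Dec 07 23:40:03 fw pf: block in on em0: 198.51.100.7:51237 -> 203.0.113.10:80 TCP SYN
"""

# Assumed log layout: timestamp, host, daemon, "block in on <if>:", src:port -> dst:port.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ \S+ block in on \S+: "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)


def offenders(log_text, threshold=3):
    """Group blocked entries by source address; keep sources at or above the threshold."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits[m.group("src")].append(line)
    return {ip: lines for ip, lines in hits.items() if len(lines) >= threshold}


def draft_abuse_report(src_ip, lines, tz_note="UTC"):
    """Assemble the report body. The abuse contact is deliberately blank: the operator
    does the whois lookup and reads the draft before anything is sent."""
    matches = [LINE_RE.match(line) for line in lines]
    first, last = matches[0].group("ts"), matches[-1].group("ts")
    dsts = sorted({m.group("dst") for m in matches})
    ports = sorted({m.group("dport") for m in matches}, key=int)
    body = [
        f"To: <abuse contact for {src_ip} -- fill in after whois>",
        f"Subject: Blocked connection attempts from {src_ip}",
        "",
        f"Between {first} and {last} ({tz_note}) our firewall logged {len(lines)} blocked",
        f"connection attempts from {src_ip} to {', '.join(dsts)}, port(s) {', '.join(ports)}.",
        "Relevant log excerpt follows (timestamps are from our firewall clock):",
        "",
        *lines,
    ]
    return "\n".join(body)


if __name__ == "__main__":
    for ip, lines in offenders(SAMPLE_LOG).items():
        print(draft_abuse_report(ip, lines), end="\n\n")
```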