nanog mailing list archives

Re: Abuse Desks

From: Sabri Berisha <sabri () cluecentral net>
Date: Wed, 29 Apr 2020 14:24:44 -0700 (PDT)

----- On Apr 29, 2020, at 9:08 AM, Stephen Satchell list () satchell net wrote:

Hi,

That said, I use TCPWRAPPER to limit access to SSH to specific IP
addresses.  I process my LogWatch messages manually.  I pull the fire
alarm for showshoe probes, and excessive number of probes (over 30 in a
24-hour period).  No registered abuse@ address in the WHOIS?  The
offending netblock goes into my edge router ACL, because I have learned
that ne'er-do-wells without working abuse@ usually have other bad habits.


I have a very simple method to deal with that: a server with no other purpose
than to blackhole portscanning culprits. Send so much as a tcp syn to port 22
and your entire /24 goes to null0 for a month. I have a few exceptions for 
entities that I know are responsive to abuse@, but that's it.

Highly effective.

Thanks,

Sabri

Current thread:

Re: Abuse Desks, (continued)
- - - Re: Abuse Desks sronan (Apr 29)
    - Re: Abuse Desks Mel Beckman (Apr 29)
    - Re: Abuse Desks Shane Ronan (Apr 29)
    - Re: Abuse Desks Mel Beckman (Apr 29)
    - Re: Abuse Desks Mike Hammett (Apr 29)
    - Re: Abuse Desks Valdis Klētnieks (Apr 29)
    - Re: Abuse Desks Joe Greco (Apr 29)
    - Re: Abuse Desks Mel Beckman (Apr 29)
    - Re: Abuse Desks Joe Greco (Apr 29)
    - Re: Abuse Desks Stephen Satchell (Apr 29)
    - Re: Abuse Desks Sabri Berisha (Apr 29)
    - Re: Abuse Desks Mel Beckman (Apr 29)
    - Re: Abuse Desks Sabri Berisha (Apr 29)
    - Re: Abuse Desks Mukund Sivaraman (Apr 29)
    - Re: Abuse Desks Stephen Satchell (Apr 29)
    - Re: Abuse Desks Mike Hammett (Apr 29)
    - Re: Abuse Desks Stephen Satchell (Apr 29)
    - Re: Abuse Desks Mike Hammett (Apr 29)
    - Re: Abuse Desks Matt Corallo via NANOG (Apr 29)
    - Re: Abuse Desks Mukund Sivaraman (Apr 29)
    - Re: Abuse Desks Tom Beecher (Apr 29)

(Thread continues...)