Hi there,
when looking through traffic analysis, I can more or less easily identify IP addresses that exhibit bad behavior (like massive port/address scanning, attempting to log into joomla/wp administration URLs, POP3/SMTP account scanning, etc) which need to be blocked. Now, since most of these IPs are not the actual culprits, but merely infected machines, it would be helpful for the internet health as a whole to report such incidents to their respective ISPs. Here's where the problem starts :) My manual approach would be to look up whois data for the respective IP (which by itself can be a multi-step process, since you first need to find the right registry), and look for an abuse contact there. But whois isn't exactly engineered for automated mass lookups (+), and if I did this I'm sure I'd probably be violating the terms of use of at least some of the registry whois servers, and be locked out. So, what alternatives are there? I saw that abuse.net keeps a nice DNS-based lookup service for domain names, but they unfortunately don't do this for IP addresses. How are others doing this? I know I occasionally received output of fail2ban scripts when working for a larger ISP. Are these all in-house local developments?
Cheers, Markus
(+) joomla/wp scans alone yielded > 3000 ip addresses in one day for our little network...
Hi Markus
So, what alternatives are there?
How about using services from Dshield (http://www.dshield.org/howto.html) or Threatstop (http://www.threatstop.com/IP-Reputation-Service-Overview especially step 5)
Basically you submit your logs and they do the lookup for you, and you benefit from getting offending IPs from other ISPs.
Regards
Jean-Pierre
Hi Markus
There are a couple of standardized abuse report forms to report incidents or spam which can automatically be processed by abuse desks.
Ask Google for ARF or X-ARF.
Then there is the problem of finding the abuse contacts. I agree, whois reply parsing is absolutely ugly, especially as you have to follow referrals in the case of ARIN and APNIC.
RIPE is easy, they have an API you can query:
https://apps.db.ripe.net/search/abuse-finder.html https://labs.ripe.net/ripe-database/abuse-handling-in-the-ripe-database
Example API call in JSON:
https://apps.db.ripe.net/whois/use-cases/abuse-finder.json?source=ripe&primary-key=157.161.1.2
(also works without ssl)
Apparently Afrinic offers a similar API which I haven't found yet. If anyone knows of other such APIs on the other RIR, I would be delighted to know about them.
And of course there is the abusix.org contacts database via DNS:
$ host -t txt 0.0.161.157.abuse-contacts.abusix.org
0.0.161.157.abuse-contacts.abusix.org descriptive text "abuse@imp.ch"
Kind regards
Benoit Panizzon
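As an added example (not code from anyone in this thread), a small Python pipeline in the spirit of the abusix lookup quoted above: it pulls offending IPs out of access-log lines probing Joomla/WordPress admin URLs, builds the reversed-octet query name, parses the TXT answer, and groups IPs by abuse contact so one report can go out per contact. The log format and sample addresses are constructed, the comma-separated multiple-contact handling is an assumption, and the `host(1)`-based resolver needs network access (the grouping function accepts any resolver callable, so it can be tested offline).

```python
import ipaddress
import re
import subprocess
from collections import defaultdict

ABUSIX_ZONE = "abuse-contacts.abusix.org"

# Constructed sample access-log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Aug/2013:09:40:01 +0200] "GET /administrator/index.php HTTP/1.1" 404 -
192.0.2.10 - - [23/Aug/2013:09:40:02 +0200] "POST /wp-login.php HTTP/1.1" 404 -
198.51.100.7 - - [23/Aug/2013:09:41:15 +0200] "POST /wp-login.php HTTP/1.1" 404 -
203.0.113.9 - - [23/Aug/2013:09:42:30 +0200] "GET /index.php HTTP/1.1" 200 512
"""
ADMIN_PATHS = re.compile(r'"(?:GET|POST) (?:/administrator/|/wp-login\.php|/wp-admin/)')


def offending_ips(log_text):
    """Client IPs (first field) of lines hitting Joomla/WordPress admin URLs."""
    return [line.split()[0] for line in log_text.splitlines() if ADMIN_PATHS.search(line)]


def abusix_query_name(ip):
    """Reverse the octets: 157.161.0.0 -> 0.0.161.157.abuse-contacts.abusix.org."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 lookups are shown here")
    return ".".join(reversed(str(addr).split("."))) + "." + ABUSIX_ZONE


def parse_contacts(txt_records):
    """Split TXT answers into mailboxes; multiple contacts are assumed to be comma-separated."""
    contacts = []
    for rec in txt_records:
        for part in rec.strip('"').split(","):
            part = part.strip().lower()
            if re.fullmatch(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", part):
                contacts.append(part)
    return contacts


def host_resolver(name):
    """TXT lookup via host(1), like the command quoted in the thread (needs network access)."""
    out = subprocess.run(["host", "-t", "txt", name], capture_output=True, text=True, check=False).stdout
    return re.findall(r'descriptive text "([^"]*)"', out)


def group_by_contact(ips, resolve=host_resolver):
    """Map each abuse contact to the deduplicated, sorted offending IPs it is responsible for."""
    report = defaultdict(list)
    for ip in sorted(set(ips), key=ipaddress.ip_address):
        contacts = parse_contacts(resolve(abusix_query_name(ip)))
        for contact in contacts or ["<no abuse contact found>"]:
            report[contact].append(ip)
    return dict(report)
```

Run with `group_by_contact(offending_ips(SAMPLE_LOG))` to query the live abusix zone; IPs with no published contact land under a placeholder key so they can still be handled by hand.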
On 2013-08-23 09:43, Markus Wild wrote: [..]
My manual approach would be to lookup whois data for the respective IP (which by itself can be a multi step process, since you first need to find the right registry), and look for an abuse-contact there. But, whois isn't exactly engineered for automated mass lookups (+), and if I did this I'm sure I'd probably be violating terms of use of at least some of the registry whois servers, and be locked out. So, what alternatives are there? I saw that abuse.net keeps a nice DNS based lookup service for domain names, but they unfortunately don't do this for IP addresses. How are others doing this? I know I occasionally received output of fail2ban scripts when working for a larger ISP. Are these all in-house local developments?
Please check for instance:
https://code.google.com/p/collective-intelligence-framework/ or http://csirtgadgets.org/
Greets, Jeroen