
I'm setting up a small business that will be providing internet service for a niche market. We'll be offering fully unrestricted and unmonitored (as much as the law allows - and while we'd rather not we will still have the ability to capture packets if justified) internet access, and I am not sure how we should respond to abuse reports (a Google search didn't find anything relevant).

Let's say I get an e-mail about SSH bruteforce coming from one of our customer's IPs. How do I tell whether it's genuine and not a troll (log entries and even .pcaps can be faked)? How do the big ISPs do it (for those that actually care about abuse reports I mean)?

Similarly, complaints about spam e-mail, how do I check whether they're genuine before acting upon them? Is this even a problem? Have there been instances where trolls would report someone for allegedly doing bad stuff in hopes of getting them in trouble with their provider?

Am I condemned to log every single packet leaving my network or is there an industry standard solution that doesn't go to such extremes?

Regards.

André Borie
  • Why would you handle abuse reports at all? – Michael Hampton Mar 12 '17 at 22:58
  • What do you mean? If someone is legitimately complaining about one of our customers spewing out spam/DoS/bruteforce I want to do something about it, just like I don't appreciate being at the receiving end of those attacks (and I doubt anyone is). – André Borie Mar 12 '17 at 23:00
  • That's a good answer. So, what's in your terms of service? – Michael Hampton Mar 12 '17 at 23:02
  • Terms of service allow us to terminate someone's connection for whatever reason, and acceptable use policy would prohibit DoS, spam, bruteforce, basically anything we deem malicious. My main question is that following a complaint, how should I judge whether it's genuine or a troll/mistake? Logging every packet would do it but that's technically impossible even if we wanted to do it, so I'm asking how the big players do it. – André Borie Mar 12 '17 at 23:05
  • @MichaelHampton A machine spewing SSH bruteforce attacks is likely compromised. If you have reason to believe that one of your customers is compromised and you don't even tell them, you are terrible at your job. – David Schwartz Mar 12 '17 at 23:10
  • @DavidSchwartz I have to agree. Unfortunately there are far too many ISPs out there who are terrible at their jobs, because the Internet is still awash in SSH brute force attacks. – Michael Hampton Mar 12 '17 at 23:15

2 Answers


Generally speaking, you are acting as a neutral carrier and probably shouldn't be inspecting content. The general process for handling abuse reports is to set up a ticket system or even just a mailbox that picks up for abuse@yourdomain and then forward reports to the end user.

I'm saying generally because while I have plenty of specific experience in this area, how it's done at our place won't be exactly how anyone else does it. You need to tailor the approach to the services you offer. That being said, I can give you some advice that's not too specific and forms the basis of how most places handle abuse. I am not a lawyer though and this shouldn't be interpreted as being anyone's opinion but my own, just in case someone is crazy enough to track down who my employer is.

Hopefully some of this is helpful though.

Basic procedure:

  1. You have an abuse email address.
  2. Mail comes in to the abuse queue.
  3. Tell the abuse reporter you'll pass it on.
  4. Look up which customer is using that IP, forward them the report and ask if they know what's going on.
  5. Providing the end user doesn't respond with something really stupid, an instruction along the lines of "Please don't let it happen again" is for the best. There are legitimate projects that trip abuse reports, but mostly these happen because of security researchers; if that's not your niche then you won't need to worry.
  6. Go to step 1 and repeat.

Most times one loop through is enough. Abuse spoofing is not something I've really seen much of, I mean it happens but it's been really obvious since they're trying to get the person in trouble while legit abuse reports tend to be of the "We don't care why it's happening, just make it stop" kind.

Things you should do

You'll probably see a few piracy warnings, a bunch of spam reports, the occasional more esoteric warning... Server hosting trends towards a bigger variety, broadband is more piracy, everyone gets spam reports. Forward all of them. Most of the time the customer is going to plead innocence, then either clean up their PC or clean up their act. If they're determined to keep at it they'll probably cover their tracks better.

Usually abuse reports are generated in response to actions by compromised machines... the problem children like to make a mess in someone else's front yard so that it doesn't track in to their house and make their parents unhappy. Assume that the customer isn't intentionally sending out spam. Try to give customers the benefit of the doubt the first time they get a report against them.

Warnings might take a while to stop if you've got a really prolific spammer, but if you continue to see reports with events after a customer has been warned, or they get a lot of complaints, you might want to consider terminating them for AUP violations. You'll probably realise pretty quickly if someone is faking reports enough to reach that point.

Have traffic volume graphing. Most abuse report types (spam, copyright, DDoS) will light up a traffic graph... was averaging 40kbit but suddenly jumped to 10mbit and stayed there for hours? Don't do anything until someone complains or it starts to impact customers, but irregular traffic will certainly give you ammo.

Things not to do...

Don't give out customer information unless someone hands you a court order and you can prove that order is legit. Some abuse reporters will ask for information in the hopes of getting a co-operative provider, but if you turn it over to anyone other than a court then you are probably creating legal issues for yourself. The police are generally not going to email you asking for your customer's billing contact, and even if they did you should still be telling them that you can only provide that information in person and on presentation of an appropriate court order.

Don't turn off a customer just because someone contacted your abuse queue and asked you to. If they're reporting abuse you need to get them to provide some kind of evidence which you can act on... I said that abuse report faking wasn't common, I didn't say it didn't happen. How much you see it depends entirely on how much of a target your customer base is. Little old ladies probably aren't going to attract the attention of trolls, twitch streamers on the other hand might.

Similarly, don't let abuse reporters bully you... some people can get really threatening and aggressive with their report if you don't instantly obey their orders. Your responsibility as a conduit is to forward on the notices and take timely action if the customer isn't co-operative. You only become responsible if you know the customer is doing something bad and let them continue. Have a sensible (read: not favouring pirates) policy and stick to it, that'll help if anything does go screwy. If you only provide bandwidth and not hosting, you probably aren't responsible for taking down the content unless your customer fails to do so when you ask them.

Don't stress out too much. 99.9% of abuse reports at an ISP are really boring procedural stuff that amounts to "I saw this bad thing come from your network, it's probably a compromised machine, please look in to it."

In most cases, comparing the reported event time to the traffic graph will tell you the legitimacy of the report. Hostile processes don't send out emails or port scans in ones or twos.

One last thing.

If you do ever get an abuse case where the police are involved, make sure to ask explicitly what they want you to do for them but don't expect them to have super technical answers. Sometimes the police aren't entirely familiar with the tech involved (I've been told that on one occasion they wanted to visit us to physically seize a VPS, that was fun) but they do have an idea of what they want to accomplish. Exactly what sort of thing they're going to be after depends entirely on exactly what type of services you provide.

Kaithar
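
Added example, not part of the answer above: one way to compare a reported event time against a customer's traffic-graph data, as the answer suggests. The function names, thresholds and the sample series are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from statistics import median

def report_matches_graph(samples, reported_at, window=timedelta(minutes=30),
                         baseline=timedelta(hours=24), factor=10.0,
                         floor_bps=500_000, min_hits=3):
    """Compare a reported event time with one customer's traffic-graph data.

    samples: list of (datetime, bits_per_second) exported from the grapher.
    The thresholds are assumptions to tune, not industry constants.
    """
    lo, hi = reported_at - window, reported_at + window
    # Baseline: what this customer normally does before the reported window.
    base = [r for t, r in samples if lo - baseline <= t < lo]
    near = [(t, r) for t, r in samples if lo <= t <= hi]
    if len(base) < 12 or not near:
        return {"verdict": "no-data", "baseline_bps": None, "peak_bps": None}
    base_bps = median(base)
    # The floor stops an almost idle line from flagging every small blip.
    threshold = max(base_bps * factor, floor_bps)
    # Require several samples over threshold: a sustained jump, not one spike.
    hits = [t for t, r in near if r >= threshold]
    verdict = "consistent" if len(hits) >= min_hits else "not-visible"
    return {"verdict": verdict, "baseline_bps": base_bps,
            "peak_bps": max(r for _, r in near)}

def constructed_samples():
    """Constructed data: 24 h at about 40 kbit/s, then 6 h at 10 Mbit/s."""
    start = datetime(2017, 3, 11, tzinfo=timezone.utc)
    return start, [(start + timedelta(minutes=5 * i),
                    40_000 + (i % 7) * 1_000 if i < 288 else 10_000_000)
                   for i in range(360)]

if __name__ == "__main__":
    start, samples = constructed_samples()
    for hours in (12, 25, 40):  # before the jump, during it, outside the data
        print(hours, report_matches_graph(samples, start + timedelta(hours=hours)))
```

A "not-visible" result only means the graph does not corroborate the report at that time; it is a prompt to ask the reporter for more evidence, not proof the report is false.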

If you're going to deploy as an unmonitored ISP, you probably wouldn't be able to confirm that malicious traffic is traveling through your network. Otherwise, you'd most likely need to set up some form of basic traffic monitoring, at the very least a TCPDump system.

You may also want to set up some kind of ticketing system and pass severe complaints on to your customers. Require responses within a certain amount of time, with service bans as a result of not replying or rectifying the problem, etc.

You can't always determine if a report is true or false, but in my experience you'll quickly learn to gauge the validity. Set requirements for submitting abuse complaints -- for example, require traffic or access logs clearly showing your network involvement.

Spam complaints typically include the email headers and source, so you can make individual case by case decisions on how to handle them. SpamCop should have some good

Get familiar with DMCA or equivalent U.K. Copyright laws.

You'll likely have to set some precedents for yourself and help set the tone for how your service can be used.

Good Luck

iisor
  • Ticketing system is already in place, and tcpdump is definitely possible on a case by case basis, I was just wondering whether there were other solutions, but looks like that's it. Thanks for your answer. – André Borie Mar 12 '17 at 23:57
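
Added example, not part of the posts above: a sketch of triaging the email headers that a spam complaint includes, by listing the `Received` hops that name an address in your own customer ranges. The network range, host names and header block are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime
from ipaddress import ip_address, ip_network

# Assumption: a documentation range stands in for the ISP's customer pool.
CUSTOMER_NETS = [ip_network("203.0.113.0/24")]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def hops_from_our_network(raw_headers, nets=CUSTOMER_NETS):
    """Return Received hops whose bracketed peer IP is in one of our ranges.

    Hop 0 is the newest header (added last, by the reporter's own mail
    system). Headers below the first hop written by a server the reporter
    controls were supplied by the sender and can be forged.
    """
    msg = message_from_string(raw_headers)
    found = []
    for hop, value in enumerate(msg.get_all("Received", [])):
        flat = " ".join(value.split())            # unfold continuation lines
        stamp = flat.rsplit(";", 1)[-1].strip()   # date follows the last ';'
        try:
            when = parsedate_to_datetime(stamp)
        except (TypeError, ValueError):
            when = None                           # missing or malformed date
        for text in BRACKETED_IP.findall(flat):
            try:
                addr = ip_address(text)
            except ValueError:
                continue                          # e.g. an octet above 255
            if any(addr in net for net in nets):
                found.append({"hop": hop, "ip": text, "time": when})
    return found

# Constructed complaint headers (not from a real report).
SAMPLE = "\n".join([
    "Received: from mx.reporter.example (localhost [127.0.0.1])",
    "\tby mail.reporter.example; Sun, 12 Mar 2017 21:40:05 +0000",
    "Received: from host17.cust.example (unknown [203.0.113.17])",
    "\tby mx.reporter.example; Sun, 12 Mar 2017 21:40:03 +0000",
    "Received: from bank.example ([198.51.100.9])",
    "\tby host17.cust.example; Sun, 12 Mar 2017 21:39:00 +0000",
    "Subject: constructed sample",
    "", "body",
])

if __name__ == "__main__":
    print(hops_from_our_network(SAMPLE))
```

The hop time returned here is the timestamp to line up with the customer's address assignment and traffic graph before forwarding the report.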