By: Bart Vrancken
Since 2009, BIT has been using AbuseReporter, a tool it developed itself, for receiving and processing abuse reports. The idea behind AbuseReporter is to be able to gather as much information as possible without too much trouble and then to inform the clients (automatically or otherwise).
Because I have had more than one request from ISPs (mostly the smaller ones) to provide them with a tool like AbuseReporter, I decided a little while back to start a new project, with the intent of giving all interested ISPs and hosters access to free and open source software that provides these services. Derived from BIT's AbuseReporter, but built in collaboration with other ISPs/hosters, this project has grown into AbuseIO.
With AbuseIO, any ISP or hoster can easily process its abuse reports. For many smaller businesses, dealing with abuse reports is not a top priority, since it is usually quite time consuming. By the time a report finally reaches the end user, several days may have passed. In the case of, for example, a botnet infection, that means the end user is warned too late and their account could already have been emptied.
AbuseIO makes it possible to inform the ISP's/hoster's clients within an hour of receiving an abuse report. In my experience with BIT's abuse reports, quickly passing on the information leads to a big reduction in the duration of the abuse: most cases are resolved within one or two days. Not only is the abuse shortened, but by clearly displaying historical data the ISP/hoster also gets a better view of how an internet connection is being used. A client that is continually in trouble online needs a different approach than someone who accidentally visited the wrong site and picked up a (botnet) virus on their system.
The collection of information has changed a lot since 2009 as well. Before, the focus was mostly on spam and the odd hacked website, but nowadays we are looking at a much wider range of internet services. In addition, several initiatives have been launched by multiple parties to make abuse information available to internet providers. By taking in more data sources (feeds), you get a much better picture of the (possible) abuse in your own networks. That way, not only actual abuse reports (spam, botnet infections, hacked and/or phishing websites) are processed, but also reports about systems that could be vulnerable to future abuse.
You would rather proactively inform your clients about things like open UDP ports or systems still susceptible to the POODLE vulnerability than tell them about the damage done after it has happened. In most cases, the administrator of the system is not aware of the potential problem: the problematic software has often been installed as a dependency of other software, but was never configured or secured. By pointing this out to clients and giving them tips to secure such services, we try to prevent the abuse of their systems. Most clients respond very positively to this proactive behaviour of BIT's in fighting (possible) abuse.
This system creates a complete workflow, from processing reports to informing the end user.
In addition to the report itself, we try to explain why this is a problem and why the end user of the system would want to solve it. Finally, we offer a number of examples to support the end user, so they do not have to go online to find them themselves.
By now, we are well on our way to officially launching the first version of AbuseIO in April. The system can combine and process reports from all the big data sources (such as Shadowserver, SpamCop, IP Echelon, Google Safe Browsing, Project Honey Pot, Clean MX, C-SIRT, Netcraft and many others), so the receivers (the ISPs/hosters) will not see many duplicate reports.
There is a lot of interest, mostly because abuse control is becoming increasingly important. We get more and more positive feedback from both the smaller and the larger ISPs and hosters.
A frequently asked question is 'How does AbuseIO compare to AbuseIX?'. To our knowledge, AbuseIX provides aggregated data from 'trusted notifiers' (parties like SpamCop, Netcraft, etc.) about its clients' network(s). AbuseIO can split this data at the ISP/hoster into separate end users again and also take care of processing it. AbuseIO can be used alongside AbuseIX, but it also works on its own.
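The two steps described above, merging reports about the same system that arrive from several feeds so the abuse desk does not see duplicates, and then splitting an aggregated stream back into per-customer notices by looking up which netblock an IP belongs to, are shown below in a small Python pipeline. This is an added illustration, not AbuseIO's own code: the feed formats, the customer netblock table (RFC 5737 documentation ranges), the 24-hour merge window and all report records are constructed for the example.

```python
"""Constructed abuse-report pipeline: ingest records from two feeds, merge
duplicate sightings, map each IP to the customer owning the netblock, and
build one notice per customer. Illustration only, not AbuseIO's code."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical customer netblock table (RFC 5737 documentation prefixes).
CUSTOMERS = {
    "192.0.2.0/25": "customer-a",
    "192.0.2.128/25": "customer-b",
    "198.51.100.0/24": "customer-c",
}
NETBLOCKS = [(ipaddress.ip_network(cidr), name) for cidr, name in CUSTOMERS.items()]

# Constructed raw records in two simplified, feed-specific shapes (not real feed formats).
FEED_A = [  # hypothetical CSV-style lines: timestamp,ip,category
    "2015-03-02T10:05:00,192.0.2.10,botnet",
    "2015-03-02T10:40:00,192.0.2.10,botnet",  # repeat sighting of the same infection
    "2015-03-02T10:12:00,198.51.100.7,open-resolver",
]
FEED_B = [  # hypothetical dict-style records from a second feed
    {"seen": "2015-03-02T10:20:00", "source_ip": "192.0.2.10", "type": "botnet"},
    {"seen": "2015-03-02T11:00:00", "source_ip": "192.0.2.200", "type": "phishing"},
    {"seen": "2015-03-02T11:30:00", "source_ip": "203.0.113.5", "type": "spam"},  # not our space
]


def parse_feed_a(lines):
    """Normalise feed A lines into the common record shape."""
    for line in lines:
        ts, ip, cat = line.split(",")
        yield {"time": datetime.fromisoformat(ts), "ip": ip, "type": cat, "source": "feed-a"}


def parse_feed_b(records):
    """Normalise feed B dicts into the same common record shape."""
    for r in records:
        yield {"time": datetime.fromisoformat(r["seen"]), "ip": r["source_ip"],
               "type": r["type"], "source": "feed-b"}


def customer_for(ip):
    """Longest-match is not needed here: the table has no overlapping prefixes."""
    addr = ipaddress.ip_address(ip)
    for net, name in NETBLOCKS:
        if addr in net:
            return name
    return None


def deduplicate(events, window=timedelta(hours=24)):
    """Collapse reports about the same (ip, type) within `window` of the first
    sighting into one incident, remembering which feeds reported it and how often.
    A sighting outside the window opens a new incident for the same key."""
    incidents = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["ip"], ev["type"])
        current = incidents[key][-1] if incidents[key] else None
        if current and ev["time"] - current["first_seen"] <= window:
            current["sources"].add(ev["source"])
            current["count"] += 1
            current["last_seen"] = ev["time"]
        else:
            incidents[key].append({"ip": ev["ip"], "type": ev["type"],
                                   "first_seen": ev["time"], "last_seen": ev["time"],
                                   "sources": {ev["source"]}, "count": 1})
    return [inc for incs in incidents.values() for inc in incs]


def assign_and_group(events):
    """Attach the owning customer; IPs outside our netblocks belong to another
    abuse desk and are set aside rather than notified."""
    per_customer = defaultdict(list)
    unroutable = []
    for ev in events:
        owner = customer_for(ev["ip"])
        (unroutable if owner is None else per_customer[owner]).append(ev)
    return dict(per_customer), unroutable


def build_notifications(per_customer):
    """One plain-text notice per customer listing each distinct incident, so a
    customer gets a single message instead of one mail per feed line."""
    notices = {}
    for customer, events in per_customer.items():
        lines = [f"Abuse report for {customer}: {len(events)} incident(s)"]
        for ev in sorted(events, key=lambda e: e["first_seen"]):
            srcs = ",".join(sorted(ev["sources"]))
            lines.append(f"- {ev['ip']} {ev['type']} first seen {ev['first_seen'].isoformat()} "
                         f"reported by {srcs} ({ev['count']} report(s))")
        notices[customer] = "\n".join(lines)
    return notices


def run_pipeline():
    raw = list(parse_feed_a(FEED_A)) + list(parse_feed_b(FEED_B))
    per_customer, unroutable = assign_and_group(deduplicate(raw))
    return build_notifications(per_customer), unroutable


if __name__ == "__main__":
    notices, skipped = run_pipeline()
    for text in notices.values():
        print(text, end="\n\n")
    print(f"{len(skipped)} event(s) outside our address space set aside")
```

Running it yields three notices: the three botnet sightings of 192.0.2.10 from two feeds become a single incident for customer-a, while the spam report about 203.0.113.5 is set aside because no customer netblock contains it.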
At the moment, we are running a beta version to put on the finishing touches. If you are already interested in working with AbuseIO, you can check out the software at https://abuse.io. We are also gathering information there on how to obtain data and on the best ways to act on it.
On IRC (Freenode), you can find our channel under the name #abuseio, where you can post questions and comments about this project. If you do not use IRC, you can always send me an email at firstname.lastname@example.org.
Finally, ISPs/hosters who are starting with AbuseIO might also be interested in the Abuse-NL Community. Abuse.nl aims to informally contribute to fighting abuse in general, and within Dutch networks in particular. Direct and informal contacts within the abuse.nl community enable a quick response to current incidents in the networks. By sharing practical experience, participants help each other find the most efficient, effective and structural way to deal with such incidents, and the shared technical knowledge makes it possible to make the right choices. The community is also a good way to stay up to date with current incidents that affect an abuse desk. Interested parties who want more information or who want to register with the Abuse-NL Community can go to http://www.abuse.nl.