The question is always who to contact when you receive unusual traffic from a host. Here are the methods GIAC analysts use.
Hubert Weikert suggests that the simplest way to query all the whois databases is to use a 'whois proxy' like http://www.geektools.com/cgi-bin/proxy.cgi
This program automatically finds the right registry or whois service based on the query.
Patrick Oonk suggests: You might like the whois from http://www.linux.it/~md/software/, which is very smart and knows where to look for what you are searching. Give it a try, I never leave home without it :)
Also, http://www.abuse.net/lookup.phtml is very handy to look up abuse contacts.
Unix users may want to try the following techniques:
One can use DNS to find a contact for an IP address. This is done by looking for the contact listed in the "Start Of Authority" for the IP number or name. Assuming you are starting with the IP number, use the command:

don> dig -x AAA.BB.CC.DDD soa

If you have an IP name, omit the "-x" and use the command:

dig host.name soa

Look for the "AUTHORITY RECORDS:" information that looks like this:

;; AUTHORITY RECORDS:
CC.BB.AAA.in-addr.arpa. 28800 SOA ns1.XXX.XX. root.XXXXXXXXX.XXXX.XXX.XX. (
2000021700 ; serial
3600 ; refresh (1 hour)
900 ; retry (15 mins)
604800 ; expire (7 days)
28800 ) ; minimum (8 hours)

What you are looking for here is the info in the same location as root.XXXXXXXXX.XXXX.XXX.XX. above. To contact the SOA for the DNS domain, change the first "dot" to an "at", and send your gripe-mail there. E.g.

mail root@XXXXXXXXX.XXXX.XXX.XX

If you don't have dig, but you do have nslookup, use the sequence of commands:

nslookup
set type=soa
DDD.CC.BB.AAA.in-addr.arpa.
exit

Note:
- this example assumes you are starting with an IP address. If you have a hostname, replace "DDD.CC.BB.AAA.in-addr.arpa." with "host.name".
- the numbers in the address are reversed. If you want to look up 10.1.2.3 this way, the 3rd line would be 3.2.1.10.in-addr.arpa.
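The two steps above (reverse the octets into an in-addr.arpa name, then turn the SOA contact field into a mailbox by changing the first dot to an at) as an added Python example; this is not code from the original page. The dig output it parses is a constructed sample with placeholder names, and the converter also handles a backslash-escaped dot in the contact field (RFC 1035 presentation format), a case the text above does not cover.

```python
import ipaddress
import re

# Constructed sample: the AUTHORITY section of "dig -x 10.1.2.3 soa",
# in the layout quoted above (names are placeholders, not a real zone).
SAMPLE_DIG_OUTPUT = """\
;; AUTHORITY RECORDS:
2.1.10.in-addr.arpa. 28800 SOA ns1.example.net. hostmaster\\.noc.example.net. (
    2000021700 ; serial
    3600 ; refresh (1 hour)
    900 ; retry (15 mins)
    604800 ; expire (7 days)
    28800 ) ; minimum (8 hours)
"""

def reverse_name(ip):
    """The name dig -x / nslookup query for an IPv4 address: octets reversed,
    so 10.1.2.3 becomes 3.2.1.10.in-addr.arpa."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input
    return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."

def rname_to_email(rname):
    """Turn the SOA contact field (root.XXXXXXXXX.XXXX.XXX.XX.) into a mailbox.
    The first unescaped dot separates user from host; a backslash-escaped
    dot (RFC 1035 presentation format) is a literal dot in the user part."""
    label = rname.rstrip(".")
    user = []
    i = 0
    while i < len(label):
        ch = label[i]
        if ch == "\\" and i + 1 < len(label):   # escaped character
            user.append(label[i + 1])
            i += 2
        elif ch == ".":                          # user/host boundary
            return "%s@%s" % ("".join(user), label[i + 1:])
        else:
            user.append(ch)
            i += 1
    raise ValueError("RNAME has no host part: %r" % rname)

# owner TTL [class] SOA MNAME RNAME ...  (the class may be absent, as above)
SOA_RE = re.compile(r"^\S+\s+\d+\s+(?:IN\s+)?SOA\s+(\S+)\s+(\S+)", re.MULTILINE)

def soa_contact(dig_output):
    """Return (primary nameserver, contact mailbox) from the SOA authority record."""
    m = SOA_RE.search(dig_output)
    if not m:
        raise ValueError("no SOA record found in dig output")
    mname, rname = m.groups()
    return mname.rstrip("."), rname_to_email(rname)
```

Feed `soa_contact` the text of a real `dig -x <ip> soa` run and it returns the nameserver and the mailbox to write to.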
To use the registries, one can use a web browser, but I find it faster and easier to use "whois". Unless I know where the host is registered I always start off at ARIN with the following command:

whois -h whois.arin.net 10.1.2.3

Now I'm your typically lazy Unix type, so I have the following aliases defined to make life easier for myself:

alias arin "/usr/ucb/whois -h whois.arin.net"
alias ripe "/usr/ucb/whois -h whois.ripe.net"
alias apnic "/usr/ucb/whois -h whois.apnic.net"
alias jpnic "/usr/ucb/whois -h whois.nic.ad.jp"
alias aunic "/usr/ucb/whois -h whois.aunic.net"
alias milnic "/usr/ucb/whois -h whois.nic.mil"
alias govnic "/usr/ucb/whois -h whois.nic.gov"
alias krnic "/usr/ucb/whois -h whois.krnic.net"

So all I have to type is:

arin XX.X.X.X

Look for "Coordinator:" and there should be at least one way to contact them listed; often an e-mail address, a telephone number, and a fax number are given. Sometimes the address you are dealing with is not listed in ARIN, but ARIN will tell you where to get the info you need, e.g.
don> arin XXX.XX.XXX.XXX
European Regional Internet Registry/RIPE NCC (NETBLK-RIPE-C)
These addresses have been further assigned to European users.
Contact information can be found in the RIPE database, via the
WHOIS and TELNET servers at whois.ripe.net, and at
http://www.ripe.net/db/whois.html
[ snip ]

So now I try ripe, and get an e-mail address from there:

don> ripe XXX.XX.XXX.XXX
-----
% Rights restricted by copyright.
See http://www.ripe.net/ripencc/pub-services/db/copyright.html
inetnum: XXX.XX.XXX.XXX - XXX.XX.XXX.XXX
netname: XXXXXXXX
descr: XXXXXXXX WWW server
descr: Zagreb, Croatia
country: HR
admin-c: XXXXXX-RIPE
tech-c: XXXXXX-RIPE
status: ASSIGNED PA
mnt-by: XXX-MNT
changed: XXXXX.XXXXXXXXXXXX@XXX.hr 19981103
source: RIPE
route: XXX.XX.0.0/16
descr: XXX-Internet
origin: XXXXXX
remarks: The same thing with objects in MCI database.
mnt-by: XXX-MNT
changed: XXXXX.XXXXXX@XXX.hr 19980826
changed: XXXXX.XXXXX@XXX.hr 19991201
source: RIPE
person: XXXXXX XXXXXXXX
address: XXXXXX XX
address: 10000 Zagreb
address: Croatia
------> phone: XXXX X XXXX XXX
------> fax-no: XXXX X XXXX XXX
------> e-mail: XXXXXXX@XXXXXXXX.hr
[ snip ]
Actually there is a third set of addresses I might try. These are a last resort, since it is possible that these addresses are monitored by a hacker who owns the host:
root@ip.of.bad.hst or root@bad.host
postmaster@ip.of.bad.hst or postmaster@bad.host
webmaster@ip.of.bad.hst or webmaster@bad.host
abuse@ip.of.bad.hst or abuse@bad.host
