Network security is a priority for service providers. Akamai’s 2016 State of the Internet Security Report shows a 125% increase in Distributed Denial of Service (DDoS) attacks and a 26% increase in web application attacks, with 50% of bot traffic is identified as malicious. Companies like Abusix have specialist products like AbuseHQ, which integrates your network security and quickly reveals insights that are buried deep within your network’s IP abuse report. It does this in a number of ways:

Providing Insights Based On Abuse@reports

To identify network abuse and differentiate between priority reports and reports that can be dealt with at a later stage, AbuseHQ processes reports from over 3,000 reporters during an average week. Reporters include feedback loops from AOL, Comcast, Microsoft, as well as copyright, trademark, and DMCA reports, CC-IRC (Canadian Government), Child Exploitation, Malware, Blocklist reports, Shadowserver, and many more.  

Importing any type of security data to AbuseHQ is easy through the AbuseHQ API. The API allows you to import edge system reports and logs, as well as data from web portals into AbuseHQ.

See also: The Importance Of Correctly Interpreting Network Abuse Reports

Subscription Versus Non-Subscription Feedback Loops

Some OSINT feedback emails will be sent without a subscription. Phishing and copyright data are examples of data often presented in this fashion. Other feedback loop emails require a subscription.  

The following reporters allow you to sign up all your CIDR Ranges and IP addresses (ASNs) for feedback loop reports:

Primary Reporters

•    AOL
•    Google Safe Browsing reports for ASN’s
•    Microsoft JMRP
•    Shadowserver
•    Spamcop
•    Spamhaus PBL

Secondary Reporters

•    Earthlink
•    Project Honeypot
•    QQ
•    United Online (Juno / Netzero)
•    Yandex
•    Zoho

Paid Reporters

•    Netcraft
•    Signal Spam

Subscription FBL Reporters who limit IP address subscriptions

The following reporters limit IP address sign up to a maximum of 65,000 IP addresses for each application submittal and also require WHOIS RDNS and, in some cases, DKIM and or DomainKeys.

To get the most out of these FBLs, access and hosting providers should focus on signing up their IP addresses for managed service platforms like hosted email and web services (WordPress).

Primary Reporters

•     Charter / Time Warner Cable (RoadRunner)
•    Comcast
•    Cox
•    Rackspace (Signup shared email service IP addresses only, it requires DomainKeys or DKIM)
•    Yahoo! (MTAs only; requires DomainKeys or DKIM)

Secondary Reporters

•    Excite (hosted by BlueTie)
•    Fastmail
•    OpenSRS (Tucows)
•    Synacor
•    Telenor
•    Terra
•    USA.NET
•    XS4ALL
•    Zoho

See also: Common Inbound Abuse Channels That You Should Be Using For Solid Service Provider Security

Providing Clarity With The Abuse Data Service

Abusix processes over 150 billion individual events annually, and then supplies this data to security, brand, and fraud protection vendors, as well as government agencies. This data is also available to network owners to detect spam, fraud, and abuse in real-time as it occurs on their network.

All instances of AbuseHQ automatically contain the Abuse Data Service (Abusix’s trap feed), Abusix honeypot reports, and spamvertised/ns-vertised feeds when the system is turned on.

Honeypot reports (or events) are attacks of these honeypots within your network. This allows you to see network abuse in real-time, and to take proactive action before you end up on any blacklists.

Identifying Customers Creating Abuse

AbuseHQ comes preconfigured with the event IP address as the default customer ID, regardless of whether the report is an IP address or domain report. In the case of the latter, the system automatically looks up the IP address corresponding to the hosted domain.  

Subsequently, additional customer resolvers identify customers at every event. The most common other resolvers include:

• An email resolver may be configured to use message header elements (provided in an ARF or other report) as the customer ID or a query element through the API customer resolver.
• An API resolver may be configured to look up a web resource or a customer ID for IP addresses, email addresses or domains, and a timestamp.   

An API resolver can be particularly helpful when environments include ranges that are:

• Dynamic IP address assignment (connectivity)
• Shared IP address(es) (web sites or other types of hosted service)

Setting up customer resolvers is quick with Abusix’s assistance – all AbuseHQ needs is a web resource to query.

For more information about how AbuseHQ can integrate your network security and provide you with an IP abuse report that resolves up to 99% of network abuse incidents, get in touch with a network abuse specialist today.