RE: Proper ISP Reporting

From: Scott Fuhriman (fuhrimans_at_llix.net)
Date: 08/18/05

  • Next message: Eduardo Vela: "Re: New Virus?"
    To: "'McKinley, Jackson'" <Jackson.McKinley@team.telstra.com>, "'Jason Burton'" <jab@leximedia.net>
    Date: Thu, 18 Aug 2005 10:50:20 -0700
    
    

    I work for an ISP/Datacenter where we actively take steps to assist with any
    abuse reports we receive.
    The information Jack has provided for a report is the kind of information
    that is needed; however, another item is needed.

    We often get abuse reports from people and they don't leave any information
    on the attacked IP address(es). Simply giving a source IP address and what
    kind of abuse was occurring is insufficient; it is also important to provide
    the IP address(es) and ports of the destination of the abuse activity.
    Remember that the IP address may be spoofed as well, so when contacting a
    service provider do so with the realization that it may not have occurred
    from the source logged.

    It is often easier to investigate when you know the destination of the
    attack so the provider can monitor any traffic from their network to the
    destination. Sanitized log files from the victim are also another item to
    consider providing the provider once you have established communication with
    them.

    Unfortunately, many ISPs out there don't have the skill, experience or
    proper infrastructure to mitigate malicious activity. This is when you must
    take mitigation measures into your own hands, or your direct upstream
    provider can assist you if you don't get a response from the possibly
    offending provider's network.

    Scott

    -----Original Message-----
    From: McKinley, Jackson [mailto:Jackson.McKinley@team.telstra.com]
    Sent: Wednesday, August 17, 2005 4:26 PM
    To: Jason Burton
    Cc: incidents@securityfocus.com
    Subject: RE: Proper ISP Reporting

    + Contact Information for the Incident Reporter
      - Name
      - E-mail address
      - Phone number
      - Location (Time zone and country)
    + Incident Details
      - Date/time that the incident was discovered
      - Type of incident (e.g., denial of service, malicious code, unauthorized
        access, inappropriate usage)
      - Date/time that the incident occurred (if known)
      - Current status of the incident (e.g., ongoing attack)
      - Source/cause of the incident (if known), including hostnames and IP
        addresses
      - Description of the incident (e.g. what occurred)
    + General Comments


    Extra notes:
    * Remember the person that looks at the email first will most likely be a
    low-level engineer, 1st to 2nd level. Try not to be overly technical, but make
    it clear a "Security person" should look at it.
    * Use statements like "Assist with the resolution" and "Help us to solve
    this issue". Make it out that they can work with you to fix it, not just them
    do it.
    * Leave as much info in the logs that you send as possible. Sometimes it's
    easier to track traffic from its destination rather than its source.
    * NEVER EVER EVER EVER say you will do anything legal if they don't fix it
    ASAP... Matter of fact, never use the word "legal" in any way. The moment
    you do that you start a new game, and then everything must be looked at by
    legal before it goes anywhere, thus slowing the process down a LOT! We all
    know how good at red tape legal are :P
    * I always send to more than 1 address. abuse@isp, hostmaster@isp,
    postmaster@isp, helpdesk@isp, noc@isp, gnoc@isp, soc@isp are always good
    places to start.
    * Saying things like "we have forwarded your details to the <Insert Agency name
    here>" will only have the same effect as point 3, and they don't need to
    know you have done this.
    * You can try logging it as a Fault with the ISP's helpdesk. This will mean
    they will have call-back alarms and PKI's to think of... ;)
    * Also expect things to take time. Personally, in the past when I have
    worked on abuse reports for ISPs it has taken time to deal with them.
    It's not like you can just switch off customer or machine XYZ. You have to
    gather info, look into it from your end, contact the customer, check with
    the customer's contract / AUE. Then if the customer does nothing you can do
    it. But that can take some time.
    * Solve the issue within your scope of control if you can. Get your
    upstream to block it (if you have one ;) )

    Cheers

    Jack.

    -----Original Message-----
    From: Jason Burton [mailto:jab@leximedia.net]
    Sent: Wednesday, 17 August 2005 12:02 PM
    To: incidents@securityfocus.com
    Subject: Proper ISP Reporting

    Anyone have samples of how to properly report to ISPs regarding abuse?

    i.e. What format the email should be in, sample phrases, or sentences that
    might help. I've been doing this for a while, and while some work, some have
    not. I'm wondering if anyone has examples.

    Thanks

    Jason Burton
    Leximedia LLC
    jab@leximedia.net
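As an added example (not code from any poster in this thread), the script below turns a few firewall drop lines into a report that carries the fields Jack lists (reporter contact with time zone, incident type, status, dates, source), the destination IP addresses and ports Scott asks for, and a sanitized log excerpt with timestamps normalized to UTC. It also addresses the draft to the mailboxes Jack names and checks the text for the word "legal" before it goes out. The iptables-style log format, the sample lines, the reporter details, the year/time-zone defaults and the provider domain are all constructed assumptions.

```python
"""Assemble an ISP abuse report from firewall log lines.

Added example for this thread; not code from any of the posters. The
log format, field names, reporter details and defaults are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines in an assumed iptables-style syslog format.
SAMPLE_LOGS = """\
Aug 17 11:58:01 fw kernel: DROP IN=eth0 OUT= MAC=.. SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22
Aug 17 11:58:03 fw kernel: DROP IN=eth0 OUT= MAC=.. SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=22
Aug 17 11:58:09 fw kernel: DROP IN=eth0 OUT= MAC=.. SRC=198.51.100.23 DST=192.0.2.11 PROTO=TCP SPT=51240 DPT=3389
Aug 17 12:01:44 fw kernel: DROP IN=eth0 OUT= MAC=.. SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=4000 DPT=53
"""

# Constructed reporter details (hypothetical).
REPORTER = {"name": "Example Reporter", "email": "security@example.org",
            "phone": "+1 555 0100", "location": "UTC-7, United States"}

LOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# Mailboxes Jack suggests trying in addition to abuse@.
ABUSE_MAILBOXES = ("abuse", "hostmaster", "postmaster", "noc", "soc")
TONE_FLAGS = ("legal",)  # Jack's advice: never use the word "legal"


def parse_logs(text, year=2005, tz=timezone(timedelta(hours=-7))):
    """Syslog lines carry no year or zone; the reporter supplies both."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a firewall drop line
        local = datetime.strptime(f"{m['mon']} {m['day']} {year} {m['time']}",
                                  "%b %d %Y %H:%M:%S").replace(tzinfo=tz)
        events.append({"utc": local.astimezone(timezone.utc),
                       "src": m["src"], "dst": m["dst"], "proto": m["proto"],
                       "spt": int(m["spt"]), "dpt": int(m["dpt"])})
    return events


def summarize(events):
    """Per source IP: hit count, first/last seen (UTC) and (dst, proto, port) targets."""
    by_src = defaultdict(lambda: {"count": 0, "first": None, "last": None, "targets": set()})
    for ev in events:
        s = by_src[ev["src"]]
        s["count"] += 1
        s["first"] = ev["utc"] if s["first"] is None else min(s["first"], ev["utc"])
        s["last"] = ev["utc"] if s["last"] is None else max(s["last"], ev["utc"])
        s["targets"].add((ev["dst"], ev["proto"], ev["dpt"]))
    return dict(by_src)


def sanitized_lines(events, src):
    """Keep only what the provider needs; hostnames, interfaces and MACs are dropped."""
    return [f"{ev['utc']:%Y-%m-%d %H:%M:%S} UTC {ev['src']}:{ev['spt']} -> "
            f"{ev['dst']}:{ev['dpt']} {ev['proto']}"
            for ev in events if ev["src"] == src]


def recipients(domain):
    return [f"{box}@{domain}" for box in ABUSE_MAILBOXES]


def lint_report(text):
    """Return flagged words found in the draft; an empty list means it is clean."""
    low = text.lower()
    return [w for w in TONE_FLAGS if w in low]


def build_report(reporter, events, src, incident_type, status, provider_domain):
    s = summarize(events)[src]
    lines = [f"To: {', '.join(recipients(provider_domain))}",
             f"Subject: Abuse report: {incident_type} from {src}", "",
             "Contact information",
             f"  Name: {reporter['name']}", f"  E-mail: {reporter['email']}",
             f"  Phone: {reporter['phone']}", f"  Location: {reporter['location']}", "",
             "Incident details",
             f"  Type: {incident_type}", f"  Status: {status}",
             f"  First seen: {s['first']:%Y-%m-%d %H:%M:%S} UTC",
             f"  Last seen:  {s['last']:%Y-%m-%d %H:%M:%S} UTC",
             f"  Source: {src} (may be spoofed; please verify from your side)",
             "  Destinations (IP, protocol/port):"]
    lines += [f"    {dst} {proto}/{dpt}" for dst, proto, dpt in sorted(s["targets"])]
    lines += [f"  Events logged: {s['count']}", "",
              "Sanitized log excerpt (timestamps converted to UTC):"]
    lines += [f"  {l}" for l in sanitized_lines(events, src)]
    lines += ["", "We would appreciate your assistance with the resolution of this issue."]
    return "\n".join(lines)


if __name__ == "__main__":
    report = build_report(REPORTER, parse_logs(SAMPLE_LOGS), "198.51.100.23",
                          "unauthorized access attempts", "ongoing", "example.net")
    print(report)
    print("tone flags:", lint_report(report))
```

The draft deliberately states that the source may be spoofed and asks the provider to confirm from its own side, which is the caveat Scott raises; the destination list is what lets the provider watch traffic toward those addresses even when the logged source turns out to be wrong.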

