Re: Proper ISP Reporting
From: Dennis Willson (taz_at_taz-mania.com)
Date: Fri, 19 Aug 2005 14:24:17 -0700 To: firstname.lastname@example.org
I sure agree with this one...
Without the destination the report can be totally useless. I work for a company
that runs Internet crawlers and a couple of times (Not very many) a crawler would
get stuck (due to a bug or a problem with their search data) and hammer someones
server (we do as much as we can to keep this from happening). To give us our own addresses
and not the destinations address doesn't help much.
Scott Fuhriman wrote:
> I work for an ISP/Datacenter where we actively take steps to assist with any
> abuse reports we receive.
> The information Jack has provided for a report is the kind of information
> that is needed, however another item is needed.
> We often get abuse reports from people and they don't leave any information
> on the attacked ip address(es). Simply giving a source IP address and what
> kind of abuse was occurring is insufficient, it is also important to provide
> the IP address(es) and ports of the destination of the abuse activity.
> Remember that the IP address may be spoofed as well, so when contacting a
> service provider do so with the realization that it may not have occurred
> from the source logged.
> It is often easier to investigate when you know the destination of the
> attack so the provider can monitor any traffic from their network to the
> destination. Sanitized log files from the victim is also another item to
> consider providing the provider once you have established communication with
> Unfortunately, many ISPs out there don't have the skill, experience or
> proper infrastructure to mitigate malicious activity. This is when you must
> take mitigation measures into your own hands or your direct upstream
> provider can assist you if you don't get a response from the possible
> offending providers network.
> -----Original Message-----
> From: McKinley, Jackson [mailto:Jackson.McKinley@team.telstra.com]
> Sent: Wednesday, August 17, 2005 4:26 PM
> To: Jason Burton
> Cc: email@example.com
> Subject: RE: Proper ISP Reporting
> + Contact Information for the Incident Reporter
> - Name
> - E-mail address
> - Phone number
> - Location (Time zone and country)
> + Incident Details
> - Date/time that the incident was discovered
> - Type of incident (e.g., denial of service, malicious code, unauthorized
> access, inappropriate usage)
> - Date/time that the incident occurred (if known)
> - Current status of the incident (e.g., ongoing attack)
> - Source/cause of the incident (if known), including hostnames and IP
> - Description of the incident (e.g.what occurred)
> + General Comments
> Extra notes:
> * Remember the person that looks at the email first will most likely be a
> low level engineer 1st to 2nd level. Try not to be over technically but make
> it clear a "Security person" should look at it.
> * Use statements like "Assist with the resolution" and "Help us to solve
> this issue" Make it out that they can work with you to fix it no just them
> do it.
> * Leave as much info in the logs that you send as possible. Some times its
> easyer to track traffic from its distination rather then its source.
> * NEVER EVER EVER EVER say you will do anything legal if they don't fix it
> ASAP... Matter of fact never use the work "legal" in any way.. The moment
> you do that you start a new game, and then everything must be looked at by
> legal before it goes anywhere. Thus slowing the process down a LOT! We all
> know how good at red tape legal are :P
> * I always send to more then 1 address.. Abuse@isp, hostmaster@isp,
> postmaster@isp, Helpdesk@isp, noc@isp, gnoc@isp, soc@isp. Are always good
> places to start.
> * Saying things like we have forward you details to the <Insert Agency name
> here> will only have the same effect as point 3. and they don't need to
> know you have done this.
> * You can try login it as a Fault with the ISP's helpdesk. This will mean
> they will have call back alarms and PKI's to think of... ;)
> * Also expect things to take time. Personally in the past when I have
> worked on abuse reports for ISP's it has taken time to deal with them.
> Its not like you can just switch of customer or machine XYZ.. You have to
> gather info, look into it from your end, contact the customer, check with
> the customers contract / AUE. Then if the customer does nothing you can do
> it.. But that can take some time.
> * solve the issue with in your scope of control if you can. Get you
> Upstream to block it (if you have one ;) )
> -----Original Message-----
> From: Jason Burton [mailto:firstname.lastname@example.org]
> Sent: Wednesday, 17 August 2005 12:02 PM
> To: email@example.com
> Subject: Proper ISP Reporting
> Anyone have samples of how to properly report to ISP's regarding abuse?
> ie. What format the email should be in, sample phrases, or sentences that
> might help. I've been doing this for a while and while some work, some have
> not. Im wondering if anyone has examples.
> Jason Burton
> Leximedia LLC