On Wed, 16 Feb 2000, Barrett G. Lyon wrote:

> You need to figure out who is actually doing the attack and notify their
> providers with a clean description of what actually took place. If the
> attack is too big to wait you get on the phone immediately and make it
> someone else's problem as well. If it is real bad you can even involve
> your upstream provider(s) and have them put filters in place on their end
> of the network. [ Large providers hate doing this, yet if you
> bark enough they will listen. ]

What I am finding more and more is that ISPs are less and less willing to disclose any information about their customers.

For example, I work for a medium-sized ISP. One of our machines was compromised about 2 weeks ago, and this server was then used to SYN flood and smurf foreign hosts. I traced this address back to a large ISP, who at first completely refused to assist me, and after a hassle, referred me to their operations center in Europe, who referred me back to their US operations center where I started in the first place.

My simple request was for the ISP who provided the address to the attacker in the first place, as my goal was to notify them that they had potentially been compromised and to inquire about this ISP's acceptable use policy. It has been 12 days, and still my request has gone unanswered after a series of more requests and ranting. Now I am told that this information will not be released to me unless my company issues a subpoena for it.

Is it me, or is this absolutely ridiculous? If ISPs are supposed to assist each other in tracking down and stopping these attacks, and if sharing information about attacks is so important, why are we now playing secret squirrel with each other?