Security Probe Report (was Re: [Dshield] How to ask someone's ISP to investigate)

David Kennedy CISSP david.kennedy at acm.org
Thu Jul 12 21:35:58 GMT 2001


-----BEGIN PGP SIGNED MESSAGE-----

At 01:50 PM 7/12/01 -0500, Ray Seals wrote:
>Does anyone have a form e-mail that they could share with the rest
>of us, which is used to file a complaint with an offending ISP, etc?
> I've read the Contacting Host Owners paper on incidents.org but it
>doesn't really cover what the complaint should look like.

<probe report template>

One of my systems received a probe **** that appeared to
come from a system on a network for which you have responsibility. 
This may be an acceptable use policy/terms of service violation; you
may choose to inquire and act as you see fit.  I do not expect a
reply.

This is my log entry:

Date: 2000-03-24
Time: 06:33:39 (UTC)
Attack Type: ****
Victim IP: aaa.bbb.ccc.ddd
Intruder IP: www.xxx.yyy.zzz
Intruder Name: foo-981.example.com

(replace **** and IP wild cards as appropriate)

</probe report template>

In my experience these reports either get dev/null'd or generate an
automated response.  Rarely do they stimulate human consciousness.
While I have enough time to send in a report now and then, I don't
have the time to provide free advice to some luzer who's leaned on
the return key on a new Red Hat 5.2 CD.  Thus, the "don't expect a
reply" line; plus it saves me any frustration of expecting the other
end of my report to (1) have clue, (2) care, (3) have time, and (4)
have the will to do anything about my report.  I don't expect 1-4;
ISPs are in the business of carrying traffic, not the business of
blocking it.  There's little incentive for them to respond to
complaints.  Expecting or demanding action is just asking for
frustration.  The information above is enough for a clueful ISP to
launch their own inquiry, and providing more, like a tcpdump, just
isn't necessary.

This is why I believe DShield et al are providing a tremendous
service to the 'Net's community.  UUNet is not terribly likely to
care about me knocking on their abuse or security e-mail about one of
their users.  When Johannes can knock on their door with 2,500
reports, they're more likely to pay attention.


-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: When was the last time you backed-up your hard drive?

iQCVAwUBO04YPPGfiIQsciJtAQEe+AQAxmlAmBsQymeHMVAKAOw/Z2VevgpLuon7
y6IeE0U8NX0HBv69o+9qxkCRNfxTdtz5ajYePoebViZRqr5qKpF/ntte9d0E+zYe
gz77Q55hnwuFYWFNyC3XEYmP9kd3QxXkwrM3xXHTrmpPcIKE4vhY9ASXn5gsdZbz
r7prKYRRjFE=
=MUd0
-----END PGP SIGNATURE-----

-- 
Regards,

David Kennedy CISSP
Director of Research Services, TruSecure Corp. http://www.trusecure.com
Protect what you connect.
Look both ways before crossing the Net.
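The template above is filled in by hand in the post. As an added example (not code from the original post or from DShield), the script below does the mechanical part: it parses one firewall log line, normalises the timestamp to UTC as the template requires, validates both addresses, refuses to generate a report for an RFC 1918 or loopback source (there is no upstream ISP to send that to), and renders the template verbatim. The log line format, the `parse_log_line`/`build_report` names and the port-name table are all assumptions constructed for this example; real firewall logs will need their own regular expression.

```python
"""Render the probe-report template from one firewall log line.

Added example, not from the original post. The log line format below is a
constructed, hypothetical one: a local timestamp with UTC offset followed
by key=value fields. Adjust LOG_RE for a real firewall's format.
"""
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample log line (hypothetical format).
SAMPLE_LOG = ("2000-03-24T01:33:39-0500 action=DENY proto=TCP "
              "src=192.0.2.77 dst=198.51.100.10 dport=23")

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\S+)\s+proto=(?P<proto>\S+)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)$"
)

# Template text copied from the post; the placeholders are filled below.
TEMPLATE = """\
One of my systems received a probe ({attack}) that appeared to
come from a system on a network for which you have responsibility.
This may be an acceptable use policy/terms of service violation; you
may choose to inquire and act as you see fit.  I do not expect a
reply.

This is my log entry:

Date: {date}
Time: {time} (UTC)
Attack Type: {attack}
Victim IP: {victim}
Intruder IP: {intruder}
Intruder Name: {intruder_name}
"""

# Small constructed table so the "Attack Type" line is readable to a human.
PORT_NAMES = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp",
              53: "dns", 80: "http", 111: "sunrpc", 443: "https"}

# Address ranges that no ISP can act on: RFC 1918 and loopback.
UNREPORTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_log_line(line):
    """Extract the fields the template needs; timestamp is converted to UTC."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised log line")
    # %z accepts "-0500"; astimezone() does the local-to-UTC shift.
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S%z").astimezone(timezone.utc)
    # ip_address() raises ValueError on anything that is not an IP literal,
    # so a malformed field never reaches the outgoing mail.
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    return {"ts": ts, "src": src, "dst": dst,
            "port": int(m["dport"]), "proto": m["proto"].lower()}


def describe_attack(proto, port):
    """'tcp/23 (telnet)' style label for the Attack Type line."""
    name = PORT_NAMES.get(port)
    return f"{proto}/{port}" + (f" ({name})" if name else "")


def build_report(line, intruder_name="(not resolved)"):
    """Fill the template from one log line; intruder_name is supplied by the
    caller because reverse DNS is deliberately not done here (offline)."""
    e = parse_log_line(line)
    if any(e["src"] in net for net in UNREPORTABLE):
        raise ValueError("source is RFC 1918 or loopback; nothing to report upstream")
    return TEMPLATE.format(
        attack=describe_attack(e["proto"], e["port"]),
        date=e["ts"].strftime("%Y-%m-%d"),
        time=e["ts"].strftime("%H:%M:%S"),
        victim=e["dst"], intruder=e["src"], intruder_name=intruder_name,
    )


if __name__ == "__main__":
    print(build_report(SAMPLE_LOG, intruder_name="foo-981.example.com"))
```

The sample line is stamped 01:33:39 at UTC-5, so the rendered report reads "Time: 06:33:39 (UTC)", matching the post's example; sending local time without the zone is the most common way these reports become useless to the receiving ISP.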



