[Dshield] Re: How to ask someone's ISP to investigate
blilly at erols.com
Fri Jul 13 19:48:21 GMT 2001
In addition to all of the other advice, here's what I have
found to be effective (in case there's no fightback report
(e.g. if you're the only victim)):
1. Get a copy of the CERT incident report form
2. Fill it out. See http://www.cert.org/tech_tips/incident_reporting.html
3. Prepend a brief, factual note such as
"An unauthorized probe occurred here this evening.
Details are provided below using the (U.S./CMU) CERT Incident Reporting Form."
Of course, if you're reporting a DoS attack or actual break-in,
change the wording appropriately.
4. Put a clear indication of the issue in the Subject, e.g.
"[PROBE#CERT] Security incident report (probe of TCP port 123)"
(CERT likes to see [PROBE#CERT] for probe reports)
5. Find out who is responsible for the source IP address
using whois or one of the web interfaces (e.g.
6. If the source of the attack is outside of the US, see if
there is an appropriate IRT for that country. A good
resource is http://www.auscert.org.au/Information/Contact/irt.html
If there is one, go to its web site and find out where
to submit incident reports.
7. Make sure that your logs are in the appropriate part
of the CERT form, with a brief explanation of the log format,
time stamp information (UTC or local, offset from UTC if local,
whether mm-dd-yyyy or dd-mm-yyyy etc., whether or not your
local clock is synchronized via NTP or another standard).
Also, read http://www.first.org/docs/international_comms.html
especially if your message will be going to another
8. Send the report to cert at cert.org, with cc's to the IRT
for the source country (if applicable) and the contact
listed by the Internet registry (from the whois data).
While this will usually get a response and resolution of the
problem (an ISP might try to slough you off if you only report
to them, but they're unlikely to do so when CERT has also
been notified), it's a fair amount of work. I used to do this
regularly when I was getting a couple of probes per day, but
now it's impractical due to the increase in such activity, and
I would only use this method now in the event of repeated
probes over a period of time and where there's no Dshield
fightback issued (I now report probes daily via Dshield,
and I have fightback enabled).
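The eight steps above amount to a small report-assembly procedure: collect the log lines for one source address, state the log format and clock details, put the CERT-style tag and probed port in the Subject, and address the mail to CERT with the IRT and whois contact on cc. The following Python script is an added example written for this page, not code from the original post or from Dshield/CERT. The log lines, the IP addresses, the IRT and abuse addresses and the packet-filter log layout are all constructed for illustration; the whois lookup and the actual sending of mail (steps 5 and 8) are deliberately left out so the script runs offline.

```python
"""Draft a CERT-style probe report from firewall log lines.

Added example, not part of the original Dshield post. The log lines,
addresses and contact names below are constructed for illustration;
the log layout is an assumed packet-filter format.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
import re

# Constructed sample log (not real traffic). Timestamps are local time,
# mm/dd/yyyy, UTC-4 (US Eastern daylight time in July).
SAMPLE_LOG = """\
07/13/2001 18:02:11 DENY TCP 198.51.100.23:3412 -> 203.0.113.8:123
07/13/2001 18:02:14 DENY TCP 198.51.100.23:3413 -> 203.0.113.8:123
07/13/2001 19:40:03 DENY TCP 198.51.100.23:3587 -> 203.0.113.8:123
07/13/2001 19:41:55 DENY UDP 192.0.2.77:53 -> 203.0.113.8:1044
"""

# Constructed contacts: the IRT and whois abuse addresses are placeholders
# standing in for what steps 5 and 6 of the post would have you look up.
CONTACTS = {
    "cert": "cert@cert.org",        # address given in the post
    "irt": "irt@example.net",       # hypothetical national IRT
    "whois": "abuse@isp.example",   # hypothetical registry contact
}

LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) DENY "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text, utc_offset_hours):
    """Parse matching lines and convert local timestamps to aware UTC."""
    local_tz = timezone(timedelta(hours=utc_offset_hours))
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines in another format rather than misreport them
        local = datetime.strptime(
            f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S"
        ).replace(tzinfo=local_tz)
        events.append({
            "utc": local.astimezone(timezone.utc),
            "proto": m["proto"],
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "raw": line,
        })
    return events


def build_report(events, source_ip, utc_offset_hours, ntp_synced, contacts):
    """Return (subject, body, recipients) for probes from one source IP.

    Subject follows the [PROBE#CERT] convention from the post; the body
    states log format and clock details before the raw log lines.
    """
    hits = [e for e in events if e["src"] == source_ip]
    if not hits:
        raise ValueError(f"no events from {source_ip}")
    # The most-probed (proto, port) pair goes in the Subject line.
    (proto, port), _ = Counter(
        (e["proto"], e["dport"]) for e in hits
    ).most_common(1)[0]
    subject = f"[PROBE#CERT] Security incident report (probe of {proto} port {port})"
    first, last = hits[0]["utc"], hits[-1]["utc"]
    body = "\n".join([
        "An unauthorized probe occurred here. Details are provided below",
        "using the (U.S./CMU) CERT Incident Reporting Form.",
        "",
        f"Source IP: {source_ip}",
        f"Window (UTC): {first:%Y-%m-%d %H:%M:%S} to {last:%Y-%m-%d %H:%M:%S}",
        "Log format: mm/dd/yyyy HH:MM:SS ACTION PROTO src:port -> dst:port",
        f"Timestamps: local time, UTC{utc_offset_hours:+d}; "
        f"clock {'is' if ntp_synced else 'is NOT'} NTP synchronized",
        f"Log entries ({len(hits)}):",
        *(e["raw"] for e in hits),
    ])
    recipients = {"to": contacts["cert"], "cc": [contacts["irt"], contacts["whois"]]}
    return subject, body, recipients


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG, utc_offset_hours=-4)
    subj, text, rcpt = build_report(evts, "198.51.100.23", -4, True, CONTACTS)
    print("To:", rcpt["to"], "Cc:", ", ".join(rcpt["cc"]))
    print("Subject:", subj)
    print(text)
```

The only logic worth pausing on is the timestamp handling: the log is kept verbatim in the body (the recipient wants the raw lines), while the stated window is converted to UTC and the offset and NTP status are spelled out, so a reader on the other side of the world can line the events up with their own logs without guessing at the date order or zone.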