[Dshield] Re: How to ask someone's ISP to investigate

Bruce Lilly blilly at erols.com
Fri Jul 13 19:48:21 GMT 2001


In addition to all of the other advice, here's what I have
found to be effective (in case there's no fightback report
(e.g. if you're the only victim)):

1. Get a copy of the CERT incident report form
	http://www.cert.org/reporting/incident_form.txt

2. Fill it out. See http://www.cert.org/tech_tips/incident_reporting.html

3. Prepend a brief, factual note such as

"An unauthorized probe occurred here this evening.
Details are provided below using the (U.S./CMU) CERT Incident Reporting Form."

Of course, if you're reporting a DoS attack or actual break-in,
change the wording appropriately.

4. Put a clear indication of the issue in the Subject, e.g.

"[PROBE#CERT] Security incident report (probe of TCP port 123)"

(CERT likes to see [PROBE#CERT] for probe reports)

5. Find out who is responsible for the source IP address
   using whois or one of the web interfaces (e.g.
   http://www.arin.net/whois/index.html).

6. If the source of the attack is outside of the US, see if
   there is an appropriate IRT for that country. A good
   resource is http://www.auscert.org.au/Information/Contact/irt.html
   If there is one, go to its web site and find out where
   to submit incident reports.

7. Make sure that your logs are in the appropriate part
   of the CERT form, with a brief explanation of the log format,
   time stamp information (UTC or local, offset from UTC if local,
   whether mm-dd-yyyy or dd-mm-yyyy etc., whether or not your
   local clock is synchronized via NTP or another standard).
   Also, read http://www.first.org/docs/international_comms.html
   especially if your message will be going to another
   country.

8. Send the report to cert at cert.org, with cc's to the IRT
   for the source country (if applicable) and the contact
   listed by the Internet registry (from the whois data).

While this will usually get a response and resolution of the
problem (an ISP might try to slough you off if you only report
to them, but they're unlikely to do so when CERT has also
been notified), it's a fair amount of work.  I used to do this
regularly when I was getting a couple of probes per day, but
now it's impractical due to the increase in such activity, and
I would only use this method now in the event of repeated
probes over a period of time and where there's no Dshield
fightback issued (I now report probes daily via Dshield,
and I have fightback enabled).
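Steps 3 through 8 above (prepend a factual note, put the issue in the Subject, look up the registry contact for the source address, document the log format and time zone, send to CERT with cc's) lend themselves to a small script that assembles the report skeleton from the reporter's own logs. The following is an added example, not code from the original post or from CERT/Dshield. Everything in it is constructed for illustration: the log lines and their "dd/mm/yyyy HH:MM:SS proto src:sport -> dst:dport" format, the assumption that the local clock runs on US Eastern Daylight Time (UTC-04:00), the whois output and the example.net contact addresses. The cert@cert.org recipient and the [PROBE#CERT] subject tag are the ones given in the post. Real use would replace the embedded whois text with the output of a live whois query, and the hypothetical log format with whatever the reporter's firewall actually writes.

```python
import re
from datetime import datetime, timezone, timedelta

# Constructed sample firewall log (not real traffic; 192.0.2.0/24, 198.51.100.0/24
# and 203.0.113.0/24 are documentation ranges).  Assumed hypothetical format:
#   dd/mm/yyyy HH:MM:SS proto src:sport -> dst:dport [flags], in LOCAL time.
SAMPLE_LOG = """\
13/07/2001 21:14:02 TCP 192.0.2.45:4321 -> 198.51.100.7:123 SYN
13/07/2001 21:14:05 TCP 192.0.2.45:4322 -> 198.51.100.7:123 SYN
13/07/2001 21:16:40 UDP 203.0.113.9:1034 -> 198.51.100.7:137
"""

# Assumption: the reporting host's clock is on US Eastern Daylight Time, UTC-04:00.
LOCAL_TZ = timezone(timedelta(hours=-4), "EDT")

LOG_RE = re.compile(
    r"^(\d{2})/(\d{2})/(\d{4}) (\d{2}):(\d{2}):(\d{2}) "
    r"(TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)"
)

# Constructed ARIN-style whois output for the probing address (not a real record).
SAMPLE_WHOIS = """\
NetRange:       192.0.2.0 - 192.0.2.255
OrgName:        Example Network Operator
OrgAbuseHandle: ABUSE-EX
OrgAbuseEmail:  abuse@example.net
OrgTechEmail:   noc@example.net
"""

# Prefer dedicated abuse fields (ARIN "OrgAbuseEmail", RIPE/APNIC "abuse-mailbox");
# fall back to any e-mail field only if no abuse contact is published.
ABUSE_RE = re.compile(r"^(?:OrgAbuseEmail|abuse-mailbox):\s*(\S+@\S+)", re.M | re.I)
ANY_MAIL_RE = re.compile(r"^\S*e-?mail\S*:\s*(\S+@\S+)", re.M | re.I)


def parse_log(text, tz=LOCAL_TZ):
    """Parse log lines; each event keeps the local timestamp and a UTC conversion."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the assumed format
        d, mo, y, hh, mm, ss, proto, src, sport, dst, dport = m.groups()
        local = datetime(int(y), int(mo), int(d), int(hh), int(mm), int(ss), tzinfo=tz)
        events.append({
            "local": local,
            "utc": local.astimezone(timezone.utc),
            "proto": proto, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport),
        })
    return events


def abuse_contacts(whois_text):
    """Return de-duplicated, lower-cased contact addresses from registry whois output."""
    addrs = ABUSE_RE.findall(whois_text) or ANY_MAIL_RE.findall(whois_text)
    out = []
    for a in addrs:
        a = a.lower()
        if a not in out:
            out.append(a)
    return out


def build_report(events, src, whois_text, report_to="cert@cert.org"):
    """Assemble Subject, recipients and the prepended note plus log excerpt for one source."""
    probes = [e for e in events if e["src"] == src]
    if not probes:
        raise ValueError(f"no events from {src}")
    targets = sorted({(e["proto"], e["dport"]) for e in probes})
    port_desc = ", ".join(f"{proto} port {port}" for proto, port in targets)
    first = min(probes, key=lambda e: e["utc"])
    body = [
        f"An unauthorized probe of {port_desc} from {src} occurred here at "
        f"{first['utc']:%Y-%m-%d %H:%M:%S} UTC.",
        "Details are provided below using the (U.S./CMU) CERT Incident Reporting Form.",
        "",
        "Log format: dd/mm/yyyy HH:MM:SS proto src:sport -> dst:dport [flags]",
        f"Timestamps below are converted to UTC from local {first['local'].tzname()} "
        f"(UTC offset {first['local']:%z}); local clock synchronized via NTP (assumption).",
        "",
    ]
    for e in probes:
        body.append(f"{e['utc']:%Y-%m-%d %H:%M:%S} UTC  {e['proto']} "
                    f"{e['src']}:{e['sport']} -> {e['dst']}:{e['dport']}")
    return {
        "subject": f"[PROBE#CERT] Security incident report (probe of {port_desc})",
        "to": report_to,
        "cc": abuse_contacts(whois_text),
        "body": "\n".join(body),
    }


if __name__ == "__main__":
    report = build_report(parse_log(SAMPLE_LOG), "192.0.2.45", SAMPLE_WHOIS)
    print("To:", report["to"], "Cc:", ", ".join(report["cc"]))
    print("Subject:", report["subject"])
    print()
    print(report["body"])
```

The point of converting every timestamp to UTC and stating the original zone, offset and date order in the body is step 7 above: the recipient in another country cannot otherwise tell whether "13/07" is July 13 or an invalid month, or which of several log lines at "21:14" is the one that matches their own records. The whois parsing only extracts candidate contacts; the cc list for the country IRT from step 6 still has to be added by hand.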