[Dshield] Contacting ISP's to report hack attempts - any luck ?
Johannes B. Ullrich
jullrich at sans.org
Wed Jan 14 15:10:26 GMT 2004
> I report this to everyone that I can figure out how to (and this should NOT
> be so hard but I swear some of them don't want to hear from you) and I never
> hear anything back. Well, that's not quite true. I reported it via email to
> one and got an auto response that my incident had been logged and gave me an
> incident #. Then a little while latter I get another email saying you cannot
> submit an incident that way. REAL impressive !
I find it very hard to measure the effect of our fightback program. I
probably should do a more details analysis just based on our data. But
as a quick update (and answer to you):
First of all, in order to be read at all, your reports has to meet
certain criteria: You have to include time stamps with time zone,
you have to include a log sample, you have to be brief and to the
point. Do not use attachments, do not "flame". Be nice...
Next, the response. The response, and what actually happened at the ISP
are not related. We do get replies from ISPs that the "investigate,
identified and shut down the offender", 5 seconds after the original
fightback left. I would like it if it would be that easy ;-). I know
from other ISPs that do not respond at all, but they do shut down
infected machines. They just don't think its a good use of their
time to respond.
The best indicator is to see if the attacks stopped. And this is
something I have to work on. How long do the attacks continue after
the ISP is notified, compared to not notifying the ISP. You can't just
look at the data for systems you notified, as they may be cleaned up
even without your notification being taken into account.
CTO SANS Internet Storm Center http://isc.sans.org
phone: (617) 837 2807 jullrich at sans.org
contact details: http://johannes.homepc.org/contact.htm
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://www.dshield.org/pipermail/list/attachments/20040114/79528f28/attachment.bin
More information about the list