[Dshield] Contacting ISP's to report hack attempts - any luck ?

Chuck Lewis clewis at iquest.net
Wed Jan 14 17:28:08 GMT 2004


<I find it very hard to measure the effect of our fightback program. I
probably should do a more detailed analysis just based on our data. But
as a quick update (and answer to you):

First of all, in order to be read at all, your reports have to meet
certain criteria: You have to include time stamps with time zone,
you have to include a log sample, you have to be brief and to the
point. Do not use attachments, do not "flame". Be nice...

Next, the response. The response, and what actually happened at the ISP
are not related. We do get replies from ISPs that they "investigated,
identified and shut down the offender", 5 seconds after the original
fightback left. I would like it if it would be that easy ;-). I know
of other ISPs that do not respond at all, but they do shut down
infected machines. They just don't think it's a good use of their
time to respond.

The best indicator is to see if the attacks stopped. And this is
something I have to work on. How long do the attacks continue after
the ISP is notified, compared to not notifying the ISP? You can't just
look at the data for systems you notified, as they may be cleaned up
even without your notification being taken into account.>

Thanks Johannes,

Yep, I always try the "be nice" first approach and here is an example of what I
would send them (and I'm not well versed in this stuff at all but I would
think this would be enough to go on?):

01/13/04:22.07 ACTIVE SYSTEM ATTACK!
Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
Jan 13 21:54:55 leeqube2 portsentry[1068]: attackalert: Connect from host:
dpvc-64-222-46-166.prov.east.verizon.net/64.222.46.166 to TCP port: 1080

Jan 13 21:54:55 leeqube2 portsentry[1068]: attackalert: Host 64.222.46.166
has been blocked via wrappers with string: "ALL: 64.222.46.166"

Jan 13 21:54:55 leeqube2 portsentry[1068]: attackalert: Host 64.222.46.166
has been blocked via dropped route using command: "/sbin/route add -host 
64.222.46.166 reject"

Jan 13 21:54:56 leeqube2 portsentry[1068]: attackalert: Connect from host:
dpvc-64-222-46-166.prov.east.verizon.net/64.222.46.166 to TCP port: 1080

Jan 13 21:54:56 leeqube2 portsentry[1068]: attackalert: Host: 64.222.46.166
is already blocked. Ignoring


So is this not enough?

As to your note that they might fix them and not tell me: that yields a
quandary. I almost never see the same problem info whether I report them or
not (?). Maybe others report them?

Thanks so much for the info.

Chuck
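
The criteria quoted above (time stamps with a time zone, a log sample, brief and to the point, no attachments) and the "did the attacks stop after notification" question can both be mechanised against portsentry output of the kind shown in this thread. The following is an added example, not code from the original post or from DShield: it parses the syslog-style `attackalert` lines, attaches the sensor's year and UTC offset (both assumed, since syslog carries neither), produces a short plain-text report per source, and counts attempts seen after a notification time. The log sample inside it is constructed, modelled on the format above, and uses documentation addresses.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, modelled on the portsentry "attackalert" lines quoted
# in the post. Addresses are from the 192.0.2.0/24 documentation range.
SAMPLE_LOG = """\
Jan 13 21:54:55 leeqube2 portsentry[1068]: attackalert: Connect from host: host-192-0-2-77.example.net/192.0.2.77 to TCP port: 1080
Jan 13 21:54:55 leeqube2 portsentry[1068]: attackalert: Host 192.0.2.77 has been blocked via wrappers with string: "ALL: 192.0.2.77"
Jan 13 21:54:56 leeqube2 portsentry[1068]: attackalert: Connect from host: host-192-0-2-77.example.net/192.0.2.77 to TCP port: 1080
Jan 13 21:54:56 leeqube2 portsentry[1068]: attackalert: Host: 192.0.2.77 is already blocked. Ignoring
Jan 13 22:10:03 leeqube2 portsentry[1068]: attackalert: Connect from host: 192.0.2.200/192.0.2.200 to TCP port: 23
"""

# Only the "Connect from host" lines describe an inbound probe; the
# "blocked" / "already blocked" lines are local policy actions and are skipped.
CONNECT_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\S+ portsentry\[\d+\]: attackalert: Connect from host: "
    r"(?P<name>\S+)/(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<proto>TCP|UDP) port: (?P<port>\d+)$"
)

# Syslog lines carry neither year nor zone, so the caller supplies the
# sensor's year and its UTC offset. UTC-5 is an assumption for the sample.
SENSOR_TZ = timezone(timedelta(hours=-5))


def parse_attackalerts(text, year=2004, tz=SENSOR_TZ):
    """Return one event dict per connection attempt, with a zone-aware timestamp."""
    events = []
    for line in text.splitlines():
        m = CONNECT_RE.match(line.strip())
        if not m:
            continue
        naive = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                  "%Y %b %d %H:%M:%S")
        events.append({
            "ts": naive.replace(tzinfo=tz),
            "name": m["name"],
            "ip": m["ip"],
            "proto": m["proto"],
            "port": int(m["port"]),
            "raw": line.strip(),
        })
    return events


def summarize_by_source(events):
    """Collapse events into one record per source IP: first/last seen, count, ports."""
    by_ip = {}
    for e in events:
        rec = by_ip.setdefault(e["ip"], {"name": e["name"], "first": e["ts"],
                                         "last": e["ts"], "count": 0, "ports": set()})
        rec["first"] = min(rec["first"], e["ts"])
        rec["last"] = max(rec["last"], e["ts"])
        rec["count"] += 1
        rec["ports"].add(f"{e['proto']}/{e['port']}")
    return by_ip


def build_report(events, ip, max_log_lines=5):
    """Plain-text abuse report for one source: zone-qualified timestamps,
    a short summary, a few raw log lines inline, no attachments."""
    rec = summarize_by_source(events)[ip]
    lines = [
        f"Subject: unsolicited connection attempts from {ip}",
        "",
        f"Source: {ip} ({rec['name']})",
        f"First seen: {rec['first'].isoformat()}",
        f"Last seen:  {rec['last'].isoformat()}",
        f"Attempts: {rec['count']} to {', '.join(sorted(rec['ports']))}",
        "Times are sensor-local with UTC offset shown; first seen in UTC: "
        f"{rec['first'].astimezone(timezone.utc).isoformat()}",
        "",
        "Log excerpt (portsentry, syslog format, year and zone as above):",
    ]
    lines += [e["raw"] for e in events if e["ip"] == ip][:max_log_lines]
    return "\n".join(lines)


def attempts_after(events, ip, notified_at):
    """Attempts from ip strictly after the ISP was notified: the 'did it stop' signal."""
    return sum(1 for e in events if e["ip"] == ip and e["ts"] > notified_at)


if __name__ == "__main__":
    evs = parse_attackalerts(SAMPLE_LOG)
    print(build_report(evs, "192.0.2.77"))
```

The report keeps the raw lines so the recipient can match them against their own records, and the `attempts_after` count is what you would compare across notified and un-notified sources to get at the measurement problem Johannes describes.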
