RE: Proper ISP Reporting

["Swen Wulf" <swulf () phonoscope com>]

Hi,

I don't agree with sending your email to all possible email addresses,
i.e. hostmaster, postmaster, helpdesk, info, noc, snoc and so on. The
reason is that you want help with a security incident, not with sales,
noc or postmaster. If you for example sent it to postmaster, it goes to
the guy who deals with mail problems, if you sent it to their helpdesk,
you might generate a ticket for their 1st level support, who in turn
forwards it to the abuse contact internally, who would get it from you
anyway....

The guy who deals with the abuse really likes to have a phone call from
sales, helpdesk and their noc to tell him what he really already knows.
So, if there is an abuse contact, use that one. If there is not, be my
guest and send your email to what you can come up with for email
addresses.

Most ISP have a abuse contact listed when you do a whois query. You can
do that on a website, like here: http://www.theworldsend.net/whois.php
and enter the offending IP address.

Looking up 4.1.1.1

Output:
[Querying whois.arin.net]
[whois.arin.net]

OrgName:    Level 3 Communications, Inc. 
OrgID:      LVLT
Address:    1025 Eldorado Blvd.
City:       Broomfield
StateProv:  CO
PostalCode: 80021
Country:    US

ReferralServer: rwhois://rwhois.level3.net:4321

NetRange:   4.0.0.0 - 4.255.255.255 
CIDR:       4.0.0.0/8 
NetName:    LVLT-ORG-4-8
NetHandle:  NET-4-0-0-0-1
Parent:     
NetType:    Direct Allocation
NameServer: NS1.LEVEL3.NET
NameServer: NS2.LEVEL3.NET
Comment:    
RegDate:    
Updated:    2004-06-04

OrgAbuseHandle: APL8-ARIN
OrgAbuseName:   Abuse POC LVLT 
OrgAbusePhone:  +1-877-453-8353
OrgAbuseEmail:  abuse () level3 com

OrgTechHandle: ARINC4-ARIN
OrgTechName:   ARIN Contact 
OrgTechPhone:  +1-800-436-8489
OrgTechEmail:  arin-contact () genuity com

OrgTechHandle: TPL1-ARIN
OrgTechName:   Tech POC LVLT 
OrgTechPhone:  +1-877-453-8353
OrgTechEmail:  ipaddressing () level3 com

# ARIN WHOIS database, last updated 2005-08-17 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.


-----Original Message-----
From: McKinley, Jackson [mailto:Jackson.McKinley () team telstra com] 
Sent: Wednesday, August 17, 2005 6:26 PM
To: Jason Burton
Cc: incidents () securityfocus com
Subject: RE: Proper ISP Reporting


 + Contact Information for the Incident Reporter
- Name
- E-mail address 
- Phone number 
- Location (Time zone and country) 
+ Incident Details
- Date/time that the incident was discovered 
- Type of incident (e.g., denial of service, malicious code,
unauthorized access, inappropriate usage) 
- Date/time that the incident occurred (if known) 
- Current status of the incident (e.g., ongoing attack) 
- Source/cause of the incident (if known), including hostnames and IP
addresses 
- Description of the incident (e.g.what occurred) 
+ General Comments

 

Extra notes:
* Remember the person that looks at the email first will most likely be
a low level engineer 1st to 2nd level. Try not to be over technically
but make it clear a "Security person" should look at it.
* Use statements like "Assist with the resolution" and "Help us to solve
this issue"  Make it out that they can work with you to fix it no just
them do it.
* Leave as much info in the logs that you send as possible.  Some times
its easyer to track traffic from its distination rather then its source.
* NEVER EVER EVER EVER say you will do anything legal if they don't fix
it ASAP...  Matter of fact never use the work "legal" in any way.. The
moment you do that you start a new game, and then everything must be
looked at by legal before it goes anywhere.  Thus slowing the process
down a LOT! We all know how good at red tape legal are :P
* I always send to more then 1 address.. Abuse@isp, hostmaster@isp,
postmaster@isp, Helpdesk@isp, noc@isp, gnoc@isp, soc@isp. Are always
good places to start.
* Saying things like we have forward you details to the <Insert Agency
name here> will only have the same effect as point 3.  and they don't
need to know you have done this.
* You can try login it as a Fault with the ISP's helpdesk.  This will
mean they will have call back alarms and PKI's to think of... ;)
* Also expect things to take time.  Personally in the past when I have
worked on abuse reports for ISP's it has taken time to deal with them.
Its not like you can just switch of customer or machine XYZ.. You have
to gather info, look into it from your end, contact the customer, check
with the customers contract / AUE.  Then if the customer does nothing
you can do it.. But that can take some time.
* solve the issue with in your scope of control if you can.  Get you
Upstream to block it (if you have one ;) ) 

Cheers

Jack.

-----Original Message-----
From: Jason Burton [mailto:jab () leximedia net] 
Sent: Wednesday, 17 August 2005 12:02 PM
To: incidents () securityfocus com
Subject: Proper ISP Reporting

Anyone have samples of how to properly report to ISP's regarding abuse?
 
ie. What format the email should be in, sample phrases, or sentences
that might help. I've been doing this for a while and while some work,
some have not. Im wondering if anyone has examples.
 
Thanks
 
Jason Burton
Leximedia LLC
jab () leximedia net