Inter-ISP security procedures?

Hi!

Could someone please point me to BCP documents or products that permit
an ISP to better interact with its peers/upstreams in case of DoS and
worm attacks that cross ISP network boundaries?

The approach I have seen so far involves a judicious combination of
abuse@isp emails and frantic phone calls to NOC contacts.

Thanks!
Rajesh.

Please see Clifford Stoll's book The Cuckoo's Egg for a description
of tracking an intruder across various PSTN, PSDN and Internet providers.

I haven't seen a better description of the process.

It's sad we've not gotten any better at it in the 15 years since then.

> Please see Clifford Stoll's book The Cuckoo's Egg for a description
> of tracking an intruder across various PSTN, PSDN and Internet providers.
> I haven't seen a better description of the process.

And there were, what?, three US ISPs back then?

And when Stanford was getting hacked, where was BBN...
Answer: right on the Stanford campus, in Stanford buildings!

We don't have the same Internet architecture as we had
during The Cuckoo's Egg era.

-mark

Funny thing is there seem to be about the same number of internet security
folks working at the ISPs now as at the time of the book's writing :)

Most times our procedures fall back to:
1) do a whois on the domain name of the ISP in question
2) call the NOC number listed
3) try to work your way around to a security-type person
4) end up emailing logs of the incident to noc@
5) wait and hope they respond quickly with something helpful :)

Depending on the carrier things can be good, or very bad.
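Steps 1 and 2 of the fallback procedure above are the part that can be scripted: pull the abuse and NOC contacts out of a whois record before anyone picks up the phone. The following is an added example, not code from anyone in this thread. It parses key/value whois output in the two common styles (ARIN-style `OrgAbuseEmail`/`OrgNOCPhone` fields and RIPE-style `abuse-mailbox`/`phone` attributes); the two responses embedded in it are constructed samples with placeholder organisations and RFC 5737 address ranges, and the helper names (`parse_whois`, `extract_contacts`, `valid_email`) are this example's own.

```python
"""Extract abuse and NOC contacts from whois-style output.

Added example, not from the thread. Both whois responses below are
CONSTRUCTED samples imitating the ARIN and RIPE key/value layouts; real
registry output varies, so the key lists are deliberately broad.
"""
import re
from collections import defaultdict

# Constructed ARIN-style response (placeholder org, example.net addresses).
ARIN_SAMPLE = """\
NetRange:       192.0.2.0 - 192.0.2.255
OrgName:        Example Transit Inc
OrgNOCHandle:   NOC-EXAMPLE
OrgNOCPhone:    +1-555-0100
OrgNOCEmail:    noc@example.net
OrgAbuseHandle: ABUSE-EXAMPLE
OrgAbusePhone:  +1-555-0199
OrgAbuseEmail:  abuse@example.net
"""

# Constructed RIPE-style response (comment lines start with '%').
RIPE_SAMPLE = """\
% This is a constructed sample, not real RIPE output.
inetnum:        198.51.100.0 - 198.51.100.255
netname:        EXAMPLE-NET
abuse-c:        AR12345-RIPE
role:           Example Network Operations
phone:          +44 20 5550 0100
abuse-mailbox:  abuse@example.org
"""

# "key:   value" lines; keys may contain '-' (RIPE) or mixed case (ARIN).
FIELD_RE = re.compile(r"^\s*([A-Za-z][\w-]*):\s*(.*?)\s*$")
# Minimal shape check: whois data is untrusted input, so do not paste a
# "contact" into a mail client without at least validating its form.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

ABUSE_EMAIL_KEYS = ("orgabuseemail", "abuse-mailbox")
NOC_EMAIL_KEYS = ("orgnocemail", "e-mail", "email")
PHONE_KEYS = ("orgabusephone", "orgnocphone", "phone")


def parse_whois(text):
    """Return {lowercased key: [values...]}, skipping blank and comment lines."""
    fields = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("%", "#")):
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).lower()].append(m.group(2))
    return fields


def valid_email(addr):
    """True if addr looks like a mailbox; rejects empty and malformed values."""
    return bool(addr and EMAIL_RE.match(addr))


def extract_contacts(text):
    """Pick the abuse mailbox, a NOC mailbox and every listed phone number."""
    fields = parse_whois(text)

    def first_valid_email(keys):
        for key in keys:
            for value in fields.get(key, []):
                if valid_email(value):
                    return value
        return None

    return {
        "abuse_email": first_valid_email(ABUSE_EMAIL_KEYS),
        "noc_email": first_valid_email(NOC_EMAIL_KEYS),
        # Abuse desk numbers first, then NOC, then generic 'phone' attributes.
        "phones": [v for key in PHONE_KEYS for v in fields.get(key, [])],
    }


if __name__ == "__main__":
    for label, sample in (("ARIN-style", ARIN_SAMPLE), ("RIPE-style", RIPE_SAMPLE)):
        print(label, extract_contacts(sample))
```

In practice the text fed to `extract_contacts` would come from a `whois` query against the registry for the offending netblock; the sample strings stand in for that here so the script runs offline. Note that a RIPE `abuse-c` handle points at a separate role object, so on a live query you would typically have to fetch that object too before the `abuse-mailbox` line appears.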

I would love to become educated on today's process. Please share
how the inter-ISP security procedures have changed.

> I would love to become educated on today's process. Please share
> how the inter-ISP security procedures have changed.

Oh, I get it now. Your initial comment was a subtle dig at how the
inter-ISP security procedures haven't changed, despite the
considerable change in the complexity of the network, number of
organizations involved, etc.

However, I think it was too subtle... I didn't get it, and I think
chris@uu.net and Valdis.Kletnieks@vt.edu also didn't get it. I don't
think they would have posted messages saying the same thing as your
hidden meaning.

So, Sean, I think you need to be more blunt.
It's hard enough wading through spoof messages
without having to search for hidden sarcastic meaning :)

-mark

> However, I think it was too subtle... I didn't get it, and I think
> chris@uu.net and Valdis.Kletnieks@vt.edu also didn't get it. I don't
> think they would have posted messages saying the same thing as your
> hidden meaning.

Hmm.. and here I *thought* I got it... or did I?

OK, so there is my point. Back in those days the network security
folks would often find themselves in the same lunch line as the "ISP"
security folks. And they were available by phone with just a four
digit extension.

In the 1980's, finding the four digit extension, the exchange it was in, and
the area code to use could be *quite* interesting if you were *NOT*
one of the anointed people in the lunch line.

Cliff Stoll didn't have any easy time finding people in 1987. Further,
consider the two attached messages, which Dave Mills apparently posted because
he couldn't find phone numbers or email addresses for the culprits(*).

Then consider the weekly "can a security guy with a clue from XYZnet
please call me?" postings, and ask if we *have* learned anything....

/Valdis

(*) OK - I admit it. One of the offending boxes was one of mine - it
was a Gould PN/9808, and at 12MIPS it noticed a few packets/sec a lot less
than a Fuzzball did. That, and at the time I was busy moving to a new
job and not paying as close attention. It got fixed as soon as I saw the
postings...