> i've had absolutely no luck getting the source isp's to care about
> the problems i've seen at my home firewall in recent weeks.
hehe... I know the feeling. With DShield, we try hard to send out
correlated and filtered reports in a standardized format to valid
'contact' addresses. There are some success stories, but more misses
than hits overall.
I think these efforts would get a lot of attention if there were two
changes to the notification procedure:
1. The notice started by saying "This is a notice according to the
procedures of the ISP-ISAC which operates in coordination with the FBI's
NIPC(National Infrastructure Protection Center)". Of course before you can
put this notice in your email the industry would first have to create the
ISP-ISAC (see http://www.nipc.gov/infosharing/infosharing6.htm for background) and the ISAC would have to agree on some basic procedures
for notifying other ISPs when network abuse occurs. But this is not rocket
science and I think a half-dozen of the larger ISPs could kick this off
with some kind of a BOF at NANOG.
2. If the email notice doesn't get a response, follow it up with a letter
on paper to the company concerned and include another letter explaining
the benefits of being an active participant in the ISAC (Information
Sharing and Analysis Center). The paper letter could be addressed to the
legal department because this really is a compliance issue. In other words
the time could come when companies who do not comply with industry
standards for cooperation in addressing network abuse will find themselves
facing lawsuits. If you can get a company's legal department to agree that
participation in an ISAC is a good way to cover their ass, then you will
find it a lot easier to get inter-company cooperation.
The other ISACs can be of use too. Imagine that you have a DDOS in
progress and you can track it back to a number of compromised servers.
Some of them are colocated so the ISP-ISAC would directly notify the
hosting companies concerned. Some of them belong to companies who appear
to be in the financial services industry so you notify the FS-ISAC about
those ones. Some of the servers appear to be suffering from security holes
that are introduced by using default install options for the O/S so you
notify the IT-ISAC about those ones.
Before long the members of the FS-ISAC are requiring their business
partners to secure their Internet servers, the OS vendors are tightening
up baseline OS security and the hosting companies are securing or shutting
down compromised servers. The press reports on all of this activity and
managers in all types of businesses and organizations start asking
searching questions about the security of their own infrastructure. Or
maybe the FS-ISAC gets all bank managers to ask questions about security
as part of their regular business review meetings with customers.
All of this requires an ISAC dedicated to the purpose of analyzing and
stamping out network abuse.
--Michael Dillon