I'm tracking down an individual that has attacked both my personal site, as
well as one of my customers' sites. In this particular attempt, when his
'normal' site was blocked by IP address, he immediately started to use
dial-up sites all over his local area, then ranged further into the US.
On my system, he had installed a password sniffer. I suspect that this was
a common mode of operation for him.
Naturally, I logged all of the attempts at the router level. I emailed the
logs to the origin ISPs, and (with one notable exception) was met with huge
indifference. In the queries, I am asking only for a confirm/deny of the
user's name - I am not asking the ISPs involved to release the name of the
dialup users. That, of course, will come later. Right now, I'm just trying
to confirm that the same individual is launching the attacks.
A police report has been filed, and a restraining order will be served
tomorrow.
What's a better way to ask for, and obtain log information in a timely
fashion? Wait 6 months for a court trial, when everyone has purged their
logs?

The sad thing is, until you have a court order, the other ISP isn't
necessarily obligated to help you. There is no law stating that they
have to turn logs over to you. It's usually up to the other admins, but
every time I've had this problem, we've gotten really good responses from
the offender's provider.
I don't know who you spoke with, but you might try going to an owner if
you only spoke to an admin. Owners tend to take attacks coming from their
sites a lot more seriously than admins do, and would probably be a much
better point of contact. I'm sure given the fact that your business is
severely affected by these attacks and that it would be greatly
appreciated if he'd/they'd help you out before the story broke the news
(what hurts a business more than bad publicity?) and you'd really like him
to cooperate fully. After niceness hasn't worked, you could always
threaten with a civil suit of some kind...
Just remember to be nice before you start playing hardball.
Regards,
Joe Shaw - jshaw@insync.net
NetAdmin - Insync Internet Services
"Learn more, and you will never starve." - Paraphrase of Lee

The appropriate behavior, methinks, is to trap the requested
information (if it all seems like a reasonable request), file it for
yourself, and to inform the other side that you will turn it over when
summoned by a court (or whatever makes you comfortable.)
That's what the telcos do with phone numbers such as someone making a
harassing call to you right this moment (eg, you call them on another
phone), I think the term is "wire record", they trap the info and file
it appropriately and await a proper (legal) request. It seems
reasonable.