Firewall Wizards mailing list archives

Re: Recent Attacks


From: Transistor Sister <raven () kalypso cybercom net>
Date: Sat, 19 Feb 2000 11:10:46 -0500 (EST)


On Wed, 16 Feb 2000, Barrett G. Lyon wrote:

You need to figure out who is actually doing the attack and notify their
providers with a clean description of what actually took place.  If the
attack is too big to wait you get on the phone immediately and make it
someone else's problem as well.  If it is real bad you can even involve
your upstream provider(s) and have them put filters in place on their
end of the network.  [ Large providers hate doing this, yet if you
bark enough they will listen. ]

What I am finding more and more is that ISPs are less and less willing to
disclose any information about their customers. For example, I work for a
medium-sized ISP. One of our machines was compromised about 2 weeks ago,
and this server was then used to SYN flood and smurf foreign hosts. I
traced this address back to a large ISP, who at first completely refused
to assist me, and after a hassle, referred me to their operations center
in Europe, who referred me back to their US operations center where I
started in the first place. My simple request was for the ISP who provided
the address to the attacker in the first place, as my goal was to notify
them that they had potentially been compromised and to inquire about this
ISP's acceptable use policy. It has been 12 days, and still my request has
gone unanswered after a series of more requests and ranting. Now I am told
that this information will not be released to me unless my company issues a
subpoena for it.

Is it me, or is this absolutely ridiculous? If ISPs are supposed to assist
each other in tracking down and stopping these attacks, and if sharing
information about attacks is so important, why are we now playing secret
squirrel with each other? 




