adviCe on network security report

Dave Rand dlr at bungi.com
Thu Nov 2 22:09:08 UTC 2006


[In the message entitled "Re: adviCe on network security report" on Nov  2, 16:39, Sean Donelan writes:]
> 
> On Thu, 2 Nov 2006, Dave Rand wrote:
> > I did a study on this a few years ago.  I sent out about 20,000 abuse reports,
> > all by hand, to various network around the world.  They all came from this
> > email address, and were clearly identified as non-robotic, personal messages.
> > There were "many" bounces.
> >
> > Less that 5% received any response.
> >
> > Less than 1% received any action within 30 days.
> 
> An excellent example of not listening to ISP abuse and security folks, and
> what kind of results you get by not working with them.

As mentioned, this was done a few years ago (2000, if I recall correctly).
The idea was to find out what was required, and to deliver a customizable
approach. 

> I know every ISP is different. Some won't respond to anything. Others will 
> do everything possible to figure out your complaint. But listening to the 
> ones in the middle, and figuring out how to work with them will probably 
> help improve things above 1%.
> 
> Because they take so much abuse as part of their normal job, even the 
> most motivated abuse people don't go out of their way to have more 
> people shout "You Suck" at them.  On the other hand, I suspect if they 
> believe you can make their jobs easier and not shout at them, they can be
> very gregarious about what they need.

Over the last few years, I have worked with many ISPs.  The majority of the
problems had little to do with the format/style/volume of abuse complaints,
and a lot to do with empowering the abuse desks to take action.  "you
suck" was not an enabling message :-)

And yes, this has made a significant change in how much abuse comes from those
ISPs, so working with the ISPs does pay off.  Often it is essential to gain
upper management's attention, however, so that the abuse desks can be
empowered to take action.

But the security industry is still just beginning to understand the problems
that are faced by an ISP that suddenly gets 40,000 boxes 0wned.  Delivering
tools that help them deal with these types of problems should be our focus.
Bridging the gap is what is required - it isn't the ISP's fault that the
box got owned, but the abuse that comes from that IP address is their
responsibility to mitigate as best as reasonably possible.


-- 



More information about the NANOG mailing list