NANOG 44 (Los Angeles): ISP Security BOF

Sean Donelan sean at
Sat Oct 4 20:31:47 UTC 2008

On Fri, 3 Oct 2008, Christopher Morrow wrote:
> relevant information in a useful format about abuse/use of their
> downstream networks. When I was at AS701 there were consistently folks
> who'd say this or that customer is obviously bad, why hadn't we
> disconnected them? When looking through abuse tickets for issues we
> could bring to management as ammo for disconnection often a majority
> of complaints related to the customer in question were not complete,
> didn't have enough information, didn't have ANY information in them.
> How can we, as a community get better at providing complete and useful
> information (ip, timestamp+timezone, act-that-caused-ire)?
> How can we, as a community, get better at tying together the bits and
> pieces that are one issue? (atrivo/intercage/ukrtelecom/hostfresh)

Is it that time of the year again for our annual discussion?

There is a large crowd of motivated people, but often they don't seem
to know how to put together everything they've done into an actionable
package.  They get frustrated, and it usually declines into the ISPs
suck debate. Even security vendors selling things don't understand what
is needed to quickly process abuse complaints (e.g. many examples from
useless logs generated by IDS/personal firewalls).

Would some current (or former, since the lawyers get a bit antsy) abuse 
desk folks from ISPs like to talk about putting together a training 
session about how to build and present an effective network abuse case
to an ISP/LEA?
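
Added example, not part of the original thread: a pre-submission check for the three items the quoted message asks for (ip, timestamp+timezone, act-that-caused-ire), run over constructed complaints including a bare personal-firewall log line. The function name, the timestamp format it recognises and the word threshold are assumptions made for this illustration.

```python
import ipaddress
import re

# Ranges that never identify a host on the public Internet.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
# Candidate IPv4 tokens; ipaddress decides whether they are valid.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Date and time, with an optional zone (Z, UTC or a numeric offset).
TS_RE = re.compile(r"(\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2})"
                   r"(?:\s?(Z|UTC|[+-]\d{2}:?\d{2})(?!\w))?")
MIN_WORDS = 6  # assumed threshold for "the act is described in words"

def check_report(text):
    """Return the reasons a complaint is not actionable (empty list = ok)."""
    problems = []
    routable = []
    for token in IPV4_RE.findall(text):
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            continue  # looks like an address but is not one
        if not any(addr in net for net in NON_ROUTABLE):
            routable.append(addr)
    if not routable:
        problems.append("no routable IP address")
    stamps = TS_RE.findall(text)
    if not stamps:
        problems.append("no timestamp")
    elif not any(zone for _, zone in stamps):
        problems.append("timestamp has no timezone")
    # What is left after removing addresses and timestamps should say what happened.
    rest = IPV4_RE.sub(" ", TS_RE.sub(" ", text))
    if len(re.findall(r"[A-Za-z]{3,}", rest)) < MIN_WORDS:
        problems.append("no description of the act")
    return problems

# Constructed samples (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges).
GOOD = ("Host 192.0.2.10 sent repeated SSH login attempts to our server "
        "198.51.100.7 at 2008-10-03 14:02:11 -0700; sshd log excerpt attached.")
FIREWALL_LINE = "2008-10-03 14:02:11 DROP TCP 10.0.0.5 192.168.1.20 4431 445"
NO_TIME = "Your customer 192.0.2.10 is attacking us, please shut them down immediately"

if __name__ == "__main__":
    for sample in (GOOD, FIREWALL_LINE, NO_TIME):
        print(check_report(sample) or "actionable")
```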
