The proper way is not to do it completely automatically. Ever!
If you really have some good heuristics that can sort out a real
"attack" from just a user typing the wrong address in some sort of
client, maybe you could produce a mail template or something that the
user could forward, preferably after reading and understanding it...
Some side notes:
1. Any reporting to abuse departments must include *known correct*
timestamps, including the time zone used. For example "Time is MET-DST
continuously synchronized with NTP to stratum 3". Otherwise the report
is useless (at least provided the attack came from a dynamic address).
I've seen ISPs cancelling dial-up accounts (or claiming they did) from
a report with no time zone stated (and it was *not* the zone the ISP
probably guessed!) and without asking about the correctness of the time
stamps. That's a bit too responsive. I've seen plenty of firewalls with
a completely inaccurate local time (and date, and sometimes the year :^)
2. As often stated, many "attacks" can be spoofed.
3. When getting a dynamic address, some traffic aimed for the previous
user of that address is often received. That is not an attack :-)
4. Any (well, most) automatic reporting could be fooled and used against
you. If I know a bunch of targets using it, I could send lots of spoofed
attacks, creating a large number of bogus mails.
Many many other issues are involved. I forecast this thread to be huge
:-)
regards
Rasmus Andersson
WM-data Security http://www.wmdata.se/security
Löjtnantsgatan 25, Box 27307, 102 54 Stockholm
Tel: +46-(0)8-459 10 46, +46-(0)70-535 14 21
Fax: +46-(0)8-459 10 45
raane_at_wmdata.com PGP Id:70650262
Robert Graham wrote:
> Could abuse_at_isp people please send me e-mail:
> * what is the proper way a product like BlackICE Defender should assist the
> user in reporting such events?
> * what should I tell this user about why we haven't put such a simple
> feature into the product?
>
> Thanks,
> Robert Graham
> CTO/Network ICE
Received on Mar 02 2000
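Side note 1 (known-correct timestamps with the zone stated) and the "mail template the user forwards" suggestion lend themselves to a small worked example. The Python below is an added illustration, not code from the original post nor from BlackICE Defender or Network ICE. It assumes a constructed firewall log format, a firewall whose clock is in UTC+01:00 with no DST in effect (labelled in the code), and a caller that already knows whether the clock is NTP-synchronized; it builds a draft report with unambiguous timestamps, checks that no timestamp lacks an offset, and deliberately sends nothing.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption (added example): the firewall logs naive local wall-clock time and
# sits in Central European Time, UTC+01:00, with no DST on 2 March. A real
# deployment reads the zone from the host configuration; it never guesses it.
LOCAL_TZ = timezone(timedelta(hours=1), "CET")

# Constructed sample log lines in an assumed format, not from the original post.
SAMPLE_LOG = """\
2000-03-02 14:05:17 src=10.11.12.13 dport=139 action=block
2000-03-02 14:05:18 src=10.11.12.13 dport=139 action=block
2000-03-02 14:05:19 src=10.11.12.13 dport=12345 action=block
garbage line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) src=(\S+) dport=(\d+) action=(\w+)$")
# Any ISO-style timestamp, and the subset that carries an explicit offset or Z.
NAIVE_TS_RE = re.compile(r"\d{4}-\d\d-\d\d[ T]\d\d:\d\d:\d\d")
AWARE_TS_RE = re.compile(
    r"\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d+)?(?:Z|[+-]\d\d:\d\d)")


@dataclass
class Event:
    when: datetime  # always timezone-aware
    src: str
    dport: int
    action: str


def parse_log(text, local_tz, clock_synced):
    """Attach the firewall's real zone to each naive log timestamp.

    Refuses to produce anything if the clock is not known to be synchronized:
    a confidently worded report built on a wrong clock is exactly how an
    innocent dial-up user gets their account cancelled.
    """
    if not clock_synced:
        raise ValueError("local clock not known-good; refusing to build a report")
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # not in the assumed format; skip rather than guess
        naive = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append(Event(naive.replace(tzinfo=local_tz),
                            m.group(2), int(m.group(3)), m.group(4)))
    return events


def stamp(dt):
    """Local time with its explicit offset, followed by the same instant in UTC."""
    return f"{dt.isoformat()} = {dt.astimezone(timezone.utc).isoformat()}"


def build_report(events, ntp_stratum):
    """Return a draft for the user to read and forward; nothing here sends mail.

    The draft states the time source and zone up front, and asks the ISP to
    check rather than act, since the source may be spoofed or may be a dynamic
    address already handed to someone else.
    """
    if not events:
        raise ValueError("nothing to report")
    by_src = {}
    for ev in events:
        by_src.setdefault(ev.src, []).append(ev)
    tzname = events[0].when.tzname()
    lines = [
        "DRAFT abuse report (review before forwarding)",
        f"Clock: continuously synchronized with NTP (stratum {ntp_stratum}).",
        f"Times are local {tzname} with UTC offset, followed by the same time in UTC.",
        "The source address may be spoofed, or may be a dynamic address reassigned",
        "since the traffic was seen; please check your own logs before acting.",
        "",
    ]
    for src, evs in by_src.items():
        lines.append(f"Source {src}: {len(evs)} blocked packets, "
                     f"first {stamp(evs[0].when)}, last {stamp(evs[-1].when)}")
        ports = sorted({e.dport for e in evs})
        lines.append(f"  destination ports: {', '.join(map(str, ports))}")
    return "\n".join(lines)


def timestamps_carry_offset(report):
    """Pre-forward check: every timestamp in the text must state its UTC offset."""
    naive = len(NAIVE_TS_RE.findall(report))
    aware = len(AWARE_TS_RE.findall(report))
    return naive > 0 and naive == aware
```

The check in `timestamps_carry_offset` is the cheap guard against the report the post complains about: one that reads "2000-03-02 14:05:17" with no zone, which the recipient then interprets in whatever zone they happen to assume. Feeding `clock_synced=False` is a stand-in for "NTP status unknown"; the example refuses rather than producing a report that looks authoritative but is not.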