On Fri, 3 Oct 2008, Christopher Morrow wrote:
relevant information in a useful format about abuse/use of their downstream networks. When I was at AS701 there were consistently folks who'd say this or that customer is obviously bad, why hadn't we disconnected them? When looking through abuse tickets for issues we could bring to management as ammo for disconnection, often a majority of complaints related to the customer in question were not complete, didn't have enough information, didn't have ANY information in them.
How can we, as a community, get better at providing complete and useful information (ip, timestamp+timezone, act-that-caused-ire)? How can we, as a community, get better at tying together the bits and pieces that are one issue? (atrivo/intercage/ukrtelecom/hostfresh)
Is it that time of the year again for our annual discussion? There is a large crowd of motivated people, but often they don't seem to know how to put together everything they've done into an actionable package. They get frustrated, and it usually declines into the "ISPs suck" debate. Even security vendors selling things don't understand what is needed to quickly process abuse complaints (e.g. many examples from useless logs generated by IDS/personal firewalls). Would some current (or former, since the lawyers get a bit antsy) abuse desk folks from ISPs like to talk about putting together a training session about how to build and present an effective network abuse case to an ISP/LEA?