i've had absolutely no luck getting the source isp's to care about the problems i've seen at my home firewall in recent weeks.
hehe... I know the feeling. With DShield, we try hard to send out correlated and filtered reports in a standardized format to valid 'contact' addresses. There are some success stories, but more misses than hits overall.
I think these efforts would get a lot of attention if there were two changes to the notification procedure: 1. The notice started by saying "This is a notice according to the procedures of the ISP-ISAC which operates in coordination with the FBI's NIPC(National Infrastructure Protection Center)". Of course before you can put this notice in your email the industry would first have to create the ISP-ISAC (see http://www.nipc.gov/infosharing/infosharing6.htm for background) and the ISAC would have to agree on some basic procedures for notifying other ISPs when network abuse occurs. But this is not rocket science and I think a half-dozen of the larger ISPs could kick this off with some kind of a BOF at NANOG. 2. If the email notice doesn't get a response, follow it up with a letter on paper to the company concerned and include another letter explaining the benefits of being an active participant in the ISAC (Information Sharing and Analysis Center). The paper letter could be addressed to the legal department because this really is a compliance issue. In other words the time could come when companies who do not comply with industry standards for cooperation in addressing network abuse will find themselves facing lawsuits. If you can get a company's legal department to agree that participation in an ISAC is a good way to cover their ass, then you will find it a lot easier to get inter-company cooperation. The other ISACs can be of use too. Imagine that you have a DDOS in progress and you can track it back to a number of compromised servers. Some of them are colocated so the ISP-ISAC would directly notify the hosting companies concerned. Some of them belong to companies who appear to be in the financial services industry so you notify the FS-ISAC about those ones. Some of the servers appear to be suffering from security holes that are introduced by using default install options for the O/S so you notify the IT-ISAC about those ones. Before long the members of the FS-ISAC are requiring their business partners to secure their Internet servers, the OS vendors are tightening up baseline OS security and the hosting companies are securing or shutting down compromised servers. The press reports on all of this activity and managers in all types of businesses and organizations start asking searching questions about the security of their own infrastructure. Or maybe the FS-ISAC gets all bank managers to ask questions about security as part of their regular business review meetings with customers. All of this requires an ISAC dedicated to the purpose of analyzing and stamping out network abuse. --Michael Dillon