The ISPs need to put a system in place where they can work together to quickly trace and isolate the source of any attack. Perhaps the vendors need to develop some mechanisms to facilitate this.
A good deal of this technology is in place already, but based on my experience, most ISPs just aren't using it or aren't acting on the data. I don't know if it's because of the administrative cost of managing a secure network, the tight market for talented personnel, or what, but it's really annoying when I go to the trouble of reporting security incidents and nothing happens.

This week's logs on my very small network show:

10 events of a user on best.net trying to connect to my RPC port:

    UTC 02/11/2000 02:45:20.784 TCP connection dropped Source:209.24.82.10, 3714, WAN Destination:209.31.7.40, 111, LAN

Best.net's security people said "that box was compromised, block access to the IP address while it's fixed." Huh? How come best.net is letting their users send this crap out? If I can filter in-bound, they can filter out-bound while they fix the system.

5 events of a user at a Korean site running nmap or some other scanner against TCP port 1 on each of my public addresses:

    UTC 02/13/2000 06:22:26.576 TCP connection dropped Source:211.45.145.2, 3272, WAN Destination:209.31.7.41, 1, LAN

The Korean ISP didn't respond.

Two weeks ago I got:

    UTC 02/05/2000 07:32:05.944 Sub Seven Attack Dropped Source:209.245.74.63, 1242, WAN Destination:209.31.7.41, 1243, LAN

Level3.net still hasn't responded to that. Ad nauseam.

Every week I get probed, hacked on, ping-o-death'd and more, while every week I send copies of the log to the source's security@isp. 30% of the time security@ is an invalid mailbox that bounces (which is why I also cc: abuse@isp), 60% of the time the message is ignored or not responded to, and only 10% of the time do I get a response that some form of action might be taken if they can figure out which user had the IP address at that moment. So, based on my experience, the ISP community isn't taking advantage of the tools they have to do their own enforcement.
It would seem to me that the first step in saying "we can take care of this ourselves" is to prove that you're credible. If I were asked, I'd say that the quality of self-policing to date has been quite miserable.

-- 
Eric A. Hall
ehall@ehsco.com
+1-650-685-0557
http://www.ehsco.com
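As an added example (not part of the post above), the following parses firewall log lines in the exact format quoted in the post, groups the dropped events by source address, and classifies each source's pattern so that a report to the ISP's security@/abuse@ contact can say what was seen rather than just paste raw lines. The three log lines from the post are reused; the extra lines, the field names and the classification thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log: the three events quoted in the post plus constructed
# extra lines (a second RPC attempt and two more port-1 probes) to show grouping.
SAMPLE_LOG = """\
UTC 02/11/2000 02:45:20.784 TCP connection dropped Source:209.24.82.10, 3714, WAN Destination:209.31.7.40, 111, LAN
UTC 02/11/2000 02:45:23.101 TCP connection dropped Source:209.24.82.10, 3715, WAN Destination:209.31.7.40, 111, LAN
UTC 02/13/2000 06:22:26.576 TCP connection dropped Source:211.45.145.2, 3272, WAN Destination:209.31.7.41, 1, LAN
UTC 02/13/2000 06:22:26.601 TCP connection dropped Source:211.45.145.2, 3273, WAN Destination:209.31.7.42, 1, LAN
UTC 02/13/2000 06:22:26.633 TCP connection dropped Source:211.45.145.2, 3274, WAN Destination:209.31.7.43, 1, LAN
UTC 02/05/2000 07:32:05.944 Sub Seven Attack Dropped Source:209.245.74.63, 1242, WAN Destination:209.31.7.41, 1243, LAN
"""

# One log line: timestamp, free-text event name, then source/destination tuples.
LINE_RE = re.compile(
    r"^UTC (?P<date>\d\d/\d\d/\d{4}) (?P<time>[\d:.]+) (?P<event>.+?) "
    r"Source:(?P<src>[\d.]+), (?P<sport>\d+), WAN "
    r"Destination:(?P<dst>[\d.]+), (?P<dport>\d+), LAN$"
)

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def summarize(log_text):
    """Group dropped events by source IP and label the pattern for an abuse report."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_src[rec["src"]].append(rec)
    report = {}
    for src, recs in by_src.items():
        hosts, ports = {r["dst"] for r in recs}, {r["dport"] for r in recs}
        if len(hosts) > 1 and len(ports) == 1:
            pattern = "horizontal scan"   # one port across several hosts (the port-1 case)
        elif len(hosts) == 1 and len(ports) == 1 and len(recs) > 1:
            pattern = "repeated probe"    # one service hit repeatedly (the RPC case)
        else:
            pattern = "single event"
        report[src] = {"count": len(recs), "hosts": sorted(hosts), "ports": sorted(ports),
                       "events": sorted({r["event"] for r in recs}), "pattern": pattern}
    return report
```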