SQL Slammer Clean-up: Reporting Upstream

By now you've sent off your abuse reports (http://isc.sans.edu/diary.html?storyid=9664) and have tracked the responses in your spreadsheet. I'd wager that so far you haven't gotten great results in that column. You've likely received bounces saying that the abuse contact doesn't exist, or that the mailbox is full. Others have given you nothing but silence. What next?

It's now time to go up a level. With a little detective work, say a traceroute or a bit of reverse-DNS probing on the hops just before the infected host, you can identify the organization that supplies the IP addresses belonging to the infected system, i.e. its upstream provider. There is a nice guide on how to go about that here: http://www.rickconner.net/spamweb/tools-upstream.html  Add a couple of new columns to your tracking spreadsheet: the upstream provider, its abuse contact, and the date you sent your report to it.

You will want to update your abuse report to take the needs of the upstream contact into consideration. You have to be even nicer, and include the initial abuse report as well as your justification for escalating to the upstream (e.g. the abuse contact does not exist, the mailbox is full, no response after a week, etc.).

Why didn't we report to all levels of upstream contacts in the initial report? My simple answer is crowd psychology. If you send your report to many levels of abuse contacts, and copy SANS and law enforcement, I can guarantee you that nearly all of your recipients are going to ignore your report, thinking that it's someone else's problem to handle.

It's a process, and it will take some time. Don't give up because you got an automated response.

-KL

Kevin Liston

ISC Handler
