
Intrusion Detection FAQ: What are some things that one can do to best elicit cooperation from ISPs in tracking an attacker?

ISPs, in general, can't give out account information about their users. Many are willing to warn the user and possibly disable the account. What they need from you is an excerpt of the log entries that led you to conclude that one of their IP addresses was involved in the incident. Be certain to explicitly state the time zone the attacked system is located in. If the sensor or system that produced the logs is synchronized to a time server, be certain to provide that information as well.
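As an added illustration (not part of the original FAQ), the script below assembles the kind of excerpt described above from a local firewall log: it pulls only the lines attributed to the suspect address, states the log's time zone and UTC offset explicitly, converts each timestamp to UTC alongside the local time, and records whether the logging host was NTP-synchronized. The log format, hostname, IP addresses, times and NTP server name are all constructed placeholders.

```python
"""Assemble the evidence an ISP abuse desk needs from local logs.

Added example, not from the original FAQ. It assumes a syslog-style
firewall log format; the IP addresses, hostname, times and NTP server
below are constructed placeholders.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: four firewall lines in *local* time, no zone in the line.
SAMPLE_LOG = """\
2024-03-05 02:14:07 gw1 kernel: DROP IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP DPT=22
2024-03-05 02:14:09 gw1 kernel: DROP IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP DPT=23
2024-03-05 02:15:30 gw1 kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443
2024-03-05 02:16:41 gw1 kernel: DROP IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP DPT=3389
"""

# The attacked system's zone, stated as a fixed offset so the report stays
# unambiguous even across a DST change (constructed: UTC-5, labelled EST).
LOCAL_TZ = timezone(timedelta(hours=-5), "EST")

# Timestamp, host, source address and destination port of a syslog-style line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) .*?"
    r"SRC=(?P<src>\S+) .*?DPT=(?P<dport>\d+)"
)


def extract_events(log_text, suspect_ip, local_tz):
    """Return (local_dt, utc_dt, raw_line) for each line whose SRC is suspect_ip."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("src") != suspect_ip:
            continue
        local_dt = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S").replace(tzinfo=local_tz)
        events.append((local_dt, local_dt.astimezone(timezone.utc), line))
    return events


def build_report(log_text, suspect_ip, local_tz, ntp_source=None):
    """Render a plain-text excerpt: explicit zone, clock-sync statement, raw lines."""
    events = extract_events(log_text, suspect_ip, local_tz)
    if not events:
        return f"No log entries found for {suspect_ip}; nothing to report.\n"
    first_local = events[0][0]
    offset = first_local.strftime("%z")          # e.g. "-0500"
    sync_line = (f"NTP-synchronised to {ntp_source}" if ntp_source
                 else "NOT synchronised to a time server (local clock only)")
    lines = [
        f"Abuse report: {len(events)} event(s) from {suspect_ip}",
        f"Log time zone: {first_local.tzname()} (UTC{offset[:3]}:{offset[3:]})",
        f"Clock source: {sync_line}",
        "",
        f"{'Local time':<24} | {'UTC':<24} | Raw log line",
    ]
    for local_dt, utc_dt, raw in events:
        lines.append(
            f"{local_dt.strftime('%Y-%m-%d %H:%M:%S %Z'):<24} | "
            f"{utc_dt.strftime('%Y-%m-%d %H:%M:%S UTC'):<24} | {raw}"
        )
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_report(SAMPLE_LOG, "203.0.113.45", LOCAL_TZ, ntp_source="ntp.example.net"))
```

Keeping the raw lines verbatim next to the converted timestamps lets the ISP's abuse desk check the conversion themselves; the fixed-offset zone avoids the ambiguity of a bare "EST" or "local time" label in the hour around a daylight-saving change.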

Don't expect too much from an ISP. Remember, they are in business to provide Internet access, not police it. Respect their problems and issues, and try to work with them. If a particular ISP refuses to work with you even after you have provided evidence that repeated attacks are coming from their domain, try to talk to a manager or supervisor. As a last resort, you can always block all traffic to and from that ISP into your networks. However, be aware that this can easily backfire, causing you more problems than the original intrusion attempt itself.