Have you ever caught anyone hacking your systems? Did you notify the offender's ISP? If so, I hope the ISP acted expediently to stop the intruder—in some cases, ISPs don't. Some ISPs prioritize money and customer relations before Internet security. I know from experience.
About a month ago, one of my systems alerted me that an intruder was repeatedly conducting suspicious probes and making various connection attempts to the system's Web services. After quick analysis, I decided that the Nimda worm had infected the intruder's system. Because Nimda attacks many systems in rapid succession, I immediately sent an email about the situation to the intruder's ISP, which promptly responded that it would take care of the problem. When the attacks didn't stop immediately, I assumed that the ISP was working to identify the intruder and would soon help the user remove the worm or would simply take down the link until the user fixed the systems.
I waited patiently—for almost 24 hours—but the attacks continued. I again contacted the ISP support representative by email and asked him to immediately stop his customer's systems from attacking my network. He responded quickly, saying that the ISP was working on the problem. Apparently, he had tried to contact the customer, but because it was the weekend, he couldn't get through. He had left a voicemail for the customer to contact him as soon as possible. Again, I waited patiently for another 24 hours for the attacks to stop.
On Monday, the attacks hadn't stopped, so I called the ISP support group to express my concern. After I re-explained the situation, including the fact that the attacks had been going on for 48 hours, the representative told me that the company still couldn't contact the customer. I asked, "Why don't you just take down the link? That should get a quick response." I was shocked when he said, "Well, they're a paying customer, and we can't just unplug their link like that."
I was dumfounded. I asked the representative if he realized that the customer's system was spreading a dangerous worm to hundreds, if not thousands, of systems per hour, and he said that he was aware of the situation. I suggested that it was the ISP's moral duty to help protect the Internet, and once more I suggested that he immediately take down the customer's link. He again said he couldn't do that because the ISP was obligated to provide services for payment. That's when push came to shove.
I politely asked the representative to put a manager on the phone, but he was hesitant to do so, insisting that the company would correct the matter soon. Well, 48 hours had already passed, so "soon" to them must have meant, "as soon as we can without irritating the customer and risking losing revenue." I was appalled. I asked whether he'd prefer that I contact law enforcement, and of course, he said no and again asked me to give them some more time. Well, I'd already given them 2 days—how much time did they want?
It was then that I decided to tell him that I work for Windows 2000 Magazine as a news reporter and that he was giving me a fabulous story where I could place his company in the spotlight for all the wrong reasons. "Just a minute!" the representative said as he placed me on hold. Soon an apologetic manager came on the line and said that he was taking the link down as we spoke. I checked my monitoring software to see whether the attacks would stop, and sure enough, they did.
Why did I have to respond this way to get the ISP to cooperate in protecting my network and the Internet in general? I decided that some ISPs place profits above security. Such unwise decisions move us all closer to enforced licensing to ensure that Internet users and ISPs use their tools without causing harm—not unlike the requirement for testing drivers before issuing licenses.
In a more recent incident, I found another user who was running a Trojan horse to attack my systems. I immediately contacted the Colorado-based ISP about the matter. The ISP support group asked me to provide details about the apparent intruder, which I did, and within 30 minutes the attacks stopped. The ISP representative contacted me to say that the company was helping the customer remedy the situation—an admirable, prompt response, don't you think?
If you operate any type of network provider service (whether it's an ISP, private business, or personal network), think carefully about your moral obligations to adopt policies that place security first and profits second.