On 2016-12-16 08:44, Benoit Panizzon wrote:
> But what can the hoster/registrar do next? Can he contact his
> government's CERT team or the authorities and hand them over the
> customer data, ip addresses used to upload the site etc. to try to get
> hold of the gang behind that fraud as quickly as possible? Or would that
> break the privacy laws and they have to wait to get a subpoena, which
> could take several weeks and give the gang enough time to clear all
> traces?

Awesome question, better to ask beforehand than after ;)

Below all with IMHO and IANAL or working for MELANI etc.....

Reporting to CERT/authorities (read for Switzerland _calling_ MELANI)
that you have in your network such an instance is the required thing to
do if one is a good netizen (and we all are on SwiNOG :) ).

Inform them that you have noticed suspicious XYZ and that you want them
to look at it.

They'll likely ask for a variety of things, at which point authorities
are asking you to release data about your network:
 - IP address(es)
 - hostnames / domains
 - date stamps (UTC, NTP synced)
 - Netflow/IPFIX/sFlow logs

*Flow is a standard 'accounting' procedure, thus having it is there to
account but also to provide logging. Of course make sure there is a
little blurb in whatever EULA that you can change every day.

At one point they'll ask for customer details, at which point, if they
claim they are allowed to do so, you could.

Thus: informing of the event is great; I assume that directly sharing
the IP/hostname is a standard detail nowadays (all the abuse trackers
and other mitigation things do so) and might even be considered 'legal'.
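As an added example (not from this thread or anyone on the SwiNOG list), a small Python script that pulls the flow records touching one host out of a flow export and normalises the date stamps to UTC, i.e. the IP / time-stamp / flow bundle listed above; the CSV column layout, the sample records and the CET (UTC+1) collector offset are all constructed assumptions.

```python
import csv
import io
from datetime import datetime, timezone, timedelta

# Constructed sample: a CSV flow export whose collector wrote local (CET) time.
SAMPLE_FLOWS = """ts,src,dst,dport,bytes
2016-12-16 09:02:11,198.51.100.23,203.0.113.7,443,48213
2016-12-16 09:05:40,192.0.2.9,203.0.113.7,22,1200
2016-12-16 09:40:03,198.51.100.23,203.0.113.7,443,9011
2016-12-16 11:12:55,198.51.100.23,203.0.113.8,80,300
"""

# Assumption: the collector's clock is NTP-synced and stamps in CET (UTC+1).
COLLECTOR_TZ = timezone(timedelta(hours=1))


def parse_flows(text):
    """Parse CSV flow records and convert every timestamp to a UTC-aware datetime."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        local = datetime.strptime(r["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=COLLECTOR_TZ)
        rows.append({
            "ts": local.astimezone(timezone.utc),
            "src": r["src"],
            "dst": r["dst"],
            "dport": int(r["dport"]),
            "bytes": int(r["bytes"]),
        })
    return rows


def flows_for_host(rows, host, start_utc, end_utc):
    """Select flows where `host` is source or destination within [start_utc, end_utc)."""
    return [r for r in rows
            if host in (r["src"], r["dst"]) and start_utc <= r["ts"] < end_utc]


def summarize(rows, host):
    """Build the hand-over summary: first/last seen in UTC, peer IPs, byte total."""
    if not rows:
        return {"host": host, "first_seen": None, "last_seen": None, "peers": set(), "total_bytes": 0}
    peers = {r["dst"] if r["src"] == host else r["src"] for r in rows}
    return {
        "host": host,
        "first_seen": min(r["ts"] for r in rows).isoformat(),  # UTC, ISO 8601
        "last_seen": max(r["ts"] for r in rows).isoformat(),
        "peers": peers,
        "total_bytes": sum(r["bytes"] for r in rows),
    }
```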