[ Dear awesome folks from MELANI: Please present on this subject "being a good netizen" / "What&How to report to MELANI" at next SWINOG :) ]
On 2016-12-16 08:44, Benoit Panizzon wrote: [..]
But what can the hoster/registrar do next? Can he contact his government's CERT team or the authorities and hand over the customer data, IP addresses used to upload the site, etc., to try to get hold of the gang behind that fraud as quickly as possible? Or would that break privacy laws, so that they have to wait for a subpoena, which could take several weeks and give the gang enough time to clear all traces?
Awesome question, better to ask beforehand than after ;)
All of the below is IMHO, and IANAL, nor do I work for MELANI, etc.
Reporting to the CERT/authorities (for Switzerland, read: _calling_ MELANI) that you have such an instance in your network is the required thing to do if one is a good netizen (and we all are on SwiNOG :) ).
Inform them that you have noticed suspicious XYZ and that you want them to look at it.
They'll likely ask for a variety of things, at which point the authorities are asking you to release data about your network:
- IP address(es)
- hostnames / domains
- date stamps (UTC, NTP synced)
- NetFlow/IPFIX/sFlow logs
*Flow is a standard 'accounting' procedure; thus having it is there to do accounting, but it also provides logging. Of course, make sure there is a little blurb in whatever EULA, which you can change every day.
At some point they'll ask for customer details, at which point, if they claim they are allowed to do so, you could hand those over.
Thus: informing them of the event is great; I assume that directly sharing the IP/hostname is a standard detail nowadays (all the abuse trackers and other mitigation things do so) and might even be considered 'legal'.
Greets, Jeroen
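As an added example, not part of Jeroen's reply or of anything MELANI publishes: the list above asks for IP addresses, NTP-synced UTC date stamps and flow logs. The script below takes a constructed NetFlow-style CSV export (assumed to carry flow start as epoch seconds, using documentation address ranges rather than real hosts), pulls out the flows that touch one suspect IP inside a stated UTC window, renders the timestamps as ISO 8601 with an explicit offset, and hashes the resulting evidence text so the recipient can later verify it was not altered. The field names and the sample data are assumptions made for this example.

```python
import csv
import hashlib
import io
import ipaddress
from datetime import datetime, timezone

# Constructed sample export, roughly in the shape of an nfdump CSV
# (assumption: the exporter emits flow start as epoch seconds; the
# addresses are documentation ranges, not real hosts).
SAMPLE_FLOWS = """\
ts,src,sport,dst,dport,proto,bytes
1481874240,203.0.113.45,51234,198.51.100.10,443,6,2048
1481874300,198.51.100.10,443,203.0.113.45,51234,6,81920
1481874360,192.0.2.7,40001,198.51.100.10,22,6,512
1481877900,203.0.113.45,51240,198.51.100.10,22,6,100000
1481960700,203.0.113.45,51300,198.51.100.10,443,6,300
"""


def select_flows(csv_text, suspect_ip, start_utc, end_utc):
    """Return flows that involve suspect_ip (as src or dst) whose start
    time lies inside [start_utc, end_utc]; bounds are ISO 8601 with offset."""
    suspect = ipaddress.ip_address(suspect_ip)
    start = datetime.fromisoformat(start_utc)
    end = datetime.fromisoformat(end_utc)
    if start.tzinfo is None or end.tzinfo is None:
        # A naive window would silently be read in local time; refuse it.
        raise ValueError("window bounds must carry a UTC offset")
    selected = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Epoch seconds are already UTC; render them with an explicit
        # offset so the report leaves no room for timezone guessing.
        ts = datetime.fromtimestamp(int(row["ts"]), tz=timezone.utc)
        if not start <= ts <= end:
            continue
        src = ipaddress.ip_address(row["src"])
        dst = ipaddress.ip_address(row["dst"])
        if suspect not in (src, dst):
            continue
        selected.append({
            "ts_utc": ts.isoformat(),
            "src": str(src), "sport": int(row["sport"]),
            "dst": str(dst), "dport": int(row["dport"]),
            "proto": int(row["proto"]), "bytes": int(row["bytes"]),
        })
    return selected


def evidence_bundle(records):
    """Render the selected flows as one deterministic text block and
    return (text, sha256_hex) so the recipient can check it is unchanged."""
    lines = ["ts_utc src sport dst dport proto bytes"]
    for r in sorted(records, key=lambda r: (r["ts_utc"], r["src"], r["sport"])):
        lines.append("{ts_utc} {src} {sport} {dst} {dport} {proto} {bytes}".format(**r))
    text = "\n".join(lines) + "\n"
    return text, hashlib.sha256(text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    flows = select_flows(SAMPLE_FLOWS, "203.0.113.45",
                         "2016-12-16T07:00:00+00:00", "2016-12-16T09:00:00+00:00")
    text, digest = evidence_bundle(flows)
    print(text)
    print("sha256:", digest)
```

Run as-is it selects three of the five sample flows (the 192.0.2.7 record and the next-day record fall outside the suspect/window filter) and prints the hash to quote in the report. Keeping the hash alongside the text, and sending only the records that match the suspect IP and window, is what lets you hand over the network-side data first while customer details wait for the authorities' confirmation that they may receive them.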