6

In some of the posts I've read on this site such as Is hacking legal when a friend allows you to attempt to hack their system?, and Best way to test my home network from the outside, users who responded pointed out that testers should notify or request permission from their ISP to do testing. I have difficulty imagining such requests would go over very well with an ISP. It seems they have everything to lose (from a liability point of view), and little to nothing to gain, from approving your request to perform penetration testing over their network.

Has anybody successfully asked an ISP for permission to do security related testing over their network? How would one do so?

Community
  • 1
Joe M.
  • 439
  • 4
  • 10

2 Answers2

7

I have never asked for permission in advance (that I can recall), but I can say clients on many occasions have reported IP addresses under my control to be attacking them.

For example:

TOS Violation - Malicious Activity

We have received a report of malicious activity originating from an IP address assigned to (redacted). Please investigate this complaint and update this ticket within 24 hours to avoid a disruption in service.

Most often my clients simply neglected to check the list of authorized IP addresses I mentioned I may use during testing.

On every occasion, after answering a TOS violation, the ISP goes to verify with the target that the activity is authorized and all is good.

Note: Amazon now makes it easy to ask for permission in advance: http://aws.amazon.com/security/penetration-testing/ (I have heard others do as well now)

Community
  • 1
Tate Hansen
  • 13,804
  • 3
  • 42
  • 84
3

I used to always build in a contractual requirement that the client had to get ISP signoff before we would agree to any remote testing. Effectively this was a 'hold harmless' letter explaining that the tester (us) would be using techniques that could look exactly like a real attack. The key is that the client requests it, using our template

We did this with ISPs in the UK, US, Europe and Asia, but just to clarify, most these clients were generally multinational corporations with dedicated ISP relationship managers in each territory etc. For smaller, local clients in Scotland we did the same, but the ISPs were often local too, so your mileage may vary if you have a small client and a large ISP: the ISP may not care.

Rory Alsop
  • 61,507
  • 12
  • 118
  • 322
  • So is the advice to notify an ISP prior to pentesting only relevant when dealing with large multinationals? What if one was contracted by a small to medium business to test their security over the internet? Would a pen tester typically make any attempt to notify an ISP in this case or is it more important to get some kind of "hold harmless" from the business like you mentioned? And even so, how does a "hold harmless" from the business help you if the ISP decides they don't like what you're doing? – Joe M. Feb 03 '12 at 17:51
  • The hold harmless is from the ISP - the client informs them that we will be testing, and the ISP provides us with a letter agreeing that they will not hold us liable. In any case I would always get something from the ISP – Rory Alsop Feb 03 '12 at 18:02