I work for a service provider, and we've suffered an attack. We've learned from it, but nonetheless it has cost us. The good thing is we have pcap traces of the event, and IP addresses.
Now my question is, how does one send a good abuse mail to the other provider?
The situation is complicated, because there is money involved, and the other provider is a regular ISP serving private people, in another country. We'd love to see our money back, but has anyone ever succeeded at doing that?
Are you a technical person? If so, then I'd strongly advise that you don't get directly involved in this - get a 'business' person to own this issue. Help them with supporting information as much as you like, but don't mix technical detail and business-to-business financial/legal dealings; you have literally nothing to gain if it goes well and everything to lose if it doesn't. There's always going to be someone more appropriate in a business to handle this kind of thing than the guy who spotted or fixed it - get them to do this work, not you.
Of course if you're not the technical person and you are responsible for handling this kind of thing, well if you've come here to find out then I'd suggest you speak to your company's lawyers instead.
Good luck.
I wouldn't hold out much hope of ever getting your money back, and you could end up spending a lot of time and effort chasing it.
If you are in the US (or the attacker is) and you can prove that the damage was in excess of $50,000 then the FBI may investigate. If the locations are elsewhere then you may consider contacting your local law enforcement. But do bear in mind that in order to progress an investigation and prosecution, the first response by the law enforcement agency may be to impound your hardware as evidence.
Evidence from a compromised system must itself be considered as potentially compromised - which is a big problem with securing convictions.
Also, it's worth bearing in mind that even though you may know where the attacks came from - it's very likely that the source was itself a compromised system - tracking back to the origin can be very difficult.
Depending on the amount of money involved, I would recommend seeking confidential, professional advice on whether pursuing the attacker is likely to be of any benefit. If you decide that this is not worthwhile, I would recommend you forward the details to the ISP where the attacks appear to come from.
C.