But that's why we have human beings in the NOCs, no? As I'm mucking about with the Cisco Netranger/IDS on one of my networks, I've been able to winnow down the false-positives substantially, and am still working on improving its reliability further. I certainly don't think that intrusion-detection makes sense for the backbones and NAPs and so forth, but when you get closer to the traffic-orginator/requestor boundaries of the network, it becomes more feasible, does it not? -----Original Message----- From: John Kristoff [mailto:jtk@depaul.edu] Sent: Friday, July 07, 2000 1:59 PM To: nanog@merit.edu Subject: Re: RBL-type BGP service for known rogue networks? rdobbins@netmore.net wrote:
Isn't that why some sort of intrusion/exploit-detection system integrated with ACLs would perhaps be a better remedy?
Dealing with false positives and "intentional" black holing would be a difficult thing to get right. It sounds like the MAPS approach someone mentioned earlier would be workable. John