Patrick Greenwell wrote:
> I think it is an interesting idea; however, I believe it somewhat misses the point. While a "clearinghouse" is indeed a potentially useful entity, my suggestion centers more around actually getting NOCs to talk to each other and come up with a common approach to event handling.
My thinking is that it's not just ISPs that have problems with reaching the proper security contact at another ISP, but end-user networks as well. A central point of contact could help facilitate both sets of communications. My experience has been that it's usually pretty rare for an organization to contact their local ISP when a security problem occurs. Typically it's the ISP at the other end of the connection that gets contacted, because they are in the best position to do something about the attack. Of course you can't easily ID the source with many attack patterns, thus the need to come up with some kind of formal handling procedure. My gut is that this would be easier to facilitate through a central point of contact rather than dealing with a distributed model where everyone needs some method of staying in sync.
> My 100,000-foot view tells me the problem is not security, it is a lack of communication between providers. Enable that, then a reasonable stab can be made at semi-cohesive security alert notification.
Kind of funny that the largest communication infrastructure has actually caused its own set of communication problems. ;) I agree the problem is not security per se, but in addition to communication it's also a data resource problem. Unless you are logging everything that's coming out of your network, it's difficult to keep track of who is doing what. Thus the "clearing house" idea as a central point of data collection. I know that as part of GIAC we've been successful in helping to pin down a number of perps as well as compromised systems just by being able to correlate data from multiple targets. This makes it much easier to see patterns. It's also a good way to get the scoop on what's going down, both positive and negative. For example, I've seen a number of domains mistake the 3DNS probes for attacks and kill all connectivity with the source network. By keeping the community at large in the loop as to what was really going on, we were able to clarify some misconceptions.
> Absolutely correct. The infrastructure is beginning to generate far too much revenue to be ignored anymore.
Agreed, although based on the lack of interest in my original post I don't see it getting addressed in short order.

Thanks!
Chris
--
**************************************
cbrenton@sover.net
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet