On Sun, 2 Nov 2003, Paul Vixie wrote:
so listen up. just because many of the infected hosts won't be disinfected, don't assume that there's no value in tracking and reporting them, or that there's no reason to spend money listening to and acting on complaints about them. the internet's immune system needs *more* resources, not fewer.
I've had an idea kicking around my head since Paul posted this. Most of the reporting work seems to be centered around finding who to report problems to.

I think we need to turn the problem around: Devise a system that assumes owners of IP space WANT to know about problems. In simple terms, a system that would let me issue a command such as report --open-proxy 192.168.1.1 (or even report --open-proxy 192.168.1.1 <logfiles ) and have a report sent to whoever needed to know about it.

To participate in this, I would have to run a problem-report server that accepts reports on my IP space. It would be registered with some central server that refers problems to the proper server for that IP address, like DNS.

This might be a NOC to NOC tool, or perhaps using registered PGP signatures, reports from other NOCs could have more weight than those from end users. In any case, the idea is to allow automated testing based on reports, aggregation of reports to weed out mistakes and errors, and provide a mechanism for various firewalls, intrusion detection systems, etc. to talk to each other to solve problems as quickly as possible.

So in the above example, if I receive the report for 192.168.1.1 being an open proxy, I might have my system configured, because that is a residential DSL IP, to automatically do a full port scan on it to look for open proxies, and if I confirm that it is open shut the line down, or just kick out a ticket for someone to call the customer. Or, start a netflow analysis on it to look for virus/worm traffic. Or not do anything until a certain number of reports are received, weighted based on the ranking of PGP sigs.

Paul's use of the word immune system hit it on the head. An immune system kicks in automatically to fight infection, and right now there isn't one on the net.

==========================================================
Chris Candreva -- chris@westnet.com -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
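An added example, not part of the original message, of the two mechanisms the message describes: DNS-like referral of a report to the server responsible for the most specific registered prefix, and weighted aggregation of reports before any automated action. The registry entries, weights, threshold and sample reports are constructed assumptions, and signature verification is assumed to have been done before a report is given the "noc" role.

```python
import ipaddress
from collections import defaultdict

# Constructed registry: report server per prefix (assumption, not a real service).
REGISTRY = {
    "192.168.0.0/16": "reports.isp-a.example",
    "192.168.1.0/24": "reports.dsl.isp-a.example",
}
# Assumed weights: a report signed by a registered NOC key counts more than
# an end-user report. Signature checking itself is out of scope here.
WEIGHTS = {"noc": 1.0, "user": 0.25}
THRESHOLD = 1.0  # assumed total weight needed before automated action

def refer(ip):
    """Return the report server for the most specific registered prefix."""
    addr = ipaddress.ip_address(ip)
    nets = [ipaddress.ip_network(p) for p in REGISTRY]
    matches = [n for n in nets if addr in n]
    if not matches:
        return None
    return REGISTRY[str(max(matches, key=lambda n: n.prefixlen))]

def aggregate(reports):
    """Sum report weight per (ip, problem), counting each reporter once."""
    seen, score = set(), defaultdict(float)
    for reporter, role, ip, problem in reports:
        if (reporter, ip, problem) in seen:  # repeat from same reporter
            continue
        seen.add((reporter, ip, problem))
        score[(ip, problem)] += WEIGHTS.get(role, 0.0)
    return dict(score)

def decide(reports):
    """Map (ip, problem) to ('verify' or 'hold', responsible report server)."""
    return {k: ("verify" if s >= THRESHOLD else "hold", refer(k[0]))
            for k, s in aggregate(reports).items()}

# Constructed sample reports: (reporter, role, ip, problem)
SAMPLE = [
    ("noc@isp-b.example", "noc", "192.168.1.1", "open-proxy"),
    ("alice@example.net", "user", "192.168.7.9", "open-proxy"),
    ("alice@example.net", "user", "192.168.7.9", "open-proxy"),
    ("bob@example.org", "user", "192.168.7.9", "open-proxy"),
]

if __name__ == "__main__":
    for target, outcome in decide(SAMPLE).items():
        print(target, outcome)
```

Counting each reporter once per address and problem keeps a single source from pushing a host over the threshold by resubmitting the same report.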