Howard C. Berkowitz wrote:
I'm developing some guidance for ISP surveillance for infrastructure attacks, and my increasing impression is that for other than the expert level, there may be some useful simplifications of the applicability of tools. Remember that I am speaking of surveillance here, not the detailed analysis in a sinkhole. Perhaps this could be the basis of some security architecture presentations/tutorials at NANOG.
Have a look at these two presentations, the first covers most of the items you listed, the second one, while more enterprise-oriented also applies to large SP management networks. "Building an Early Warning System in a Service Provider Network" http://www.securite.org/presentations/secip/BHEU2004-NF-SP-EWS-v11.ppt http://www.securite.org/presentations/secip/BHEU2004-NF-SP-EWS-v11.zip (PDF) "Network flows and Security" http://www.securite.org/presentations/secip/BHEU2005-NetflowSecurity-NF-v101... http://www.securite.org/presentations/secip/BHEU2005-NetflowSecurity-NF-v101... Nico. -- Nicolas FISCHBACH (nico@securite.org) <http://www.securite.org/nico/> Senior Manager - IP Engineering/Security - COLT Telecom Securite.Org Team - http://www.securite.org/