On 20/12/2008, at 4:23 PM, Randy Bush wrote:
speaking as a small provider, I can tell you that I find running snort against my inbound traffic does reduce the cost of running an abuse desk. I do catch offenders before I get abuse@ complaints, sometimes.
unfortunately snort does not really scale to a larger provider. and, to the best of my poor knowledge, good open source tools to black-hole/redirect botted users are not generally available. universities have some that are good at campus and enterprise scale.
cymru and a few security researchers responded privately to my plea for solid open source tool sets and refs. knowing the folk involved, maybe we'll see some motion. patience is a virtue, within limits.
If you're talking about throughput, Tilera recently (April) demonstrated 10Gbit/s snort on their TILE64 processors. http://tilera.com/news_&_events/press_release_080429_snort.php Not sure if anyone has them in products at the moment though. -- Nathan Ward