Here's what I'm implementing in order to a) dynamically disallow hosts/nets which are causing me problems, and b) ensure that -my- customers aren't causing problems for anyone else:

http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/
http://www.cisco.com/univercd/cc/td/doc/pcat/nerg.htm

There are similar commercial products like the Network Flight Recorder from www.nfr.net, as well as Snort - www.snort.org - which is a freeware product. The things I like about the Cisco solution are its tight integration with their routers and its scalability.

I can set up this system so that upon detection of an inbound or outbound attack (tuning it to avoid false positives is key), it automagically - or with the click of a mouse for purposes of manual oversight - rewrites the ACLs on designated routers so as to disallow the offending traffic. It's a scalable solution, so I can deploy as many sensor boxes as are necessary, and implement a hierarchy of 'director' machines to run them all. I can dump all the logging into Oracle, with the forensic benefits that implies.

This rewriting of ACLs on the fly is called "shunning" in Cisco terminology, and it can be done on a per-host or per-network basis, as one would expect. In fact, Cisco routers may be used as 'sensors' themselves, at the cost of a bit of CPU overhead. I haven't experimented with using a router in this way yet, but plan on doing so in the near future. If it doesn't impact performance too much to do so, I could probably avoid having to set up SPAN ports for use by the dedicated 'sensor' boxes, as well as the host ports required for 'sensor'-to-'director' communications. Since the core of my network is MPLS running on Catalysts with NFFC II cards, the processing overhead for running extensive ACLs is pretty low.

Whilst I'm nowhere near the size of a Verio or an Exodus, I should think that a system such as this, coupled tightly with the routing/switching infrastructure, could go a long way towards freezing out the hax0rs and script-kiddies as we all wait to enter the IPv6 Promised Land. And it also avoids the pitfalls involved in tinkering with the functionality of BGP, etc.

Is anyone else out there using an intrusion detection system in this manner? Any suggestions or comments would be greatly appreciated.

--
-----------------------------------------------------------
Roland Dobbins <rdobbins@netmore.net> // 818.535.5024 voice
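The "shunning" mechanism the post describes (per-host or per-network deny entries pushed into a router ACL when a sensor fires, and removed again later) is easy to model outside the product. The following is an added example, not code from the original post and not Cisco's own director/sensor software: a small Python shun list that holds time-limited deny entries, refuses to shun anything on an operator-maintained exemption list (the "tuning to avoid false positives" point), and renders the current state as an IOS numbered extended ACL. The ACL number 101, the exemption list, the sample offender addresses (taken from the RFC 5737 documentation ranges) and the expiry times are all constructed for this example; IPv4 only is assumed. The one IOS-specific fact it relies on is the wildcard-mask syntax of numbered extended ACLs (`deny ip host A.B.C.D any`, `deny ip NET WILDCARD any`).

```python
import ipaddress
import time

# Constructed for this example: addresses we must never shun, whatever a sensor
# says (our own resolver, an upstream peer, ...). Operator-maintained in practice.
EXEMPT = ["192.0.2.53/32"]


class ShunList:
    """Time-limited per-host / per-network deny entries rendered as an IOS ACL.

    direction "in"  = offender is an outside source hitting us (inbound shun)
    direction "out" = offender is one of our own customers attacking others
    """

    def __init__(self, exempt=EXEMPT):
        self.exempt = [ipaddress.ip_network(e) for e in exempt]
        self.entries = {}  # ip_network -> (expires_at, direction)

    def _overlaps_exempt(self, net):
        return any(net.overlaps(e) for e in self.exempt)

    def add(self, target, ttl, direction="in", now=None):
        """Shun a host ("198.51.100.7") or net ("203.0.113.0/24") for ttl seconds.

        Returns False (and changes nothing) if the target touches an exempt
        prefix, so a false positive on critical infrastructure cannot blackhole it.
        """
        now = time.time() if now is None else now
        net = ipaddress.ip_network(target, strict=False)  # bare host -> /32
        if self._overlaps_exempt(net):
            return False
        self.entries[net] = (now + ttl, direction)
        return True

    def expire(self, now=None):
        """Drop entries whose TTL has run out; returns how many were removed."""
        now = time.time() if now is None else now
        stale = [n for n, (exp, _) in self.entries.items() if exp <= now]
        for n in stale:
            del self.entries[n]
        return len(stale)

    def active(self, direction):
        """Current entries for one direction, in stable address order."""
        return sorted(
            (n for n, (_, d) in self.entries.items() if d == direction),
            key=lambda n: (int(n.network_address), n.prefixlen),
        )

    def render(self, acl, direction):
        """Emit IOS config lines that rebuild numbered extended ACL `acl`.

        A /32 becomes 'host A.B.C.D'; anything wider becomes the network
        address plus its wildcard (inverse) mask. The list ends with an
        explicit permit-any so only the shunned sources are dropped.
        """
        lines = [
            f"no access-list {acl}",
            f"access-list {acl} remark shun list ({direction})",
        ]
        for net in self.active(direction):
            if net.prefixlen == net.max_prefixlen:
                lines.append(f"access-list {acl} deny ip host {net.network_address} any log")
            else:
                lines.append(
                    f"access-list {acl} deny ip {net.network_address} {net.hostmask} any log"
                )
        lines.append(f"access-list {acl} permit ip any any")
        return lines


if __name__ == "__main__":
    # Constructed sample: two inbound offenders, one misbehaving customer host,
    # and one alert that must be ignored because it names our resolver.
    shuns = ShunList()
    shuns.add("198.51.100.7", ttl=600, direction="in", now=1000)
    shuns.add("203.0.113.0/24", ttl=60, direction="in", now=1000)
    shuns.add("192.0.2.99", ttl=600, direction="out", now=1000)
    shuns.add("192.0.2.53", ttl=600, direction="in", now=1000)  # exempt, refused
    print("\n".join(shuns.render(101, "in")))
    shuns.expire(now=1061)  # the /24 entry has aged out
    print("\n".join(shuns.render(101, "in")))
```

One caveat for anyone scripting this against real IOS rather than letting the director do it: a numbered ACL is rebuilt here with `no access-list N` followed by the new entries, and while an ACL applied to an interface does not exist, IOS treats that interface as permit-all. Keep the window as short as possible, or use a named ACL with sequence numbers so individual shun entries can be added and removed in place.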