
On Sun, 22 Dec 2002, Sean Donelan wrote:

:On any major backbone the IDS function becomes
:
:GlobalIDSFunction() {
:   While (1) {
:      printf("Attack Detected!");
:   }
:}
:
:Do you really want an automatic wiretap installed on your line
:every time an attack is detected? Have you recently connected a
:system to the Internet that hasn't been attacked?

It depends on the attack you are looking for. All signatures are not created equal.

Also, the actual logic is a little more like: for each attack_source_ip, if all attacks in attack_source are the same, send a low alert. If attacks from any single attack_source are different, with a range of more than 2 distinct attacks, look into it. attack_source can be anything from a /32 to a /24, with monthly reports breaking it down into the diversity of attacks originating from certain ASNs so that follow-up can be done with the ISP.

The idea being that you only respond to incidents where follow-up may yield meaningful results. Those incidents can be recognized by the diversity of attacks originating from a single area and followed up based on their ISP. The diversity of attacks will provide compelling evidence that there is someone making a concerted effort to crack a network, instead of just worm activity.

You will miss script kids that bounce all over their compromised machines around the world, but even if you collected all the information about those attacks, there is little value in tracking them down anyway. The interjurisdictional administrative hell makes it more cost effective to just lock down your network than to re-enact The Cuckoo's Egg.

Back to the law enforcement access issue: they could really just be collecting intelligence from the sensors to inform their decision on whom to follow up with an investigation. IDSs aren't as useful for giving evidence (IMHO) because there are too many variables (like asymmetry, log integrity, chain of evidence, etc.) to take into account.

What they can do very well is tell you where suspicious activity is originating from and tell you whether further analysis is warranted, e.g., whether to have someone seize the machine as physical evidence, as that's where it's all got to come from for prosecution anyway, or to monitor that site's traffic for more information before launching a full seizure. So, the value of an IDS, or law enforcement access to IDS-like devices for sifting information, is to assess whom they should be investigating, not to be used as an investigative tool by itself.

As for how they can do it, they can't put it in a core somewhere. They would have to put inexpensive ones connected as close to the customer equipment as possible. This could be at the edge of a CUG, as some people call it, or, as Chris Morrow mentioned, one in each POP.

As far as doing it at an exchange point, it is still possible to redirect all traffic originating from within a large ISP and destined to a single site through a secondary GigE monitoring network. I would be surprised if anyone currently sustains 500Mb/s of traffic from one of its customers to any single IP address that is outside their own network. It doesn't matter if I am wrong, as for the purposes of monitoring for further information, it still works.

Adding them to POPs would make sense as there is a geographical basis for their distribution, something law enforcement likes and understands quite well, as that's how their jurisdictions are laid out.

The reason I am pursuing this is that I would hate for people to waste their energy insisting that ubiquitous intelligence and law enforcement access to Internet traffic is impossible. It can be made very possible, just not in the way, or for the same reasons, some people might imagine it.

-- batz
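The per-source triage rule batz sketches above (one repeated signature from a source: low alert; more than two distinct signatures from the same source, aggregated anywhere from a /32 to a /24: look into it; a roll-up by ASN so the ISP can be contacted), written out as an added Python example. This is not code from the post or from any NANOG participant. The alert records, the prefix-to-ASN table and the ASN numbers are constructed for illustration; the "medium" verdict for exactly two distinct signatures is my own assumption, since the post only specifies the one-signature and more-than-two cases.

```python
"""Triage IDS alerts by the diversity of signatures seen per source.

Rule (from the post): all alerts from a source carry the same signature
-> low; more than two distinct signatures from one source -> investigate.
Sources can be aggregated from /32 up to /24, and a per-ASN roll-up feeds
the follow-up with the originating ISP.
"""
import ipaddress
from collections import defaultdict

# Constructed sample alerts (not real sensor output): (source_ip, signature).
ALERTS = [
    ("192.0.2.10", "MS-SQL Slammer probe"),
    ("192.0.2.10", "MS-SQL Slammer probe"),
    ("192.0.2.10", "MS-SQL Slammer probe"),
    ("198.51.100.7", "SSH brute force"),
    ("198.51.100.7", "WEB-IIS unicode traversal"),
    ("198.51.100.7", "SNMP community sweep"),
    ("198.51.100.7", "SMB null session"),
    ("203.0.113.20", "SSH brute force"),
    ("203.0.113.21", "WEB-IIS unicode traversal"),
    ("203.0.113.22", "SNMP community sweep"),
]

# Hypothetical prefix -> ASN table (documentation prefixes, private ASNs).
# A real deployment would derive this from routing/whois data.
PREFIX_TO_ASN = {
    ipaddress.ip_network("192.0.2.0/24"): 64496,
    ipaddress.ip_network("198.51.100.0/24"): 64497,
    ipaddress.ip_network("203.0.113.0/24"): 64498,
}

DISTINCT_THRESHOLD = 2  # "a range of more than 2 distinct attacks"


def aggregate(alerts, prefixlen=32):
    """Group alerts by source aggregated to /prefixlen.

    Returns {network: (set_of_signatures, alert_count)}.
    """
    sigs = defaultdict(set)
    counts = defaultdict(int)
    for ip, sig in alerts:
        src = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        sigs[src].add(sig)
        counts[src] += 1
    return {src: (sigs[src], counts[src]) for src in sigs}


def classify(signatures):
    """Apply the post's rule; 'medium' for exactly two is an assumption."""
    n = len(signatures)
    if n == 1:
        return "low"
    if n > DISTINCT_THRESHOLD:
        return "investigate"
    return "medium"


def triage(alerts, prefixlen=32):
    """Return {network: (verdict, sorted_signatures, alert_count)}."""
    return {
        src: (classify(sigs), sorted(sigs), n)
        for src, (sigs, n) in aggregate(alerts, prefixlen).items()
    }


def asn_for(net):
    """Longest-prefix match of a source network in the hypothetical table."""
    best = None
    for prefix, asn in PREFIX_TO_ASN.items():
        if net.subnet_of(prefix) and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, asn)
    return best[1] if best else None


def asn_report(alerts):
    """Roll-up for ISP follow-up: distinct signatures seen per originating ASN."""
    by_asn = defaultdict(set)
    for src, (sigs, _) in aggregate(alerts, 32).items():
        by_asn[asn_for(src)].update(sigs)
    return {asn: sorted(s) for asn, s in by_asn.items()}


if __name__ == "__main__":
    for plen in (32, 24):
        print(f"--- aggregated to /{plen} ---")
        for src, (verdict, sigs, n) in sorted(triage(ALERTS, plen).items()):
            print(f"{str(src):18} {verdict:12} {n:2} alerts, {len(sigs)} distinct")
    print("--- per-ASN roll-up ---")
    for asn, sigs in sorted(asn_report(ALERTS).items()):
        print(f"AS{asn}: {sigs}")
```

Note what the /24 pass catches that the /32 pass does not: the three 203.0.113.x hosts each fire a single signature and rate "low" individually, but aggregated to their /24 they show three distinct attacks and cross into "investigate", which is exactly the "diversity from a single area" signal the post argues is worth following up with the ISP.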