On Wed, 3 Apr 2002, Avleen Vig wrote: :Have a look at SAFE (url in sig). :We detect smurf amplifiers and I'm currently looking at ways to export :data to companies regarding large smurf amplifiers (>x250 amplification) :who refuse to close after X number of warnings. Yeah, that uses a bit more of the anti-spam model than a network protection model. Aris takes IDS logs from subscriber sites, normalizes them and generates stats (among other things). After the data is normalized, they show emerging trends and anomalies. An example of this would be if an attacker started scanning across the Internet for ssh servers, this could trigger IDS's at multiple sites, which would increase the profile of attackers ip addr. What I was suggesting is that this data be cleaned and a list of actively hostile hosts be distributed to subscribers for temporary blockage, either by port filter, or blackholed by prefix on a reasonably real-time basis. -- batz