Re: Arbor Networks DoS defense product
On Wed, May 15, 2002 at 06:04:40PM -0700, PJ wrote:
> Sorry for not including nanog in the reply. What about MAPS? They routinely scan netblocks without consent. Does this tool differentiate between local and non-local scanning? Scanning is

The tool in question may not even exist yet. There is no preset definition of how it has to work. Perhaps it can be evolved enough to where it only triggers when an exploit is attempted, rather than just on a TCP connection.

> still not a crime and it will still do nothing to deter anyone with hostile intentions. This is just a band-aid to avoid taking proper security precautions.

I can take all the proper security precautions and it doesn't stop third party network A from being exploited and later used to attack me. The point of this is that it will help identify a specific host which is scanning many blocks belonging to many different networks. If they hit several landmines in my network, I might be concerned. If they hit landmines in my network and 6 others to which I have no affiliation, the net as a whole might want to know about it. I don't think anyone said this was intended to take the place of security on their own networks. But I don't see how that aspect makes this a bad tool on its own either way.

-c
On Wed, 15 May 2002, Clayton Fiske wrote:
> On Wed, May 15, 2002 at 06:04:40PM -0700, PJ wrote:
> > Sorry for not including nanog in the reply. What about MAPS? They routinely scan netblocks without consent. Does this tool differentiate between local and non-local scanning? Scanning is
>
> The tool in question may not even exist yet. There is no preset definition of how it has to work. Perhaps it can be evolved enough to where it only triggers when an exploit is attempted, rather than just on a TCP connection.

Granted. However, if it's not yet in existence, these are good questions to be asked now instead of later, no? I would feel much better about it if it was triggered by an exploit, instead of a connection.

> > still not a crime and it will still do nothing to deter anyone with hostile intentions. This is just a band-aid to avoid taking proper security precautions.
>
> I can take all the proper security precautions and it doesn't stop third party network A from being exploited and later used to attack me. The point of this is that it will help identify a specific host which is scanning many blocks belonging to many different networks. If they hit several landmines in my network, I might be concerned. If they hit landmines in my network and 6 others to which I have no affiliation, the net as a whole might want to know about it.

Granted. However, the suggestion to place said host/network into some sort of BGP black hole has its problems. The community as a whole already has an idea of which networks have a greater percentage of attacks originating from them; an alert is fine, a pre-emptive strike in the absence of an actual attack is not.

> I don't think anyone said this was intended to take the place of security on their own networks. But I don't see how that aspect makes this a bad tool on its own either way.

Yes, that was perhaps an implication made on my part. However, there are still concerns with the idea that have yet to be addressed.

PJ

--
Art is a lie which makes us realize the truth. -- Picasso
On Wed, May 15, 2002 at 06:25:15PM -0700, PJ wrote:
> Granted. However, the suggestion to place said host/network into some sort of BGP black hole has its problems. The community as a whole

Keep in mind that this would be a subscription service. It's not as though the route would be announced to the entire net. If you're not comfortable with it, don't use it on your network (or change upstreams, if they're using it).

> already has an idea of which networks have a greater percentage of attacks originating from them; an alert is fine, a pre-emptive strike in the absence of an actual attack is not.

It's not permanent. There clearly would need to be some means of human intervention by which an entry can be removed. At worst, a compromised host is blackholed, which will get someone's attention. At best, it is prevented from contributing to attacks.

-c
CF> Date: Wed, 15 May 2002 18:13:07 -0700
CF> From: Clayton Fiske
CF> There is no preset definition of how it has to work. Perhaps
CF> it can be evolved enough to where it only triggers when an
CF> exploit is attempted, rather than just on a TCP connection.

Sounds sorta like the SMTP *BL debate with a new spin. Data exist; how one uses them is a matter of preference.

IMHO, landmines would be a very handy way to get a "big picture" view. What threshold triggers what activity is up to the user. I could quickly write a script to find the origin ASN of anyone who pings <machine x>, find all prefixes with that origin ASN, and blackhole them. And it would be a pretty stupid maneuver, so I hopefully would know better. I don't see how landmines are any different... one needn't use the feed in a predetermined manner.

I think there are more than a few people who can bang out code, or who know those who can, hanging out on here.

--
Eddy
Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist@brics.com>
To: blacklist@brics.com
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots. Do NOT send mail to <blacklist@brics.com>, or you are likely to be blocked.
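Added example, not part of this thread and not Arbor's product or anyone's posted code: a small Python correlator for the "landmine" idea the thread keeps circling. It shows the threshold logic the posters describe (a source that trips landmines only in my network is my problem; one that trips them in many unrelated networks goes on a subscription feed), and it gives every feed entry both an expiry and a human-operated removal, as Clayton's reply argues is necessary. The feed format, network names, addresses, hit records, window and thresholds are all constructed assumptions for the example; nothing here blackholes anything, it only decides what a subscriber is told.

```python
"""Landmine-hit correlator and subscription feed.

Added example for this thread; not Arbor's product and not code anyone on
the list posted. Network names, addresses and hit records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed feed: <ISO time> <source> <landmine address> <reporting network>.
# Sources are private addresses; landmines sit in RFC 5737 documentation space.
SAMPLE_FEED = """\
2002-05-15T18:00:01 10.9.8.7 192.0.2.10 net-A
2002-05-15T18:00:02 10.9.8.7 192.0.2.11 net-A
2002-05-15T18:00:05 10.9.8.7 198.51.100.5 net-B
2002-05-15T18:00:09 10.9.8.7 203.0.113.77 net-C
2002-05-15T18:01:00 10.9.8.7 203.0.113.78 net-C
2002-05-15T18:03:12 10.9.8.7 192.0.2.250 net-D
2002-05-15T18:04:44 10.9.8.7 198.51.100.99 net-E
2002-05-15T18:05:30 10.9.8.7 203.0.113.1 net-F
2002-05-15T18:10:00 172.16.5.5 192.0.2.10 net-A
2002-05-15T18:10:01 172.16.5.5 192.0.2.11 net-A
2002-05-15T18:10:02 172.16.5.5 192.0.2.12 net-A
2002-05-15T18:11:00 172.16.5.5 192.0.2.13 net-A
2002-05-15T18:20:00 192.168.1.1 203.0.113.77 net-C
"""
EXAMPLE_NOW = datetime(2002, 5, 15, 18, 30)  # evaluation time for the sample


@dataclass(frozen=True)
class Hit:
    when: datetime
    source: str
    landmine: str
    network: str


def parse_feed(text):
    """Turn feed lines into Hit records, skipping blanks and '#' comments."""
    hits = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        when, source, landmine, network = line.split()
        hits.append(Hit(datetime.fromisoformat(when), source, landmine, network))
    return hits


def classify(hits, now, window=timedelta(hours=1), min_networks=5, min_landmines=3):
    """Return {source: (verdict, distinct networks, distinct landmines)}.

    feed   - hit landmines in >= min_networks unrelated networks: tell subscribers
    local  - noisy, but inside too few networks: the affected network's call
    ignore - a stray connection or two, below both thresholds
    Window and thresholds are operator policy, not something the tool dictates.
    """
    recent = [h for h in hits if now - window <= h.when <= now]
    per_source = defaultdict(lambda: defaultdict(set))
    for h in recent:
        per_source[h.source][h.network].add(h.landmine)
    verdicts = {}
    for source, networks in per_source.items():
        n_networks = len(networks)
        n_landmines = sum(len(mines) for mines in networks.values())
        if n_networks >= min_networks:
            verdict = "feed"
        elif n_landmines >= min_landmines:
            verdict = "local"
        else:
            verdict = "ignore"
        verdicts[source] = (verdict, n_networks, n_landmines)
    return verdicts


class SubscriptionFeed:
    """What subscribers receive. Every entry expires on its own, and an operator
    can pull one early and keep it from being re-published."""

    def __init__(self, ttl=timedelta(hours=6)):
        self.ttl = ttl
        self.expires = {}   # source -> expiry time
        self.removed = {}   # source -> reason given by the human who pulled it

    def publish(self, verdicts, now):
        for source, (verdict, _, _) in verdicts.items():
            if verdict == "feed" and source not in self.removed:
                self.expires[source] = now + self.ttl
        return self.active(now)

    def remove(self, source, reason):
        self.removed[source] = reason
        self.expires.pop(source, None)

    def active(self, now):
        return sorted(s for s, exp in self.expires.items() if exp > now)


if __name__ == "__main__":
    verdicts = classify(parse_feed(SAMPLE_FEED), EXAMPLE_NOW)
    for source, (verdict, nets, mines) in sorted(verdicts.items()):
        print(f"{source:12} {verdict:6} networks={nets} landmines={mines}")
    feed = SubscriptionFeed()
    print("published:", feed.publish(verdicts, EXAMPLE_NOW))
    feed.remove("10.9.8.7", "owner reports host cleaned")
    print("after removal:", feed.active(EXAMPLE_NOW))
```

With the sample data, 10.9.8.7 tripped landmines in six unrelated networks and is published; 172.16.5.5 hit four landmines but all in net-A, so it is flagged locally only; the single hit from 192.168.1.1 is ignored. Tightening or loosening `min_networks`, `min_landmines` and `window` is where a subscriber expresses the "what threshold triggers what activity" preference, and `remove()` is the human intervention step, with the reason kept so the next operator can see why an entry is absent.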
participants (3)
- Clayton Fiske
- E.B. Dreger
- PJ