Re: The Internet's Immune System
It would be useful if these sites allowed you to query them with CIDR ranges to see if your site had originated any traffic that triggered their sensor arrays. The IDS community never seems to have wrapped its collective head around routing information. Looking up single IP addrs is just cosmetic. A real service would allow for concerned sites to check their entire address allocations.

The solution we have takes a massive amount of data munging of a routing table and is still experimental, but until attacks can be mapped to meaningful Internet topographical information, the real value of these distributed IDS efforts cannot be fully exploited.

I can foresee the argument that people shouldn't be able to look up other sites which might be compromised, but if they are really so concerned, they should get their sites patched.

-- Jamie.Reid, CISSP, jamie.reid@mbs.gov.on.ca
Senior Security Specialist, Information Protection Centre
Corporate Security, MBS 416 327 2324
"Bryan Bradsby" <Bryan.Bradsby@capnet.state.tx.us> 11/12/03 04:25pm >>>
Devise a system that assumes owners of IP space WANT to know about problems. report --open-proxy 192.168.1.1 <logfiles and have a report sent to whoever needed to know about it.
http://www.Incidents.org http://www.Dshield.org/howto.php http://www.MyNetWatchman.com -bryan bradsby
here's what i learned about a white-hat registry. nobody cares. this is perceived as an asymmetric benefit, where the costs (even if there's no money, there's still effort in registering initial and new address space or AS#'s or whatever) are borne by the network owner and the benefits are felt by victims of various forms of abuse (spam, ddos, virus, whatever.)

now, anyone who thinks this through will realize that the benefit is NOT asymmetric. this is a tide (storm) that can lift (destroy) all boats. a network owner who deals swiftly with abuse becomes an anathema for abusers and thus has lower overall abuse costs. and a network of network-owners who all behaved that way would make abuse rare enough to be worth tracking again.

however, from a marketing/perception standpoint, the benefit appears to be asymmetric, and in this economy, network owners don't feel generous. so the first task isn't upgrading incidents.org or mail-abuse.org to handle white-hat network owner registration, but rather, convincing network owners that it's in their own selfish best interests to receive rapid and reliable complaints when abuse comes from/through their customer. and frankly, if that were possible, the abuse@${MOST_ISPS} would not be a blackhole with robothanks at the door.

so, i'm not hopeful that the internet's immune system is simply in need of better incident reporting. we need a "sea change" in network-owner attitudes. if you're feeling holier than thou for any reason, find out if your peering agreements require your peers to permanently disconnect repeat abuse sources, and to temporarily disconnect first time abuse sources. assuming that $YOU do these things, but that $YOUR_PEERS do not, then what have you really accomplished?

-- Paul Vixie
As far as reporting is concerned, we do have a number of ways you can query our DShield data. First of all, by prefix (right now only /8, /16, /24). But we do send out daily custom reports per request. Just send me an e-mail. There is also a test version of a report by ASN: http://www.dshield.org/asreport.php It's experimental and feedback is welcome. It is set up to be machine parsable.

On Wed, 2003-11-12 at 18:56, Jamie Reid wrote:
It would be useful if these sites allowed you to query them with CIDR ranges to see if your site had originated any traffic that triggered their sensor arrays. The IDS community never seems to have wrapped its collective head around routing information. Looking up single IP addrs is just cosmetic. A real service would allow for concerned sites to check their entire address allocations.
The solution we have takes a massive amount of data munging of a routing table and is still experimental, but until attacks can be mapped to meaningful Internet topographical information, the real value of these distributed IDS efforts cannot be fully exploited.
I can foresee the argument that people shouldn't be able to look up other sites which might be compromised, but if they are really so concerned, they should get their sites patched.
-- Jamie.Reid, CISSP, jamie.reid@mbs.gov.on.ca Senior Security Specialist, Information Protection Centre Corporate Security, MBS 416 327 2324
"Bryan Bradsby" <Bryan.Bradsby@capnet.state.tx.us> 11/12/03 04:25pm >>>
Devise a system that assumes owners of IP space WANT to know about problems. report --open-proxy 192.168.1.1 <logfiles and have a report sent to whoever needed to know about it.
http://www.Incidents.org http://www.Dshield.org/howto.php http://www.MyNetWatchman.com
-bryan bradsby --
Johannes Ullrich jullrich@euclidian.com pgp key: http://johannes.homepc.org/PGPKEYS -------------------------------------------------------------- "We regret to inform you that we do not enable any of the security functions within the routers that we install." support@covad.net --------------------------------------------------------------
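The check Jamie asks for above (querying sensor data for an entire address allocation rather than one IP) and the per-prefix view Johannes describes can be shown in a few lines. This is an added example, not DShield's or myNetWatchman's code; the sensor records and the allocation prefixes are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample sensor records in a DShield-like shape:
# (source IP seen by sensors, target port, event count). Made-up values.
SENSOR_RECORDS = [
    ("192.0.2.17", 135, 40),
    ("192.0.2.200", 445, 12),
    ("198.51.100.9", 25, 300),
    ("203.0.113.77", 80, 5),
    ("192.0.2.17", 445, 8),
]

# The organisation's full allocation, as it would come out of a routing
# table or RIR record (hypothetical prefixes for this example).
OUR_ALLOCATION = ["192.0.2.0/24", "198.51.100.0/25"]


def hits_in_allocation(records, allocation):
    """Return sensor records whose source lies inside any of our prefixes,
    grouped by the matching prefix (longest-prefix match, like a router)."""
    prefixes = sorted((ipaddress.ip_network(p) for p in allocation),
                      key=lambda n: n.prefixlen, reverse=True)
    by_prefix = defaultdict(list)
    for src, port, count in records:
        addr = ipaddress.ip_address(src)
        for net in prefixes:
            if addr in net:
                by_prefix[str(net)].append((src, port, count))
                break  # first (longest) match wins
    return dict(by_prefix)


def summarize(by_prefix):
    """Per prefix: the distinct sources to chase down and the total events."""
    summary = {}
    for net, rows in by_prefix.items():
        sources = sorted({src for src, _, _ in rows})
        total = sum(count for _, _, count in rows)
        summary[net] = {"sources": sources, "events": total}
    return summary


if __name__ == "__main__":
    for net, info in summarize(hits_in_allocation(SENSOR_RECORDS,
                                                  OUR_ALLOCATION)).items():
        print(f"{net}: {info['events']} events from {info['sources']}")
```

Sources outside the allocation (203.0.113.77 here) are dropped, which is the point: an owner only learns about traffic that routes to their own prefixes.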
On Wed, 12 Nov 2003 18:56:50 EST, Jamie Reid <Jamie.Reid@mbs.gov.on.ca> said:
It would be useful if these sites allowed you to query them with CIDR ranges to see if your site had originated any traffic that triggered their sensor array
I've always wondered how to do this securely in an ad-hoc manner. The guys at MAPS send me a report once a week of stuff that's in my netblocks, but that involved contacting them and presumably at least some verification that I was affiliated with the netblocks. How do you prevent Joe Scriptkid from asking it "what vulnerable machines are coming out of ASrandom"?
myNetWatchman has a work-in-progress search-by-AS http://www.mynetwatchman.com/ListIncidentbyASSummary.asp?AS=YOUR_AS_HERE On Wed, Nov 12, 2003 at 06:56:50PM -0500, Jamie Reid wrote:
It would be useful if these sites allowed you to query them with CIDR ranges to see if your site had originated any traffic that triggered their sensor arrays. The IDS community never seems to have wrapped its collective head around routing information. Looking up single IP addrs is just cosmetic. A real service would allow for concerned sites to check their entire address allocations.
The solution we have takes a massive amount of data munging of a routing table and is still experimental, but until attacks can be mapped to meaningful Internet topographical information, the real value of these distributed IDS efforts cannot be fully exploited.
I can foresee the argument that people shouldn't be able to look up other sites which might be compromised, but if they are really so concerned, they should get their sites patched. -- Jamie.Reid, CISSP, jamie.reid@mbs.gov.on.ca Senior Security Specialist, Information Protection Centre Corporate Security, MBS 416 327 2324
"Bryan Bradsby" <Bryan.Bradsby@capnet.state.tx.us> 11/12/03 04:25pm >>>
Devise a system that assumes owners of IP space WANT to know about problems. report --open-proxy 192.168.1.1 <logfiles and have a report sent to whoever needed to know about it.
http://www.Incidents.org http://www.Dshield.org/howto.php http://www.MyNetWatchman.com
-- Dan
Unfortunately myNetWatchman is one of the worst services I have seen. We can't even get them to send the reports to our abuse address.

Roy

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Daniel Medina
Sent: Thursday, November 13, 2003 6:40 AM
To: nanog@merit.edu
Subject: Re: The Internet's Immune System

myNetWatchman has a work-in-progress search-by-AS http://www.mynetwatchman.com/ListIncidentbyASSummary.asp?AS=YOUR_AS_HERE Dan
On Thu, 13 Nov 2003, Roy wrote:
Unfortunately myNetWatchman is one of the worst services I have seen. We can't even get them to send the reports to our abuse address.
I've found that anything marketed starting with "my" is not something I would ever want to call mine. -- Jay Hennigan - CCIE #7880 - Network Administration - jay@west.net WestNet: Connecting you to the planet. 805 884-6323 WB6RDV NetLojix Communications, Inc. - http://www.netlojix.com/
participants (7): Daniel Medina, Jamie Reid, Jay Hennigan, Johannes Ullrich, Paul Vixie, Roy, Valdis.Kletnieks@vt.edu