Hi, we're from the government and we're here to help
Operational, only in the sense it disrupts our operations
http://www.usatoday.com/life/cyber/tech/cth523.htm

An interesting article which reviews some of the history and some perspective on the government response to the denial of service attacks. Unfortunately, it's even worse. Before the FBI created the NIPC, the NTIA/Department of Commerce was tasked with Internet protection. I went to one of the meetings at DOC. It felt like a cold war contractor unemployment office. The NTIA eventually appointed three groups to represent the interests of the Internet in cyber-security. Anyone know/remember who those groups were?

Earlier, the government created the Critical Infrastructure Assurance Office. Before that there was a commission, but the Internet wasn't really considered an "interesting" infrastructure at that time.

The US Government has been amazingly pro-active in this area, or at least some small groups have been. They've also consistently said the government can't protect the Internet. The infrastructure is owned by private companies and individuals; and industry has to work together to protect it.

The question is does industry think it's worthwhile to work together?

After several major disruptions received a lot of media attention, IOPS was formed. Later members like UUNET dropped out. After the DOS attacks, several providers announced their Gold Ribbon initiative. Have any providers actually taken concrete steps to change their networks? The IESG has a last call for a Best Common Practice on Internet security. Will any provider actually follow it?

There is a barely used $50 million center in Washington we can probably buy real cheap if folks think we'll ever need an emergency response coordination center in the future.
On 9 Mar 2000, Sean Donelan wrote:
There is a barely used $50 million center in Washington we can probably buy real cheap if folks think we'll ever need an emergency response coordination center in the future.
Sounds like something CERT was set up to do. They were started back in 1988 after the Morris worm to act as an incident response team and communications center during incidents. How successful they are has yet to be seen. I personally think they take the interests of corporate entities a lot more seriously than they are concerned about security.

The problem with initiatives that rely on voluntary participation by organizations is that there are too many "trade secrets," "proprietary technology" and even some bad blood to get things done. Some people just don't want to play nicely. This is probably the biggest shortcoming of the Internet and its potential. Everyone "cares" about security until it's time to get their hands dirty and interact with others.

joe
The problem with initiatives that rely on voluntary participation by organizations is that there are too many "trade secrets," "proprietary technology" and even some bad blood to get things done. Some people just don't want to play nicely. This is probably the biggest shortcoming of the Internet and its potential. Everyone "cares" about security until it's time to get their hands dirty and interact with others.
actually, in working with the other large providers, i have not found this to be the case. and most smallish folk seem cooperative. it is usually the middle sized folk who have not scaled to meet the problems, and occasionally let things fall through the cracks.

randy
Well, the talent here in this group and problems out there in that group, we have a better chance of resolving any of these issues since they have been worked on longer here than in any other known group of talented people. No one has considered this option, and if by some great fortune the political rhetoric can be set aside we can ensure safer networks in the future, but I am not the one who will make this decision and none of this will come easy and much work is yet to be done...

Joe Shaw wrote:
On 9 Mar 2000, Sean Donelan wrote:
There is a barely used $50 million center in Washington we can probably buy real cheap if folks think we'll ever need an emergency response coordination center in the future.
Sounds like something CERT was set up to do. They were started back in 1988 after the Morris worm to act as an incident response team and communications center during incidents. How successful they are has yet to be seen. I personally think they take the interests of corporate entities a lot more seriously than they are concerned about security.
The problem with initiatives that rely on voluntary participation by organizations is that there are too many "trade secrets," "proprietary technology" and even some bad blood to get things done. Some people just don't want to play nicely. This is probably the biggest shortcoming of the Internet and its potential. Everyone "cares" about security until it's time to get their hands dirty and interact with others.
joe
--
Thank you;
|--------------------------------------------|
| Thinking is a learned process so is UNIX   |
|--------------------------------------------|
Henry R. Linneweh
On 9 Mar 2000, Sean Donelan wrote:
The US Government has been amazingly pro-active in this area, or at least some small groups have been. They've also consistently said the government can't protect the Internet. The infrastructure is owned by private companies and individuals; and industry has to work together to protect it.
The question is does industry think it's worthwhile to work together?
Funny you should ask that. There was a lot of discussion on Bugtraq recently about the attacks and from those discussions another list was started to discuss formation of an "Association of Responsible Internet Providers" (ARIP@SECURITYFOCUS.COM). Discussion ensued regarding what the organization should be doing. There seemed to be general agreement on the idea of first creating a NOC<->NOC communication protocol/procedures (this is at the people layer, not the technical layer.)

I suggested that the group develop a charter, form a 501(c)(6), elect officers, obtain D&O insurance and then proceed. I also stated that any such venture was going to require very real money to accomplish, and asked if there was anyone willing to put their money where their mouth is, and monetarily contribute to such a venture (I offered to put up a few hundred dollars.)

Suddenly, the list got very, very quiet. In fact, since I posted that message, there hasn't been a single post to the list. Empirically, this suggests to me that while everyone is quick to spend countless hours expressing an opinion on mailing lists, there is nobody willing to invest in making this happen.

I believe this to be such a common communication protocol and procedures for handling issues to be of great necessity and desirability. If 10% of the vast number of people that have expressed their opinions on these issues were each willing to put up a little money, we could solve this problem once and for all.

So, my offer stands. If there are any individuals or organizations that would like to do something besides bemoaning the lack of coordination between providers and actually *do* something to fix it, please contact me privately.

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
Patrick Greenwell
Earth is a single point of failure.
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
Howdy all,

Patrick Greenwell wrote:
Suddenly, the list got very, very quiet. In fact, since I posted that message, there hasn't been a single post to the list. Empirically, this suggests to me that while everyone is quick to spend countless hours expressing an opinion on mailing lists, there is nobody willing to invest in making this happen.
I recently became associated with a security group working out of Dartmouth College. The focus of this group has not only been on internal security but issues that affect the Internet as a whole. The group already has a pretty good amount of funding. I could probably score enough backing and office space for a NOC that could address the issues that are being discussed. While I doubt I could raise the $50M someone suggested earlier, I could probably come up with enough for equipment, a small staff and to maintain a number of guru types on a consulting basis.

Let me run through what I'm thinking and ask people to either critique or tell me I'm out in left field.

I'm thinking of an organization that has a front end similar to GIAC. If you are unfamiliar with GIAC check out:
http://www.sans.org/giac.htm

GIAC provides a location for people to submit log entries and intrusion reports. The cool thing is there are a number of analysts (myself included) that volunteer their time to answer questions and help people understand what they are looking at. The important thing here is that people receive immediate (or close to immediate) replies to their queries. If a person has questions regarding some suspicious log entries, they can run it past the team of analysts to see what they think. Anything that looks interesting is then sanitized and recorded. The results are then posted to the Web site for all to review. This gives people a resource to consult when they are trying to figure out who or what is whacking away at their perimeter. The only thing missing at GIAC is a searchable archive which would be cool for referencing source IP addresses and target ports. This would also provide a real time alert mechanism as to what kinds of threats are making the rounds. The real strength in this kind of a setup is the ability to correlate attack patterns from multiple targets.
While there are groups doing this today, the information is not made public (at least not that I've been able to find). A while back there were a few posts on the Incident list from a number of ISPs. One or two basically came right out and stated that they get so many incident reports that one or two reports on any individual user does not necessarily mean they will take some kind of action. I'm thinking that if the above collected data is being correlated, we have a much better chance of spotting larger trends and getting the bad guys shut down.

I'm also thinking that this organization could act as a central point of contact in responding to events. There was a comment thrown out about how it can be difficult to figure out who to contact during an intrusion. Part of this organization's job could be cataloging these contacts. True the list would probably be outdated in short order, but at least it's a starting point in trying to tie together the source and target networks. I don't think it would be necessary to list every ISP, just the major providers. The provider could then take care of dealing with their downstream client.

My fear is that if we do not address these issues as a community, government/law enforcement will eventually step in and try and take care of it for us. One way or another these problems have to be addressed, the question is who is going to do it.

Comments? I don't have all the answers but I'm wondering if people think this would be a good place to start.

Chris
--
**************************************
cbrenton@sover.net
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
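The correlation step Chris describes (sanitize submitted reports, index them by source address and target port, and treat a source that shows up at several distinct reporting sites as a trend rather than noise) is easy to sketch. The following is an added example written for this archive; it is not GIAC's tooling or anything from the thread. The report line format, the salted-hash pseudonymization of the reporting site, and the threshold of three distinct sites are all assumptions made here, and the report lines are constructed for illustration using RFC 5737 documentation addresses.

```python
"""Correlating sanitized intrusion reports from several reporting sites.

Added illustration, not code from the thread or from GIAC. The input format
("timestamp reporter src_ip dst_port", one report per line) is assumed.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address

# Constructed sample submissions (documentation IP ranges, RFC 5737).
# The last line is deliberately malformed to show that bad input is skipped.
SAMPLE_REPORTS = """\
2000-03-13T10:02:11 site-a 203.0.113.7 111
2000-03-13T10:05:43 site-b 203.0.113.7 111
2000-03-13T11:15:02 site-c 203.0.113.7 111
2000-03-13T11:40:19 site-a 198.51.100.22 53
2000-03-13T12:01:55 site-b 192.0.2.9 21
2000-03-13T12:03:17 site-b 192.0.2.9 23
2000-03-13T12:30:00 site-d 203.0.113.7 1080
2000-03-13T13:00:00 site-b 198.51.100.22 53
this line is malformed and should be skipped
"""


@dataclass(frozen=True)
class Report:
    when: datetime
    reporter: str      # pseudonymized reporting site, never the real name
    src: str
    dst_port: int


def sanitize_reporter(label, salt):
    """Replace the reporting site's name with a stable pseudonym so the public
    archive never reveals who was targeted (salted hash; assumption of this example)."""
    return "r-" + hashlib.sha256((salt + label).encode()).hexdigest()[:8]


def parse_reports(text, salt="example-salt"):
    """Parse submissions, dropping anything that is not a well-formed report."""
    reports = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                       # malformed submission
        ts, reporter, src, port = parts
        try:
            when = datetime.fromisoformat(ts)
            ip_address(src)                # raises ValueError on junk addresses
            dst_port = int(port)
        except ValueError:
            continue
        if not 0 <= dst_port <= 65535:
            continue
        reports.append(Report(when, sanitize_reporter(reporter, salt), src, dst_port))
    return reports


def build_index(reports):
    """The searchable archive: lookups by source address and by target port."""
    by_src = defaultdict(list)
    by_port = defaultdict(list)
    for r in reports:
        by_src[r.src].append(r)
        by_port[r.dst_port].append(r)
    return by_src, by_port


def correlate_sources(reports, min_sites=3):
    """One report on a source means little, as the ISPs in the thread said.
    A source seen at >= min_sites *distinct* reporting sites is a trend worth
    an alert. Returns {src: sorted list of ports it was reported against}."""
    sites = defaultdict(set)
    ports = defaultdict(set)
    for r in reports:
        sites[r.src].add(r.reporter)
        ports[r.src].add(r.dst_port)
    return {s: sorted(ports[s]) for s, seen in sites.items() if len(seen) >= min_sites}


if __name__ == "__main__":
    reps = parse_reports(SAMPLE_REPORTS)
    by_src, by_port = build_index(reps)
    print("reports against port 53:", len(by_port[53]))
    for src, prts in correlate_sources(reps).items():
        n = len({r.reporter for r in by_src[src]})
        print(f"ALERT {src} reported by {n} distinct sites, ports {prts}")
```

With the constructed input, only 203.0.113.7 crosses the three-site threshold (four sites, ports 111 and 1080); 198.51.100.22 is reported by two sites and stays below it, which is exactly the "one or two reports don't trigger action" situation the ISPs described, while still being findable in the indexed archive.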
On Mon, 13 Mar 2000, Chris Brenton wrote:
Patrick Greenwell wrote:
Suddenly, the list got very, very quiet. In fact, since I posted that message, there hasn't been a single post to the list. Empirically, this suggests to me that while everyone is quick to spend countless hours expressing an opinion on mailing lists, there is nobody willing to invest in making this happen.
I recently became associated with a security group working out of Dartmouth College. The focus of this group has not only been on internal security but issues that affect the Internet as a whole. The group already has a pretty good amount of funding. I could probably score enough backing and office space for a NOC that could address the issues that are being discussed. While I doubt I could raise the $50M someone suggested earlier, I could probably come up with enough for equipment, a small staff and to maintain a number of guru types on a consulting basis.
I think it is an interesting idea, however I believe it somewhat misses the point. While a "clearinghouse" is indeed a potentially useful entity, my suggestion centers more around actually getting NOCs to talk to each other and come up with a common approach to event handling. My 100,000 foot view tells me the problem is not security, it is a lack of communication between providers. Enable that, then a reasonable stab can be made at semi-cohesive security alert notification.
My fear is that if we do not address these issues as a community, government/law enforcement will eventually step in and try and take care of it for us.
Absolutely correct. The infrastructure is beginning to generate far too much revenue to be ignored anymore.

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
Patrick Greenwell
Earth is a single point of failure.
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
Patrick Greenwell wrote:
I think it is an interesting idea, however I believe it somewhat misses the point. While a "clearinghouse" is indeed a potentially useful entity, my suggestion centers more around actually getting NOCs to talk to each other and come up with a common approach to event handling.
My thinking is that it's not just ISPs that have problems with reaching the proper security contact at another ISP, but end user networks as well. A central point of contact could help facilitate both sets of communications. My experience has been that it's usually pretty rare for an organization to contact their local ISP when a security problem occurs. Typically it's the ISP at the other end of the connection that gets contacted because they are in the best position to do something about the attack. Of course you can't easily ID the source with many attack patterns, thus the need to come up with some kind of a formal handling procedure. My gut is that this would be easier to facilitate through a central point of contact rather than dealing with a distributed model where everyone needs some method of staying in sync.
My 100,000 foot view tells me the problem is not security, it is a lack of communication between providers. Enable that, then a reasonable stab can be made at semi-cohesive security alert notification.
Kind of funny that the largest communication infrastructure has actually caused its own set of communication problems. ;)

I agree the problem is not security per se, but in addition to communication it's also a data resource problem. Unless you are logging everything that's coming out of your network, it's difficult to keep track of who is doing what. Thus the "clearing house" idea as a central point of data collection. I know that as part of GIAC we've been successful in helping to pin down a number of perps as well as compromised systems just by being able to correlate data from multiple targets. This makes it much easier to see patterns. It's also a good way to get the scoop on what's going down, both positive and negative. For example I've seen a number of domains mistake the 3DNS probes for attacks and kill all connectivity with the source network. By keeping the community at large in the loop as to what was really going on, we were able to clarify some misconceptions.
Absolutely correct. The infrastructure is beginning to generate far too much revenue to be ignored anymore.
Agreed, although based on the lack of interest in my original post I don't see it getting addressed in short order.

Thanks!
Chris
--
**************************************
cbrenton@sover.net
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
My thinking is that it's not just ISPs that have problems with reaching the proper security contact at another ISP, but end user networks as well. A central point of contact could help facilitate both sets of communications.
centralization has generally not scaled well on the internet. heck, even cert used to be quite useful. then the problem grew a bit too much.

randy
On Tue, 14 Mar 2000, Randy Bush wrote:
My thinking is that it's not just ISPs that have problems with reaching the proper security contact at another ISP, but end user networks as well. A central point of contact could help facilitate both sets of communications.
centralization has generally not scaled well on the internet. heck, even cert used to be quite useful. then the problem grew a bit too much.
I think Randy is absolutely correct (someone take a picture, quick....)

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
Patrick Greenwell
Earth is a single point of failure.
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
Randy Bush wrote:
centralization has generally not scaled well on the internet. heck, even cert used to be quite useful. then the problem grew a bit too much.
The problem grew too much or the organization didn't keep up with the times?

Back when CERT was started there was no Bugtraq, NTBugtraq, Incidents, etc. mailing lists. Today it's these resources that are getting the word out the quickest with the greatest level of detail. Don't see CERT doing anything any different today than they did 5-7 years ago. The difference is that these other groups are doing it quicker so the perception is that CERT is less effective.

Cheers,
Chris
--
**************************************
cbrenton@sover.net
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
Yeah, I remember that back in 1990 CERT was the pheer word...

Chris Brenton wrote:
Randy Bush wrote:
centralization has generally not scaled well on the internet. heck, even cert used to be quite useful. then the problem grew a bit too much.
The problem grew too much or the organization didn't keep up with the times?
Back when CERT was started there was no Bugtraq, NTBugtraq, Incidents, etc. mailing lists. Today it's these resources that are getting the word out the quickest with the greatest level of detail. Don't see CERT doing anything any different today than they did 5-7 years ago. The difference is that these other groups are doing it quicker so the perception is that CERT is less effective.
Cheers,
Chris
--
**************************************
cbrenton@sover.net
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet

--
Thank you;
|--------------------------------------------|
| Thinking is a learned process so is UNIX   |
|--------------------------------------------|
Henry R. Linneweh
On Tue, 14 Mar 2000, Chris Brenton wrote:
Randy Bush wrote:
centralization has generally not scaled well on the internet. heck, even cert used to be quite useful. then the problem grew a bit too much.
The problem grew too much or the organization didn't keep up with the times?
Back when CERT was started there was no Bugtraq, NTBugtraq, Incidents, etc. mailing lists. Today it's these resources that are getting the word out the quickest with the greatest level of detail. Don't see CERT doing anything any different today than they did 5-7 years ago. The difference is that these other groups are doing it quicker so the perception is that CERT is less effective.
That's a one to many issue. NOC to NOC is a many to many problem.

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
Patrick Greenwell
Earth is a single point of failure.
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
participants (7): Chris Brenton, Henry R. Linneweh, Joe Shaw, Patrick Greenwell, Randy Bush, Randy Bush, Sean Donelan