Agreed, time to live in the ACL is critical as well .. this is primary to be used to stop sweeps and penetration testing .. We have SNORT deployed now but the process is still manual on the back end and of course does not respond in the time required. ----- Original Message ----- From: " Dorn Hetzel " < dorn @ hetzel .org> To: "Brian R. Watters " < brwatters @ absfoc .com> Cc: nanog @ nanog .org, "Ronald Bonica " < rbonica @juniper.net> Sent: Tuesday, January 18, 2011 1:01:43 PM Subject: Re: Auto ACL blocker One suspects this sort of automated defense should only be used against attack styles that eliminate the likelihood of a forged source ip and that the acl needs to be pruned and compacted for size. Nearby bad ips can be collected into a larger mask but there is then risk of collateral damage (how many bad source ips in a /24 or whatever before you nuke the whole thing for a while? Does the length of a prefixes "rap sheet" change its treatment? Etc) On Jan 18, 2011 3:03 PM, "Brian R. Watters " < brwatters @ absfoc .com > wrote:

Ron,

I am sure any solution given enough time could be used against you, However my hope was that a whitelist could help in that regard however I know your correct.

----- Original Message ----- From: "Ronald Bonica " < rbonica @juniper.net > To: "Brian R. Watters " < brwatters @ absfoc .com >, nanog @ nanog .org Sent: Tuesday, January 18, 2011 11:55:28 AM Subject: RE: Auto ACL blocker

Brian,

Have you thought about what a bad guy might do if he knew that you had such a policy deployed? Is there a way that the bad guy might turn the policy against you?

Ron

...

-----Original Message----- From: Brian R. Watters [ mailto : brwatters @ absfoc .com ] Sent: Tuesday, January 18, 2011 2:12 PM To: nanog @ nanog .org Subject: Auto ACL blocker

We are looking for the following solution.

Honey pot that collects attacks against SSH/FTP and so on

Said attacks are then sent to a master ACL on a edge Cisco router to block all traffic from these offenders ..

Of course we would require a master whitelist as well as to not be blocked from our own networks.

Any current solutions or ideas ??

--

BRW

--

Brian R. Watters Director American Broadband Family of Companies 5718 East Shields Ave Fresno, CA. 93727 brwatters @ absfoc .com http :// www . americanbroadbandservice .com tel: 559-420-0205 fax:559-272-5266 toll free: 866-827-4638

ABS offers T-1's starting at $289 in over 450 cities. Is your city on the list? Click here to find out.

This message and any attachment(s) are solely for the use of intended recipients. They may contain privileged and/or confidential information legally protected from disclosure. If you are not the intended recipient, you are hereby notified that you received this e-mail in error and that any review, dissemination, distribution or copying of this e-mail and any attachment(s) is strictly prohibited. If you have received this e-mail in error, please contact the sender and delete the message and any attachment(s) from your system. Thank you for your cooperation.

-- Brian R. Watters Director American Broadband Family of Companies 5718 East Shields Ave Fresno, CA. 93727 brwatters @ absfoc .com http :// www . americanbroadbandservice .com tel: 559-420-0205 fax:559-272-5266 toll free: 866-827-4638 ABS offers T-1's starting at $289 in over 450 cities. Is your city on the list? Click here to find out. This message and any attachment(s) are solely for the use of intended recipients. They may contain privileged and/or confidential information legally protected from disclosure. If you are not the intended recipient, you are hereby notified that you received this e-mail in error and that any review, dissemination, distribution or copying of this e-mail and any attachment(s) is strictly prohibited. If you have received this e-mail in error, please contact the sender and delete the message and any attachment(s) from your system. Thank you for your cooperation.