[110021] in North American Network Operators' Group

Re: Security Intelligence [Was: Re: Netblock reassigned from Chile

daemon@ATHENA.MIT.EDU (Randy Bush)
Fri Dec 19 22:23:19 2008

Date: Sat, 20 Dec 2008 12:23:08 +0900
From: Randy Bush <randy@psg.com>
To: Luke S Crawford <lsc@prgmr.com>
In-Reply-To: <m3r643bl8o.fsf@luke.xen.prgmr.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org

>> be specific, like "if you run X tools the payoff will be Y."
> Yes.  And where is the appropriate form for this?

there must be some operators' list somewhere.

> it doesn't seem like the sort of thing NANOG is for

yep.  nanog is for whining about it, not doing/saying something actually 
constructive with technical content.

</sarcasm>

> speaking as a small provider, I can tell you that I find running snort
> against my inbound traffic does reduce the cost of running an abuse desk.
> I do catch offenders before I get abuse@ complaints, sometimes.

unfortunately snort does not really scale to a larger provider.  and, to 
the best of my poor knowledge, good open source tools to 
black-hole/redirect botted users are not generally available. 
universities have some that are good at campus and enterprise scale.

cymru and a few security researchers responded privately to my plea for 
solid open source tool sets and refs.  knowing the folk involved, maybe 
we'll see some motion.  patience is a virtue, within limits.

randy

