[46541] in North American Network Operators' Group

Re: How to get better security people

daemon@ATHENA.MIT.EDU (batz)
Wed Apr 3 14:39:22 2002

Date: Wed, 3 Apr 2002 14:31:28 -0500 (EST)
From: batz <batsy@vapour.net>
To: NANOG <nanog@merit.edu>
In-Reply-To: <20020403181906.N17312-100000@apple.silverwraith.com>
Message-ID: <Pine.BSF.4.21.0204031338520.401-100000@vapour.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu


On Wed, 3 Apr 2002, Avleen Vig wrote:

:Have a look at SAFE (url in sig).
:We detect smurf amplifiers and I'm currently looking at ways to export
:data to companies regarding large smurf amplifiers (>x250 amplification)
:who refuse to close after X number of warnings.

Yeah, that uses a bit more of the anti-spam model than a network
protection model. Aris takes IDS logs from subscriber sites,
normalizes them and generates stats (among other things). After
the data is normalized, they show emerging trends and anomalies.
An example of this would be if an attacker started scanning across
the Internet for ssh servers; this could trigger IDSs at multiple
sites, which would increase the profile of the attacker's IP addr.

What I was suggesting is that this data be cleaned and a list of
actively hostile hosts be distributed to subscribers for temporary
blockage, either by port filter, or blackholed by prefix on a reasonably
real-time basis.


--
batz
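The correlation batz describes above (normalize per-site IDS logs, flag sources that trip sensors at several independent sites, hand subscribers a short-lived block list) as an added example; this is not code from the post or from Aris, and the log format, site threshold, time window and ACL wording are all constructed assumptions. Requiring hits at several distinct sites is what separates a trend from one site's noise.

```python
# Added example, not code from the post; the log format, thresholds and
# rule syntax below are constructed assumptions.
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample export: "site,timestamp,src_ip,dst_port,signature"
SAMPLE_ALERTS = """\
siteA,2002-04-03T14:00:00,203.0.113.7,22,SSH scan
siteB,2002-04-03T14:02:10,203.0.113.7,22,SSH scan
siteC,2002-04-03T14:05:45,203.0.113.7,22,SSH scan
siteA,2002-04-03T14:01:00,198.51.100.9,80,HTTP probe
siteA,2002-04-03T09:00:00,192.0.2.44,22,SSH scan
siteB,2002-04-03T09:30:00,192.0.2.44,22,SSH scan
siteC,2002-04-03T09:40:00,192.0.2.44,22,SSH scan
"""

def normalize(raw):
    """Parse one CSV-style IDS export into uniform records."""
    records = []
    for line in raw.strip().splitlines():
        site, ts, src, port, sig = line.split(",", 4)
        records.append({"site": site, "ts": datetime.fromisoformat(ts),
                        "src": src, "port": int(port), "sig": sig})
    return records

def hostile_hosts(records, now, window_min=60, min_sites=3):
    """src_ip -> (distinct site count, sorted ports) for sources seen at
    min_sites or more sites within window_min minutes before `now` (ISO)."""
    end = datetime.fromisoformat(now)
    start = end - timedelta(minutes=window_min)
    seen = defaultdict(lambda: {"sites": set(), "ports": set()})
    for r in records:
        if start <= r["ts"] <= end:
            seen[r["src"]]["sites"].add(r["site"])
            seen[r["src"]]["ports"].add(r["port"])
    return {ip: (len(v["sites"]), sorted(v["ports"]))
            for ip, v in seen.items() if len(v["sites"]) >= min_sites}

def blocklist_rules(hostile, expire_min=60):
    """Render temporary per-port filter lines for subscribers (generic ACL
    wording, not a vendor's syntax); each carries an expiry so it is lifted."""
    rules = []
    for ip, (count, ports) in sorted(hostile.items()):
        for port in ports:
            rules.append(f"deny tcp host {ip} any eq {port}  "
                         f"# seen at {count} sites, expires in {expire_min}m")
    return rules

if __name__ == "__main__":
    hostile = hostile_hosts(normalize(SAMPLE_ALERTS), now="2002-04-03T14:30:00")
    print("\n".join(blocklist_rules(hostile)))
```

Distributing these rules with an expiry (and pushing a removal when it lapses) keeps the "temporary" part honest; a source that trips only one site never makes the list.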
