[47835] in North American Network Operators' Group
Re: Arbor Networks DoS defense product
daemon@ATHENA.MIT.EDU (Johannes B. Ullrich)
Thu May 16 00:01:38 2002
Date: 15 May 2002 22:55:42 -0400
Message-Id: <1021517742.1581.13.camel@homer.lan>
From: "Johannes B. Ullrich" <jullrich@sans.org>
To: "PJ" <briareos@otherlands.net>
Cc: "Dan Hollis" <goemon@anime.net>, nanog@merit.edu
X-Euclidian-Scanner-Mail-From: jullrich@sans.org via server
In-Reply-To: <20020516011900.GD2239@elvander.otherlands.net>
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0
Errors-To: owner-nanog-outgoing@merit.edu
> What about timing? What about breaking up
> segments of the network to be scanned by different hosts?
It's really a matter of getting a sizable 'line mine net' up. With
dshield, I hope to ultimately have a couple in each AS, probably with
some local aggregation.
The trick is that you use other people's line mines. It doesn't help you
to use your own. Scan & exploit often come in one package so by the time
you figure out you are scanned, you probably already lost a few hosts.
The trick with distributed (or 'collaborative' as I think it is better
called) intrusion detection is that whoever gets scanned first tells
everyone else.
Also: this has to be automated, because whoever gets hit first is
probably too busy cleaning up to worry about posting all the gory
details on this or any other list.
> How many
> hits on the linemines constitute blocking? Are you blocking hosts or
> networks?
Up to you... Setting too much of a policy would make the system
predictable and vulnerable. (Attacker knows: only scan 99 hosts from
each zombie...)
> Either way, what about dynamic ips?
Blocking a network will take care of them. Other than that: for a
DSL/cable line the IP will not change much, and for a dialup line they
would have to hang up & dial a lot to get a good IP distribution.
> What about scans done
> from different networks other than that which the supposed attacker is
> originating from.
Well, then these networks are marked as "attackers", which is ok. They
can clean up their systems and enjoy full access again.
> It's universities, unsecured wireless LANs, etc.
Same thing: if you run an unsecured wireless network, maybe you
shouldn't have given it access to the net in the first place.
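The collaborative idea in the message above (many sensors report scans to one place, a source is blocked once enough *different* sensors have seen it, and the block can be on the host or on its whole network) is easy to sketch in code. The following is an added illustration written for this archive page; it is not DShield's software or Johannes Ullrich's code. The report line format, the sample report lines, the thresholds, the one-hour window and the /24 network size are all constructed assumptions for the example.

```python
"""Toy collaborative scan-report aggregator (hypothetical, not DShield's code)."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample reports in an assumed "sensor timestamp source_ip dst_port" format.
# Addresses come from the documentation ranges; none of this is real submission data.
SAMPLE_REPORTS = """\
sensorA 2002-05-15T21:00:00 198.51.100.10 80
sensorB 2002-05-15T21:00:05 198.51.100.10 80
sensorC 2002-05-15T21:00:09 198.51.100.10 80
sensorA 2002-05-15T21:01:00 198.51.100.77 21
sensorA 2002-05-15T21:01:02 198.51.100.78 21
sensorB 2002-05-15T21:01:10 198.51.100.79 21
sensorD 2002-05-15T21:01:11 198.51.100.80 21
sensorA 2002-05-15T21:02:00 203.0.113.5 443
sensorA 2002-05-15T21:02:01 203.0.113.5 443
sensorA 2002-05-15T21:02:02 203.0.113.5 443
sensorB 2002-05-15T18:00:00 192.0.2.9 22
sensorC 2002-05-15T18:00:10 192.0.2.9 22
sensorD 2002-05-15T18:00:20 192.0.2.9 22
"""

# Constructed "current time" so the example is reproducible offline.
NOW = datetime(2002, 5, 15, 21, 5, 0)


def parse_reports(text):
    """Parse report lines into (sensor, timestamp, source address, port) tuples."""
    reports = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sensor, ts, src, port = line.split()
        reports.append((sensor, datetime.fromisoformat(ts),
                        ipaddress.ip_address(src), int(port)))
    return reports


def build_blocklist(reports, now, window=timedelta(hours=1),
                    host_threshold=3, net_threshold=3, net_prefix=24):
    """Return (host_blocks, net_blocks) as sets of strings.

    A host is blocked when at least host_threshold DISTINCT sensors reported it
    inside the window; repeated hits from one sensor do not count extra, so a
    single noisy sensor cannot block anyone on its own.  A /net_prefix network
    is blocked when at least net_threshold distinct sensors reported any host
    in it, which catches a dynamic address hopping around one pool.  Reports
    older than the window are ignored, so a source that cleans up drops off
    the list by itself.
    """
    host_sensors = defaultdict(set)
    net_sensors = defaultdict(set)
    for sensor, ts, src, _port in reports:
        if ts > now or now - ts > window:
            continue  # outside the window: stale (or clock skew), ignore
        host_sensors[src].add(sensor)
        net = ipaddress.ip_network((str(src), net_prefix), strict=False)
        net_sensors[net].add(sensor)
    host_blocks = {str(h) for h, s in host_sensors.items() if len(s) >= host_threshold}
    net_blocks = {str(n) for n, s in net_sensors.items() if len(s) >= net_threshold}
    return host_blocks, net_blocks


def is_blocked(ip_str, host_blocks, net_blocks):
    """True if the address is on the host list or inside any blocked network."""
    ip = ipaddress.ip_address(ip_str)
    if str(ip) in host_blocks:
        return True
    return any(ip in ipaddress.ip_network(n) for n in net_blocks)


if __name__ == "__main__":
    hosts, nets = build_blocklist(parse_reports(SAMPLE_REPORTS), NOW)
    print("blocked hosts:", sorted(hosts))
    print("blocked networks:", sorted(nets))
```

Running it on the constructed data blocks the host 198.51.100.10 (three different sensors saw it) and the network 198.51.100.0/24 (four sensors saw hosts in it), while 203.0.113.5 stays unblocked because only one sensor reported it, and 192.0.2.9 stays unblocked because its reports are older than the window. Counting distinct sensors rather than raw hits is the point of the "other people's line mines" remark: one site's view is not enough, and the window is what lets a cleaned-up network "enjoy full access again" without manual intervention.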