[55372] in North American Network Operators' Group


Re: What could have been done differently?

daemon@ATHENA.MIT.EDU (Eliot Lear)
Tue Jan 28 08:14:55 2003

Date: Tue, 28 Jan 2003 05:13:51 -0800
From: Eliot Lear <lear@cisco.com>
To: Sean Donelan <sean@donelan.com>
Cc: nanog@merit.edu
In-Reply-To: <Pine.GSO.4.44.0301280309410.21878-100000@clifden.donelan.com>
Errors-To: owner-nanog-outgoing@merit.edu


Sean,

Ultimately, all mass-distributed software is vulnerable to software 
bugs.  Much as we all like to bash Microsoft, the same problem can occur 
and has occurred through buffer overruns.

One thing that companies can do to mitigate a failure is to detect it 
faster, and stop the source.  Since you don't know what the failure will 
look like, the best you can do is determine what is ``nominal'' through 
profiling, and use IDSes to report to NOCs for considered action.

There are two reasons companies don't want to do this:

1.  It's hard (and expensive).  Profiling nominal means installing IDSes 
everywhere in one's environment at a time when you think things are 
actually working and making assumptions that *other* behavior is to be 
reported.  Worse, network behavior is often cyclical, and you need to 
know how that cycle will impact what is nominal.  Indeed you can have a 
daily, weekly, monthly, quarterly, and annual cycle.  Add to this 
ongoing software deployment and you have something of a moving target.

2.  It doesn't solve all attacks.  Only attacks that break the profile 
will be captured.  Those are going to be those that use new or unusual 
ports, existing "bad" signatures, or excessive bandwidth.

On the other hand, in *some* environments, IDS and an active NOC may 
improve predictability by reducing the time needed to diagnose the problem. 
Who knows?  Perhaps some people did benefit through these methods. 
I'm very curious about netmatrix's view of the whole matter, as compared to 
comparable events.  NANOG presentation, Peter?

Eliot
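The profiling Eliot describes above, learning what is "nominal" and reporting deviations while accounting for the daily and weekly cycle, as an added example that is not part of the original post or of any NANOG member's tooling. It builds a baseline keyed by (weekday, hour) from a constructed history of hourly traffic counts, scores new observations with a robust z-score (median and MAD, a technique chosen here, not one the post names), and computes a single flat baseline alongside it to show why ignoring the cycle turns every ordinary business-hour peak into a false alert. All names, the threshold of 3 and the constructed data are assumptions of this example.

```python
"""
Cycle-aware "nominal" baseline for a traffic counter (added example).

A per-(weekday, hour) profile lets a normal weekday peak pass while the
same volume at 03:00 on a Saturday, a threefold spike, or a sudden drop
during business hours are all reported.  A flat profile is computed for
contrast.  All data below is constructed, not captured traffic.
"""
from collections import defaultdict
from statistics import median

WEEKEND = {5, 6}               # Saturday, Sunday (Monday == 0)
BUSINESS_HOURS = range(9, 18)  # 09:00 through 17:00


def synthetic_history(weeks=4):
    """Constructed hourly byte counts (MB) with a daily and a weekly cycle.

    Weekday business hours sit near 600, other weekday hours near 100,
    weekends near 40, plus a deterministic jitter of -3..+3 so the
    history is not perfectly flat.  Returns (weekday, hour, value) rows.
    """
    rows = []
    for w in range(weeks):
        for d in range(7):
            for h in range(24):
                if d in WEEKEND:
                    base = 40
                elif h in BUSINESS_HOURS:
                    base = 600
                else:
                    base = 100
                jitter = (w * 5 + d * 3 + h) % 7 - 3
                rows.append((d, h, base + jitter))
    return rows


def robust_stats(values):
    """Median plus a robust scale: 1.4826 * MAD, floored at 5% of the
    median (and at 1.0) so a nearly noiseless history does not make
    every tiny wobble look anomalous."""
    m = median(values)
    mad = median([abs(v - m) for v in values])
    scale = max(1.4826 * mad, 0.05 * abs(m), 1.0)
    return m, scale


class CyclicBaseline:
    """Nominal profile keyed by (weekday, hour)."""

    def __init__(self, history):
        buckets = defaultdict(list)
        for d, h, v in history:
            buckets[(d, h)].append(v)
        self.profile = {k: robust_stats(vs) for k, vs in buckets.items()}

    def zscore(self, weekday, hour, value):
        m, scale = self.profile[(weekday, hour)]
        return (value - m) / scale


class FlatBaseline:
    """One profile for every hour of the week, ignoring the cycle."""

    def __init__(self, history):
        self.m, self.scale = robust_stats([v for _, _, v in history])

    def zscore(self, weekday, hour, value):
        return (value - self.m) / self.scale


THRESHOLD = 3.0  # report when |z| exceeds this, in either direction


def is_anomalous(baseline, weekday, hour, value, threshold=THRESHOLD):
    """True when the observation falls outside the nominal band."""
    return abs(baseline.zscore(weekday, hour, value)) > threshold


if __name__ == "__main__":
    hist = synthetic_history()
    cyc, flat = CyclicBaseline(hist), FlatBaseline(hist)
    cases = [
        (0, 10, 600, "Monday 10:00, normal business-hour peak"),
        (5, 3, 600, "Saturday 03:00, same volume off-cycle"),
        (0, 10, 1800, "Monday 10:00, three times the usual peak"),
        (0, 10, 400, "Monday 10:00, traffic drop during the peak"),
    ]
    for d, h, v, label in cases:
        c = "ALERT" if is_anomalous(cyc, d, h, v) else "ok"
        f = "ALERT" if is_anomalous(flat, d, h, v) else "ok"
        print(f"{label:42s} cyclic={c:5s} flat={f}")
```

With four weeks of history the flat profile's median lands on the off-peak value, so the ordinary Monday peak scores well above the threshold and would page the NOC every business day; the cyclic profile scores it near zero and still reports the same volume on a Saturday night, a threefold spike, and a drop to 400 during the peak. Longer cycles (monthly, quarterly) and rolling software deployments would need the key extended or the history window re-learned, which is exactly the moving target the post describes.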

