[65122] in North American Network Operators' Group
Re: The Internet's Immune System
daemon@ATHENA.MIT.EDU (Jamie Reid)
Wed Nov 12 19:01:29 2003
Date: Wed, 12 Nov 2003 18:56:50 -0500
From: "Jamie Reid" <Jamie.Reid@mbs.gov.on.ca>
To: Bryan.Bradsby@capnet.state.tx.us, nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu
It would be useful if these sites allowed you to query them with CIDR ranges to
see if your site had originated any traffic that triggered their sensor arrays. The
IDS community never seems to have wrapped its collective head around routing
information. Looking up single IP addrs is just cosmetic. A real service would
allow for concerned sites to check their entire address allocations.

The solution we have takes a massive amount of data munging of a routing
table and is still experimental, but until attacks can be mapped to meaningful Internet
topographical information, the real value of these distributed IDS efforts cannot be fully
exploited.

I can foresee the argument that people shouldn't be able to look up other sites
which might be compromised, but if they are really so concerned, they should
get their sites patched.

--
Jamie.Reid, CISSP, jamie.reid@mbs.gov.on.ca
Senior Security Specialist, Information Protection Centre
Corporate Security, MBS
416 327 2324

>>> "Bryan Bradsby" <Bryan.Bradsby@capnet.state.tx.us> 11/12/03 04:25pm >>>
> Devise a system that assumes owners of IP space WANT to know about problems.
> report --open-proxy 192.168.1.1 <logfiles
> and have a report sent to whoever needed to know about it.
http://www.Incidents.org
http://www.Dshield.org/howto.php
http://www.MyNetWatchman.com
-bryan bradsby
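The two checks Jamie asks for above, a CIDR-range query against a sensor report and attribution of reported sources to routing-table prefixes by longest-prefix match, as an added example that is not part of the original post. The report lines, the routing table entries (RFC 5737 documentation prefixes with RFC 5398 documentation ASNs) and the "our allocations" list are constructed for illustration; no real service or data is involved.

```python
"""Match IDS sensor reports against CIDR allocations and a routing table.

Added example, not code from the original post. Sample report lines,
prefixes and AS numbers below are constructed (RFC 5737 documentation
prefixes and RFC 5398 documentation ASNs), not real data.
"""
import ipaddress
from collections import defaultdict

# Constructed DShield-style report: source IP, target port, hit count.
SENSOR_REPORT = """\
# src_ip target_port count
203.0.113.17 135 42
203.0.113.200 445 7
198.51.100.9 80 3
198.51.100.140 1433 12
192.0.2.77 25 5
100.64.0.1 53 1
not-an-ip 80 1
"""

# Constructed routing table: (prefix, origin ASN). The /25 inside
# 198.51.100.0/24 is there to exercise longest-prefix match.
ROUTING_TABLE = [
    ("192.0.2.0/24", 64496),
    ("198.51.100.0/24", 64497),
    ("198.51.100.128/25", 64498),
    ("203.0.113.0/24", 64499),
]

# Hypothetical: the prefixes the querying site is responsible for.
OUR_ALLOCATIONS = ["203.0.113.0/24", "198.51.100.128/25"]


def parse_report(text):
    """Return [(ip_address, port, count)], skipping comments and junk lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
            records.append((ip, int(fields[1]), int(fields[2])))
        except ValueError:
            # Malformed source IP or count: the report is untrusted input, drop it.
            continue
    return records


def build_rib(entries):
    """Sort prefixes most-specific first so the first containing prefix wins."""
    rib = [(ipaddress.ip_network(p, strict=True), asn) for p, asn in entries]
    rib.sort(key=lambda e: e[0].prefixlen, reverse=True)
    return rib


def longest_match(rib, ip):
    """Longest-prefix match of ip against the sorted RIB; None if unrouted."""
    for net, asn in rib:
        if ip.version == net.version and ip in net:
            return net, asn
    return None


def hits_in_allocations(records, cidrs):
    """The CIDR query the post asks for: report entries inside any of cidrs."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return [r for r in records if any(r[0] in n for n in nets)]


def attribute_by_origin(records, rib):
    """Aggregate hit counts per (prefix, origin ASN); unrouted sources go under None."""
    totals = defaultdict(int)
    for ip, _port, count in records:
        match = longest_match(rib, ip)
        key = (str(match[0]), match[1]) if match else None
        totals[key] += count
    return dict(totals)


if __name__ == "__main__":
    recs = parse_report(SENSOR_REPORT)
    rib = build_rib(ROUTING_TABLE)
    for ip, port, count in hits_in_allocations(recs, OUR_ALLOCATIONS):
        print(f"ours: {ip} -> port {port} ({count} hits)")
    for key, total in sorted(attribute_by_origin(recs, rib).items(), key=str):
        print(f"{key}: {total} hits")
```

The RIB is sorted by prefix length so the first containing entry is the longest match, which is why 198.51.100.140 is attributed to the /25 (AS64498) while 198.51.100.9 falls through to the covering /24 (AS64497); a source with no covering prefix is reported separately rather than silently dropped.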