[65124] in North American Network Operators' Group


Re: The Internet's Immune System

daemon@ATHENA.MIT.EDU (Johannes Ullrich)
Wed Nov 12 19:41:23 2003

From: Johannes Ullrich <jullrich@euclidian.com>
Reply-To: jullrich@euclidian.com
To: Jamie Reid <Jamie.Reid@mbs.gov.on.ca>
Cc: Bryan.Bradsby@capnet.state.tx.us, nanog@merit.edu
In-Reply-To: <sfb28354.079@imail.mbs.gov.on.ca>
Date: Wed, 12 Nov 2003 19:37:30 -0500
Errors-To: owner-nanog-outgoing@merit.edu



As far as reporting is concerned, we do have a number of ways you can
query our DShield data. First of all, by prefix (right now only /8, /16,
/24). But we do send out daily custom reports per request. Just send me
an e-mail.

There is also a test version of a report by ASN:
http://www.dshield.org/asreport.php
It's experimental and feedback is welcome. It is set up to be machine
parsable.




On Wed, 2003-11-12 at 18:56, Jamie Reid wrote:
> It would be useful if these sites allowed you to query them with CIDR ranges to 
> see if your site had originated any traffic that triggered their sensor arrays. The 
> IDS community never seems to have wrapped its collective head around routing 
> information. Looking up single IP addrs is just cosmetic. A real service would 
> allow for concerned sites to check their entire address allocations. 
> 
> The solution we have takes a massive amount of data munging of a routing
> table and is still experimental, but until attacks can be mapped to meaningful Internet
> topographical information, the real value of these distributed IDS efforts cannot be fully 
> exploited.  
> 
> I can foresee the argument that people shouldn't be able to look up other sites
> which might be compromised, but if they are really so concerned, they should 
> get their sites patched. 
> 
> 
> 
> 
> --
> Jamie.Reid, CISSP, jamie.reid@mbs.gov.on.ca
> Senior Security Specialist, Information Protection Centre 
> Corporate Security, MBS  
> 416 327 2324 
> >>> "Bryan Bradsby" <Bryan.Bradsby@capnet.state.tx.us> 11/12/03 04:25pm >>>
> 
> > Devise a system that assumes owners of IP space WANT to know about problems.
> > report --open-proxy 192.168.1.1 <logfiles
> > and have a report sent to whoever needed to know about it.
> 
> http://www.Incidents.org
> http://www.Dshield.org/howto.php
> http://www.MyNetWatchman.com
> 
> -bryan bradsby
-- 
--------------------------------------------------------------
Johannes Ullrich                     jullrich@euclidian.com
pgp key: http://johannes.homepc.org/PGPKEYS
--------------------------------------------------------------
   "We regret to inform you that we do not enable any of the 
    security functions within the routers that we install."
         support@covad.net
--------------------------------------------------------------
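
Added example (not part of the original messages, and not DShield code): a sketch of the allocation-wide lookup discussed in this thread, mapping flagged source addresses onto a site's own CIDR allocations and rolling them up by /24. The record layout, the function name `hits_by_allocation` and all addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sensor records: (source IP, target port, hit count).
# This layout is an assumption, not DShield's report format.
SAMPLE_RECORDS = [
    ("10.20.1.5", 1080, 40),
    ("10.20.1.9", 3128, 5),
    ("10.20.7.1", 135, 12),
    ("192.0.2.77", 445, 300),     # outside every allocation below
    ("198.51.100.9", 135, 7),
    ("198.51.100.130", 135, 3),   # same /24, but outside the /25 allocation
    ("not-an-ip", 80, 1),         # malformed record, skipped
]

def hits_by_allocation(records, allocations, rollup=24):
    """Return {allocation: {rollup_prefix: total_hits}} for flagged sources
    that fall inside one of the site's allocations."""
    # Most specific allocation first, so overlapping blocks resolve cleanly.
    nets = sorted((ipaddress.ip_network(a) for a in allocations),
                  key=lambda n: n.prefixlen, reverse=True)
    out = defaultdict(lambda: defaultdict(int))
    for src, _port, count in records:
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # ignore lines that do not carry a valid address
        for net in nets:
            if ip.version == net.version and ip in net:
                # Never roll up to a block wider than the allocation itself.
                plen = max(rollup, net.prefixlen)
                bucket = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
                out[str(net)][str(bucket)] += count
                break
    return {alloc: dict(buckets) for alloc, buckets in out.items()}

if __name__ == "__main__":
    report = hits_by_allocation(SAMPLE_RECORDS,
                                ["10.20.0.0/16", "198.51.100.0/25"])
    for alloc, buckets in sorted(report.items()):
        for prefix, hits in sorted(buckets.items()):
            print(f"{alloc}\t{prefix}\t{hits}")
```
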


