nanog mailing list archives
Re: Hi, we're from the government and we're here to help (long)
From: Chris Brenton <cbrenton () sover net>
Date: Tue, 14 Mar 2000 17:34:49 -0500
Patrick Greenwell wrote:
I think it is an intersting idea, however I believe it somewhat misses the point. While a "clearinghouse" is indeed a potentially useful entity, my suggestion centers more around actually getting NOCs to talk to each other and come up with a common approach to event handling.
My thinking is that its not just ISP's that have problems with reaching the proper security contact at another ISP, but end user networks as well. A central point of contact could help facilitate both sets of communications. My experience has been that its usually pretty rare for an organization to contact their local ISP when a security problem occurs. Typically its the ISP at the other end of the connection that gets contacted because they are in the best position to do something about the attack. Of course you can't easily ID the source with many attack patterns, thus the need to come up with some kind of a formal handling procedure. My gut is that this would be easier to facilitate through a central point of contact rather than dealing with a distributed model where everyone needs some method of staying in sync.
My 100,000 foot view tells me the problem is not security, it is a lack of communication between providers. Enable that, then a reasonable stab can be made at semi-cohesive security alert notification.
Kind of funny that the largest communication infrastructure has actually caused its on set of communication problems. ;) I agree the problem is not security per se, but in addition to communication its also a data resource problem. Unless you are logging everything that coming out of your network, its difficult to keep track of who is doing what. Thus the "clearing house" idea as a central point of data collection. I know that as part of GIAC we've been successful in helping to pin down a number of purps as well as compromised systems just by being able to correlate data from multiple targets. This makes it much easier to see patterns. Its also a good way to get the scoop on what's going down both positive and negative. For example I've seen a number of domains mistake the 3DNS probes for attacks and kill all connectivity with the source network. By keeping the community at large in the loop as to what was really going on, we where able to clarify some misconceptions.
Absolutely correct. The infrastructure is beginning to generate far too much revenue to be ignored anymore.
Agreed, although based on the lack of interest in my original post I don't see it getting addressed in short order. Thanks! Chris -- ************************************** cbrenton () sover net * Multiprotocol Network Design & Troubleshooting http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet * Mastering Network Security http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
Current thread:
- Hi, we're from the government and we're here to help Sean Donelan (Mar 09)
- Re: Hi, we're from the government and we're here to help Joe Shaw (Mar 09)
- Re: Hi, we're from the government and we're here to help Randy Bush (Mar 09)
- Re: Hi, we're from the government and we're here to help Henry R. Linneweh (Mar 10)
- Re: Hi, we're from the government and we're here to help Patrick Greenwell (Mar 10)
- Message not available
- Re: Hi, we're from the government and we're here to help Kelly J. Cooper (Mar 10)
- Re: Hi, we're from the government and we're here to help Patrick Greenwell (Mar 10)
- Message not available
- Re: Hi, we're from the government and we're here to help (long) Chris Brenton (Mar 13)
- Re: Hi, we're from the government and we're here to help (long) Patrick Greenwell (Mar 13)
- Re: Hi, we're from the government and we're here to help (long) Chris Brenton (Mar 14)
- Re: Hi, we're from the government and we're here to help (long) Randy Bush (Mar 14)
- Re: Hi, we're from the government and we're here to help (long) Patrick Greenwell (Mar 14)
- Re: Hi, we're from the government and we're here to help Chris Brenton (Mar 14)
- Re: Hi, we're from the government and we're here to help Henry R. Linneweh (Mar 14)
- Re: Hi, we're from the government and we're here to help Patrick Greenwell (Mar 14)
- Re: Hi, we're from the government and we're here to help Joe Shaw (Mar 09)
- <Possible follow-ups>
- Re: Hi, we're from the government and we're here to help Sean Donelan (Mar 09)
- Re: Hi, we're from the government and we're here to help Paul Ferguson (Mar 09)
- Re: Hi, we're from the government and we're here to help Jeremy Porter (Mar 09)
- Re: Hi, we're from the government and we're here to help Lauren F. Nowlin (Mar 09)
- Re: Hi, we're from the government and we're here to help Hal Murray (Mar 10)