nanog mailing list archives

Re: How to get better security people


From: Richard A Steenbergen <ras () e-gerbil net>
Date: Wed, 3 Apr 2002 12:45:31 -0500


On Wed, Apr 03, 2002 at 06:22:01PM +0100, Avleen Vig wrote:
> 
> On Wed, 3 Apr 2002, batz wrote:
> 
> > Personally, I would like to see a mixture of the MAPS RBL and
> > aris.securityfocus.com available, where emerging hostile netblocks
> > can be blackholed for short periods of time using attack information
> > gathered from and corroborated by a vast array of diverse sources.
> 
> Have a look at SAFE (url in sig).
> We detect smurf amplifiers and I'm currently looking at ways to export
> data to companies regarding large smurf amplifiers (>x250 amplification)
> who refuse to close after X number of warnings.
> 
> I expect it will run on a free, but subscribed + authenticated basis (ie,
> a company subscribes and gives the IPs of their DNS servers and those
> servers are authorized to do lookups, but script kiddies cannot).

Many a year ago I ran a "scan and bitch" service for smurf amps (afaik it
was the first, predated netscan.org and powertech.no). Measuring raw 
packet multiplications is really a terribly incorrect method to measure 
the "badness" of a smurf amplifier. People routinely have T1's replying 
50,000 times, and other such junk. You might be better off going back 
through all the broadcasts you got positive hits from, and try sending 
bigger packets and measuring actual received bandwidth. You'll find that 
multiplication has almost no bearing in predicting the bandwidth of an 
attack.

As for your service listing them... Smurfs aren't spam, so I'm not sure
what you plan to accomplish by making the data available via DNS, it would
really only be useful as a BGP feed. Even then, its usefulness is
limited. I suppose you could null route traffic to specific broadcast
addresses to prevent people originating smurfs from your network with
minimal impact on legit services, or if you are a big transit provider
with balls you could apply it to all your customers.

There is no protocol (disclaimer: that I'm aware of) for distributing IP
lists that could be filtered by source address, let alone other more
intelligent things like distributing firewall rulesets so you could pick
off only the echo replies, BUT MAYBE THERE SHOULD BE. <-- HINT!

-- 
Richard A Steenbergen <ras () e-gerbil net>       http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)
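The measurement point above (rank amplifiers by the bandwidth they can actually deliver, not by how many replies a tiny probe draws) is easy to get wrong in a scanner, so here is an added worked example. It is not code from the post, from SAFE, or from any of the scanners mentioned; the probe results are constructed, and the null-route lines use an assumed Cisco IOS-style static route syntax.

```python
"""Rank smurf amplifiers by delivered bandwidth rather than raw packet multiplication.

Added example (not from the original thread). Probe results are constructed:
each ProbeResult is one measurement window in which a scanner sent echo requests
of a fixed size to a directed-broadcast address and counted the replies.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProbeResult:
    broadcast: str     # directed-broadcast address that was probed
    probe_bytes: int   # on-the-wire size of each echo request sent
    probes_sent: int   # echo requests sent during the window
    replies: int       # echo replies received during the window
    reply_bytes: int   # total on-the-wire bytes of those replies
    window_s: float    # length of the measurement window in seconds


def multiplication(r: ProbeResult) -> float:
    """Raw packet multiplication: replies per request. This is the misleading number."""
    return r.replies / r.probes_sent


def received_bps(r: ProbeResult) -> float:
    """Bandwidth the amplifier actually delivered back during the window."""
    return r.reply_bytes * 8 / r.window_s


def rank(results, min_bps: float = 0.0):
    """Return [(broadcast, small-probe multiplication, peak delivered bps)], worst first.

    The peak is taken across all probe sizes for the same broadcast, so a site whose
    uplink caps the reply stream shows its real ceiling once larger probes are sent.
    """
    by_bcast = defaultdict(list)
    for r in results:
        by_bcast[r.broadcast].append(r)
    rows = []
    for bcast, rs in by_bcast.items():
        smallest = min(rs, key=lambda r: r.probe_bytes)
        peak = max(received_bps(r) for r in rs)
        rows.append((bcast, multiplication(smallest), peak))
    return sorted((row for row in rows if row[2] >= min_bps),
                  key=lambda row: row[2], reverse=True)


def null_routes(rank_rows, min_bps: float):
    """Emit static null routes (assumed IOS-style syntax) for amplifiers above a bandwidth bar."""
    return ["ip route %s 255.255.255.255 Null0" % bcast
            for bcast, _, bps in rank_rows if bps >= min_bps]


# Constructed sample: two amplifiers, one second windows.
SAMPLE = [
    # 192.0.2.255: big LAN behind a T1. 1200 hosts answer a 64-byte probe, but once
    # 1500-byte probes go in, the uplink only gets ~120 replies/second back out.
    ProbeResult("192.0.2.255", 64, 1, 1200, 76_800, 1.0),
    ProbeResult("192.0.2.255", 1500, 10, 120, 180_000, 1.0),
    # 198.51.100.255: 40-host LAN on a fat pipe. Low multiplication, but it sustains
    # full-size replies to a burst of 50 probes without dropping any.
    ProbeResult("198.51.100.255", 64, 1, 40, 2_560, 1.0),
    ProbeResult("198.51.100.255", 1500, 50, 2000, 3_000_000, 1.0),
]

if __name__ == "__main__":
    ranked = rank(SAMPLE)
    for bcast, mult, bps in ranked:
        print("%-16s x%-6.0f %8.2f Mbit/s" % (bcast, mult, bps / 1e6))
    for line in null_routes(ranked, min_bps=10e6):
        print(line)
```

Sorting by multiplication would put 192.0.2.255 (x1200) at the top; sorting by delivered bandwidth puts 198.51.100.255 (x40, but 24 Mbit/s back) first, which is the point made above. The threshold passed to null_routes is the knob a transit provider would tune before applying the result to customer traffic.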

