nanog mailing list archives
Re: Arbor Networks DoS defense product
From: "Johannes B. Ullrich" <jullrich () sans org>
Date: 15 May 2002 22:55:42 -0400
> What about timing? What about breaking up segments of the network to be scanned by different hosts?

It's really a matter of getting a sizable 'line mine net' up. With DShield, I hope to ultimately have a couple in each AS, probably with some local aggregation. The trick is that you use other people's line mines. It doesn't help you to use your own. Scan & exploit often come in one package, so by the time you figure out you are scanned, you probably already lost a few hosts. The trick with distributed (or 'collaborative', as I think it is better called) intrusion detection is that whoever gets scanned first tells everyone else. Also: this has to be automated, because whoever gets hit first is probably too busy cleaning up to worry about posting all the gory details on this or any other list.

> How many hits on the line mines constitute blocking? Are you blocking hosts or networks?

Up to you... Setting too much of a policy would make the system predictable and vulnerable. (Attacker knows: only scan 99 hosts from each zombie...)

> Either way, what about dynamic IPs?

Blocking a network will take care of them. Other than that: for a DSL/cable line the IP will not change much, and for a dialup line they would have to hang up & dial a lot to get a good IP distribution.

> What about scans done from different networks other than that which the supposed attacker is originating from?

Well, then these networks are marked as "attackers", which is OK. They can clean up their systems and enjoy full access again.

> It's universities, unsecured wireless LANs, etc.

Same thing: if you run an unsecured wireless network, maybe you shouldn't have given it access to the net in the first place.
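Added example (not from the thread and not DShield's own code): a small Python sketch of the pooling Johannes describes, where a site acts on reports from many other sensors, blocks a single host only once enough distinct reporting ASes have named it, escalates to a /24 when several hosts in it are reported (which is what covers dynamic IPs), and derives the exact trigger count from a per-site secret so the policy is not predictable. The report format, AS numbers and addresses are constructed.

```python
"""Pooled scan reports in the spirit of the 'line mine net' described above.
Report format, AS numbers and addresses are constructed for the example."""
import hashlib
import ipaddress
from collections import defaultdict

# Constructed sample reports: (reporting AS, source IP that scanned it).
SAMPLE_REPORTS = [
    ("AS64500", "198.51.100.7"), ("AS64501", "198.51.100.7"),
    ("AS64502", "198.51.100.7"), ("AS64503", "198.51.100.7"),  # 1 host, 4 ASes
    ("AS64500", "192.0.2.9"), ("AS64500", "192.0.2.9"),        # same reporter twice
    ("AS64500", "203.0.113.10"), ("AS64501", "203.0.113.11"),  # 4 hosts spread
    ("AS64502", "203.0.113.12"), ("AS64503", "203.0.113.13"),  # over one /24
]


def site_threshold(site_secret: bytes, base: int = 2, jitter: int = 3) -> int:
    """Distinct reporters needed before acting: base plus a secret-derived
    offset in [0, jitter), so the exact trigger count is not predictable."""
    return base + hashlib.sha256(site_secret).digest()[0] % jitter


def decide_blocks(reports, site_secret: bytes, net_hosts: int = 3):
    """Return (blocked hosts, blocked /24s) as sorted lists of strings.

    A host is blocked once `threshold` distinct ASes reported it; one sensor
    repeating the same source does not count extra. A /24 is blocked once
    `net_hosts` distinct hosts in it were reported by `threshold` distinct
    ASes, which is what catches dial-up or other dynamic-IP churn.
    """
    threshold = site_threshold(site_secret)
    reporters_by_host = defaultdict(set)
    for asn, src in reports:
        reporters_by_host[ipaddress.ip_address(src)].add(asn)
    hosts = {h for h, r in reporters_by_host.items() if len(r) >= threshold}

    net_hosts_seen, net_reporters = defaultdict(set), defaultdict(set)
    for host, reporters in reporters_by_host.items():
        net = ipaddress.ip_network(f"{host}/24", strict=False)
        net_hosts_seen[net].add(host)
        net_reporters[net].update(reporters)
    nets = {n for n in net_hosts_seen
            if len(net_hosts_seen[n]) >= net_hosts
            and len(net_reporters[n]) >= threshold}
    return sorted(map(str, hosts)), sorted(map(str, nets))
```

Running `decide_blocks(SAMPLE_REPORTS, b"constructed-site-secret")` blocks only the host named by four different ASes and the /24 spread across four hosts; the source reported twice by the same sensor is left alone.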