nanog mailing list archives

Re: Arbor Networks DoS defense product


From: "Johannes B. Ullrich" <jullrich () sans org>
Date: 15 May 2002 22:55:42 -0400



> What about timing?  What about breaking up
> segments of the network to be scanned by different hosts?

It's really a matter of getting a sizable 'line mine net' up. With
dshield, I hope to ultimately have a couple in each AS, probably with
some local aggregation.

The trick is that you use other people's line mines. It doesn't help you
to use your own. Scan & exploit often come in one package so by the time
you figure out you are scanned, you probably already lost a few hosts.
The trick with distributed (or 'collaborative' as I think it is better
called) intrusion detection is that whoever gets scanned first tells
everyone else.

Also: This has to be automated. Because whoever gets hit first is
probably too busy cleaning up to worry about posting all the gory
details on this or any other list.


> How many
> hits on the linemines constitute blocking?  Are you blocking hosts or
> networks?

Up to you... Setting too much of a policy would make the system
predictable and vulnerable. (Attacker knows: only scan 99 hosts from
each zombie...)

> Either way, what about dynamic IPs?

Blocking a network will take care of them. Other than that: for a
DSL/cable line the IP will not change much, and for a dialup line they
would have to hang up & dial a lot to get a good IP distribution.

> What about scans done
> from different networks other than that which the supposed attacker is
> originating from.

Well, then these networks are marked as "attackers", which is ok. They
can clean up their systems and enjoy full access again.

> It's universities, unsecured wireless LANs, etc.

Same thing: if you run an unsecured wireless network, maybe you
shouldn't have given it access to the net in the first place.
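As an added illustration of the aggregation and blocking policy discussed in this message (example code written for this archive page, not DShield's software or anything the poster published; the Report fields, the thresholds and the sample addresses are all assumed or constructed), the following Python sketch shows a central aggregator that only flags a source once sensors in several distinct ASes have reported it, and escalates from host to network blocks when several flagged hosts share a prefix, which is also what catches address churn on dynamic pools:

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Report:
    """One sensor hit: which AS's sensor saw it and which source address."""
    sensor_as: int   # AS number of the reporting sensor ("line mine"), assumed field
    src_ip: str      # source address that probed the sensor
    dst_port: int    # port probed (kept for context only)


# Constructed sample data (not real traffic):
#  - 10.9.8.7 probes sensors in three different ASes
#  - 192.0.2.55 hits one site's sensor repeatedly (local noise, no corroboration)
#  - three hosts in 198.51.100.0/24 each hit sensors in two ASes
SAMPLE_REPORTS = [
    Report(100, "10.9.8.7", 445),
    Report(200, "10.9.8.7", 445),
    Report(300, "10.9.8.7", 445),
] + [Report(100, "192.0.2.55", 22) for _ in range(5)] + [
    Report(asn, f"198.51.100.{host}", 1433)
    for host in (10, 11, 12)
    for asn in (100, 200)
]


class Aggregator:
    """Collects reports from many sites and decides what to block.

    A host is flagged only when sensors in at least `min_reporters` distinct
    ASes have seen it (one site's own hits are not enough), and a network is
    flagged when at least `network_host_threshold` flagged hosts fall into the
    same prefix. The thresholds are hypothetical defaults, not DShield policy.
    """

    def __init__(self, min_reporters=2, min_hits=2,
                 network_prefix=24, network_host_threshold=3):
        self.min_reporters = min_reporters
        self.min_hits = min_hits
        self.network_prefix = network_prefix
        self.network_host_threshold = network_host_threshold
        self._reporters = defaultdict(set)   # src_ip -> set of reporting ASes
        self._hits = defaultdict(int)        # src_ip -> total hits

    def ingest(self, report: Report) -> None:
        ip = str(ip_address(report.src_ip))  # normalises and validates the address
        self._reporters[ip].add(report.sensor_as)
        self._hits[ip] += 1

    def flagged_hosts(self) -> list:
        """Sources corroborated by enough distinct sites and enough hits."""
        return sorted(
            ip for ip in self._hits
            if len(self._reporters[ip]) >= self.min_reporters
            and self._hits[ip] >= self.min_hits
        )

    def flagged_networks(self) -> list:
        """Prefixes that contain several flagged hosts (covers dynamic pools)."""
        per_net = defaultdict(set)
        for ip in self.flagged_hosts():
            net = ip_network(f"{ip}/{self.network_prefix}", strict=False)
            per_net[str(net)].add(ip)
        return sorted(
            net for net, hosts in per_net.items()
            if len(hosts) >= self.network_host_threshold
        )

    def block_list(self) -> dict:
        """Network blocks subsume the host blocks inside them."""
        nets = [ip_network(n) for n in self.flagged_networks()]
        hosts = [
            ip for ip in self.flagged_hosts()
            if not any(ip_address(ip) in n for n in nets)
        ]
        return {"hosts": hosts, "networks": [str(n) for n in nets]}


def run_sample() -> dict:
    """Feed the constructed reports through the aggregator."""
    agg = Aggregator()
    for r in SAMPLE_REPORTS:
        agg.ingest(r)
    return agg.block_list()


if __name__ == "__main__":
    print(run_sample())
```

Run as a script it prints the resulting block list: the single-site noise source is never flagged because no second AS corroborated it, the cross-AS scanner is blocked as a host, and the three neighbouring hosts collapse into one /24 block. Replacing the fixed thresholds with per-site or randomised values is the knob that keeps the policy from being fully predictable, as the message notes.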




