Firewall Wizards mailing list archives

Re: "Who else picked this one up?"


From: "Paul D. Robertson" <proberts () clark net>
Date: Fri, 30 Apr 1999 20:08:40 -0400 (EDT)

On Fri, 30 Apr 1999, Marcus J. Ranum wrote:

> NFR) have been looking into adding a feature in the next version
> of Back Officer to allow someone to publish these kinds of
> records (potentially with a hashed IP address instead of the
> real one) to a central location for statistics, forensics,

A hashed IP address isn't going to be really useful as a cover if it's 
easily recreated, and not so useful as a tool if it isn't.  I'd rather 
see heavy disclaimers that packets may be spoofed and real addresses.

The important issue IMO is in the reporter's validity.  That's a tougher 
nut to crack, but should probably be a longer-term goal.  Victim data is 
going to be more difficult to get from everyone than attacker data.  

How do you envision using the data, and how much of it (if any) should be 
blind analysis?

> Anyone got thoughts they'd like to share about some of the
> information that might be worth gathering? We thought we'd

Originating AS of the apparent source of the packets.  It's time to start 
dragging providers into the mess in some tangential way.  If there are 
highly abusive networks, then that issue needs to be raised with those 
network operators.

Time both local and zulu (GMT) would also be good for overall trending.  

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
                                                                     PSB#9280
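
The hashed-address trade-off raised in the message above, as an added example that is not part of the original post or of any NFR product: an unkeyed hash of an IPv4 address can be recreated by enumerating candidate addresses, while a keyed hash stays comparable across reports but can only be recreated by someone holding the key. The function names, the key, and the 192.0.2.0/24 documentation range are assumptions made for this sketch.

```python
import hashlib
import hmac
import ipaddress


def plain_hash(ip: str) -> str:
    """Unkeyed SHA-256 over the packed 4-byte address."""
    return hashlib.sha256(ipaddress.IPv4Address(ip).packed).hexdigest()


def keyed_hash(ip: str, key: bytes) -> str:
    """HMAC-SHA-256 over the packed address; the key stays with the collector."""
    return hmac.new(key, ipaddress.IPv4Address(ip).packed, hashlib.sha256).hexdigest()


def recreate(digest: str, network: str, hash_fn=plain_hash):
    """Hash every address in `network` and return the one matching `digest`.

    IPv4 has only 2**32 possible inputs, so the same loop over the whole
    address space is a bounded amount of work for an unkeyed hash.
    """
    for addr in ipaddress.ip_network(network):
        if hmac.compare_digest(hash_fn(str(addr)), digest):
            return str(addr)
    return None


if __name__ == "__main__":
    # Constructed sample values (RFC 5737 documentation range, demo key).
    source = "192.0.2.77"
    key = b"constructed-demo-key"

    # Unkeyed: anyone who sees the published digest can recreate the address.
    print("unkeyed :", recreate(plain_hash(source), "192.0.2.0/24"))

    # Keyed: the same source always yields the same token, so reports still
    # correlate, but enumeration without the key finds nothing.
    token = keyed_hash(source, key)
    print("stable  :", token == keyed_hash(source, key))
    print("no key  :", recreate(token, "192.0.2.0/24"))

    # Key holders can still recreate it, so the key is the real secret.
    print("with key:", recreate(token, "192.0.2.0/24",
                                lambda ip: keyed_hash(ip, key)))
```
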



