Firewall Wizards mailing list archives
Re: "Who else picked this one up?"
From: "Paul D. Robertson" <proberts () clark net>
Date: Fri, 30 Apr 1999 22:43:16 -0400 (EDT)
On Fri, 30 Apr 1999, Marcus J. Ranum wrote:

> with Paul that putting heavy disclaimers around the database would be a sensible precaution, but I don't want to trust people's ability to read disclaimers.
Use the same schema that you use for NFR downloads perhaps? [Complete agreement on the rating scheme] Do you intend to make the database available, the data, or both? NFR-like graphs would be useful for generating reports justifying ID systems.
> > How do you envision using the data, and how much of it (if any) should be blind analysis?
>
> Well, that's the _really_ interesting question!!! What could this data be used for? First off, it'd be the first attempt I know of to quantify the level and rate with which corporate and personal sites/systems are scanned by "vulnerability assessment" tools (hacker tools) or "illustrate problems with windows security" tools (hacker tools). The information there could make for some interesting studies.
Definitely. Real studies too, not just academic ones. I mean that the data is semi-realtime useful, and could eventually become real-time useful if an RBL-like mechanism could be used to share some of the information between IDS', if we take a longer host-key'ed auto-reporting feature, then coordinating reports in real-time becomes possible. That makes things very interesting, very quickly. Also things like Easter's attacks become immediately recognizable and eventually threatcons and eventually reactions can be done in realtime.
> Are web sites (like where you work, Paul...?) scanned more often
We don't tend to allow the packets in to the sites, so I think you'll pretty quickly want to get a script that generates the same submission data from Cisco access list logging. If we can agree on a format, I'll ante that up as my contribution.
> It might be very interesting to see what ISPs are the main sources of "incidents" and forward the information to them. Perhaps automatically. :)
This is my main reason for wanting originating-AS data. I also think it gives us a chance to pressure the NSP/ISP/Carriers that we use to transit our data. If we get to a point where blackholing is feasible, then that's a good thing, but that's not my intention with the request, and I don't think we're anywhere near feasibility for that step.
> It might make some useful data for getting corporate management and ISP management and maybe even Feds to realize that, yes, Dorothy, there is a problem. It might make useful data for convincing people that dial-up is not secure. It might make useful data for convincing cable service providers to think about designing their crap better.
It would.
> > Originating AS of the apparent source of the packets. It's time to start dragging providers into the mess in some tangential way. If there are highly abusive networks, then that issue needs to be raised with those network operators.
>
> Yep. It'd be _tempting_ to black hole them but I don't think it's time (yet) for Internet vigilantism. _Yet_. We can't, _yet_ because we don't have good enough data to justify vigilantism.
I don't want to blackhole them, I want to read them a riot act, and I want them to start taking some accountability for their customers. Ultimately, I want *them* detecting the scans.
> > Time both local and zulu (GMT) would also be good for overall trending.
>
> Good point. I figured we'd have the client submit its idea of the time (and timezone) when it uploads records. Then we could use patented subtraction technology to adjust the times.
Hmmm, can we put subtraction under the GPL? ;)
> I also was thinking that the source of the data records would be optional. A site uploading records could upload them with its "tagged" addresses, or keyed hashes of the tagged addresses. That wouldn't show up in the database for query, it'd just be recorded by unique site ID.
Don't forget to add a "null address" key for sites that don't want to release any addresses for some reason or other who can still contribute useful data.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
PSB#9280
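The pieces the thread sketches (a script that turns Cisco access-list logging into submission records, a client-supplied local time plus timezone that the collector subtracts into zulu, an originating-AS field for the scanning source, and a site's own addresses sent plain, as keyed hashes, or as a null address) fit together in a small parser. The block below is an added example for this archive page, not code from the thread or from any NFR tool; the record field names, the sample log lines, the per-site secret key and the prefix-to-AS table are all constructed assumptions, and a real deployment would replace the table with a routing-table or whois lookup.

```python
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample lines in the Cisco IOS access-list logging format
# (%SEC-6-IPACCESSLOGP); addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Apr 30 21:15:02 %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(1031) -> 198.51.100.5(80), 1 packet
Apr 30 21:15:09 %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(1032) -> 198.51.100.5(31337), 1 packet
Apr 30 21:16:40 %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.77(2049) -> 198.51.100.9(12345), 1 packet
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)

# Constructed prefix-to-AS table; a hypothetical stand-in for a real
# route/whois lookup of the apparent source's originating AS.
ORIGIN_AS = {"192.0.2.": 64496, "203.0.113.": 64497}


def origin_as(addr: str) -> Optional[int]:
    for prefix, asn in ORIGIN_AS.items():
        if addr.startswith(prefix):
            return asn
    return None


def to_zulu(local_ts: str, year: int, utc_offset_hours: float) -> str:
    """Cisco syslog stamps carry no year or zone; the submitting site
    supplies both, and the collector subtracts the offset to get GMT."""
    normalized = " ".join(local_ts.split())  # collapse Cisco's padded day
    naive = datetime.strptime(f"{year} {normalized}", "%Y %b %d %H:%M:%S")
    local = naive.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    return local.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def tag_site_address(addr: str, mode: str, site_key: Optional[bytes]) -> Optional[str]:
    """Apply the site's chosen disclosure level to one of its own addresses."""
    if mode == "plain":
        return addr
    if mode == "hashed":
        if not site_key:
            raise ValueError("hashed mode needs a per-site secret key")
        # Keyed hash: stable within one site (so per-host trends survive),
        # not reversible by the collector, and not comparable across sites.
        return hmac.new(site_key, addr.encode(), hashlib.sha256).hexdigest()[:16]
    if mode == "null":
        return None  # the "null address" key: no site addresses released at all
    raise ValueError(f"unknown address mode {mode!r}")


def build_submission(log_text, site_id, year, utc_offset_hours, mode, site_key=None):
    """Parse access-list log lines into submission records (assumed field names)."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        records.append({
            "site_id": site_id,
            "time_local": m["ts"],
            "tz_offset_hours": utc_offset_hours,
            "time_zulu": to_zulu(m["ts"], year, utc_offset_hours),
            "src": m["src"],                 # scanning source stays visible
            "src_as": origin_as(m["src"]),
            "src_port": int(m["sport"]),
            "dst": tag_site_address(m["dst"], mode, site_key),
            "dst_port": int(m["dport"]),
            "proto": m["proto"],
            "acl": m["acl"],
            "action": m["action"],
        })
    return records


if __name__ == "__main__":
    # EDT site, 1999, releasing its own addresses only as keyed hashes.
    for rec in build_submission(SAMPLE_LOG, "site-0001", 1999, -4, "hashed", b"example-site-key"):
        print(rec)
```

The source address and its originating AS are kept in the clear because that is the data the collector needs to trend scans and to raise abuse with the carrier, while the destination (the submitting site's own host) is the field the site controls: plain, a per-site HMAC that lets the collector count repeat hits on one host without learning which host, or nothing at all.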