Firewall Wizards mailing list archives

Re: "Who else picked this one up?"


From: "Paul D. Robertson" <proberts () clark net>
Date: Fri, 30 Apr 1999 22:43:16 -0400 (EDT)

On Fri, 30 Apr 1999, Marcus J. Ranum wrote:

with Paul that putting heavy disclaimers around the
database would be a sensible precaution, but I don't want to
trust people's ability to read disclaimers.

Use the same schema that you use for NFR downloads perhaps?

[Complete agreement on the rating scheme]

Do you intend to make the database available, the data, or both?

NFR-like graphs would be useful for generating reports justifying ID 
systems.  

How do you envision using the data, and how much of it (if any) should be 
blind analysis?

Well, that's the _really_ interesting question!!!
What could this data be used for?

First off, it'd be the first attempt I know of to quantify
the level and rate with which corporate and personal sites/systems
are scanned by "vulnerability assessment" tools (hacker tools)
or "illustrate problems with windows security" tools (hacker tools).
The information there could make for some interesting studies.

Definitely.  Real studies too, not just academic ones.  I mean that the 
data is semi-realtime useful, and could eventually become real-time 
useful if an RBL-like mechanism could be used to share some of the 
information between IDS', if we take a longer host-key'ed auto-reporting 
feature, then coordinating reports in real-time becomes possible.  That 
makes things very interesting, very quickly.  Also things like Easter's 
attacks become immediately recognizable and eventually threatcons and 
eventually reactions can be done in realtime.   

Are web sites (like where you work, Paul...?) scanned more often

We don't tend to allow the packets in to the sites, so I think you'll 
pretty quickly want to get a script that generates the same submission 
data from Cisco access list logging.  If we can agree on a format, I'll 
ante that up as my contribution.

It might be very interesting to see what ISPs are the main sources
of "incidents" and forward the information to them. Perhaps
automatically. :)

This is my main reason for wanting originating-AS data.  I also think it 
gives us a chance to pressure the NSP/ISP/Carriers that we use to transit 
our data.  If we get to a point where blackholing is feasible, then 
that's a good thing, but that's not my intention with the request, and I 
don't think we're anywhere near feasibility for that step.  

It might make some useful data for getting corporate management
and ISP management and maybe even Feds to realize that, yes,
Dorothy, there is a problem. It might make useful data for
convincing people that dial-up is not secure. It might make
useful data for convincing cable service providers to think
about designing their crap better.

It would.

Originating AS of the apparent source of the packets.  It's time to start 
dragging providers into the mess in some tangential way.  If there are 
highly abusive networks, then that issue needs to be raised with those 
network operators.

Yep. It'd be _tempting_ to black hole them but I don't think
it's time (yet) for Internet vigilantism. _Yet_. We can't, _yet_
because we don't have good enough data to justify vigilantism.

I don't want to blackhole them, I want to read them a riot act, and I 
want them to start taking some accountability for their customers.  
Ultimately, I want *them* detecting the scans.  


Time both local and zulu (GMT) would also be good for overall trending.  

Good point. I figured we'd have the client submit its idea of the
time (and timezone) when it uploads records. Then we could use
patented subtraction technology to adjust the times.


Hmmm, can we put subtraction under the GPL? ;)

I also was thinking that the source of the data records would
be optional. A site uploading records could upload them with
its "tagged" addresses, or keyed hashes of the tagged addresses.
That wouldn't show up in the database for query, it'd just be
recorded by unique site ID.

Don't forget to add a "null address" key for sites that don't want to 
release any addresses for some reason or other who can still contribute 
useful data.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
                                                                     PSB#9280
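The submission format sketched across this exchange (a site ID, the client's local time together with a UTC rendering, the originating AS of the apparent source, and a source address submitted plain, as a keyed hash, or as a null-address key), generated from Cisco access-list log lines as Paul offers to do, as an added Python example that is not code from the thread, from NFR, or from any of the participants. The record field names, the prefix-to-AS table and its placeholder ASNs, the choice of HMAC-SHA256 for the keyed hash, and the sample log lines are all assumptions constructed for this example.

```python
"""Build scan-report submission records from Cisco IOS access-list log lines.

Added example, not code from the original thread.  Field names, the AS table
and the sample lines are constructed assumptions; the log line syntax is the
IOS %SEC-6-IPACCESSLOGP format for TCP/UDP access-list hits.
"""
import hashlib
import hmac
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# TCP/UDP access-list log line, e.g.
#   %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(4321) -> 198.51.100.5(23), 1 packet
# The router's own timestamp prefix depends on its "service timestamps"
# configuration, so the local time is passed in separately below.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Hypothetical prefix -> originating-AS table (placeholder ASNs from the
# RFC 5398 documentation range).  A real client would consult a routing view.
PREFIX_TO_AS = {
    "192.0.2.0/24": 64496,
    "203.0.113.0/24": 64497,
}


def originating_as(addr):
    """Longest-prefix match of addr against PREFIX_TO_AS; None if unknown."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, asn in PREFIX_TO_AS.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, asn)
    return best[1] if best else None


def tag_address(addr, mode, site_key=None):
    """Apply the site's chosen disclosure mode to an address.

    'plain'  - submit the address as seen
    'hashed' - submit a keyed hash (HMAC-SHA256 under the site's secret), so the
               collector can correlate repeats from one site without learning
               the address itself
    'null'   - submit the null-address key: the site releases no addresses
    """
    if mode == "plain":
        return addr
    if mode == "hashed":
        if not site_key:
            raise ValueError("hashed mode needs a site key")
        digest = hmac.new(site_key, addr.encode(), hashlib.sha256).hexdigest()
        return "h:" + digest[:32]
    if mode == "null":
        return "null"
    raise ValueError("unknown address mode: %s" % mode)


def build_record(line, local_time, site_id, mode="hashed", site_key=None):
    """Turn one ACL log line into a submission record; None if not an ACL hit."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    if local_time.tzinfo is None:
        raise ValueError("local_time must carry its timezone so UTC can be derived")
    return {
        "site": site_id,
        "time_local": local_time.isoformat(),
        "time_utc": local_time.astimezone(timezone.utc).isoformat(),
        "proto": m["proto"],
        "src": tag_address(m["src"], mode, site_key),
        # AS data is coarser than an address, so it is kept even in null mode.
        "src_as": originating_as(m["src"]),
        "sport": int(m["sport"]),
        "dport": int(m["dport"]),
        "action": m["action"],
        "packets": int(m["count"]),
    }


# Constructed sample input: one non-ACL message plus two denied telnet probes
# from the same source, stamped in US Eastern (UTC-4) on the date of this message.
SAMPLE_LINES = [
    "%LINK-3-UPDOWN: Interface Serial0, changed state to up",
    "%SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(4321) -> 198.51.100.5(23), 1 packet",
    "%SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(4322) -> 198.51.100.6(23), 3 packets",
]
SAMPLE_TIME = datetime(1999, 4, 30, 22, 43, 16, tzinfo=timezone(timedelta(hours=-4)))


def demo(mode="hashed"):
    """Build records for SAMPLE_LINES under the given disclosure mode."""
    key = b"example-site-secret"  # constructed; a real site keeps this private
    records = (build_record(l, SAMPLE_TIME, "site-0001", mode, key) for l in SAMPLE_LINES)
    return [r for r in records if r]


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Because the hash is keyed per site, two reports of the same address from one site collapse to the same token (so repeat scanners are still countable), while different sites produce unrelated tokens for the same address, which is the property the thread wants from "keyed hashes of the tagged addresses".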


