nanog mailing list archives
Re: What could have been done differently?
From: Eliot Lear <lear () cisco com>
Date: Tue, 28 Jan 2003 05:13:51 -0800
Sean,
Ultimately, all mass-distributed software is vulnerable to software bugs. Much as we all like to bash Microsoft, the same problem can and has occurred through buffer overruns.
One thing that companies can do to mitigate a failure is to detect it faster, and stop the source. Since you don't know what the failure will look like, the best you can do is determine what is ``nominal'' through profiling, and use IDSes to report to NOCs for considered action.
There are two reasons companies don't want to do this:
1. It's hard (and expensive). Profiling nominal means installing IDSes everywhere in one's environment at a time when you think things are actually working and making assumptions that *other* behavior is to be reported. Worse, network behavior is often cyclical, and you need to know how that cycle will impact what is nominal. Indeed you can have a daily, weekly, monthly, quarterly, and annual cycle. Add to this ongoing software deployment and you have something of a moving target.
2. It doesn't solve all attacks. Only attacks that break the profile will be captured. Those are going to be those that use new or unusual ports, existing "bad" signatures, or excessive bandwidth.
On the other hand, in *some* environments, IDS and an active NOC may improve predictability by reducing time needed to diagnose the problem. Who knows? Perhaps some people did benefit through these methods. I'm very curious about netmatrix's view of the whole matter, as compared to comparable events. NANOG presentation, Peter?
Eliot
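The profiling approach described in the message above, sketched as an added example that is not part of the original post: a baseline keyed by hour-of-week, so the daily and weekly cycles are part of what counts as nominal, that reports unseen destination ports and excessive bandwidth. The class and function names, the thresholds, the port set and the traffic samples are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

class NominalProfile:
    """Traffic baseline keyed by hour-of-week, so daily and weekly cycles count as nominal."""

    def __init__(self, k=4.0, min_samples=3):
        self.k = k                      # assumed alert threshold, in deviations above the mean
        self.min_samples = min_samples  # assumed minimum history before a slot is trusted
        self.volume = {}                # hour-of-week slot -> observed MB per hour
        self.ports = set()              # destination ports seen while profiling

    @staticmethod
    def slot(ts):
        return ts.weekday() * 24 + ts.hour

    def learn(self, ts, mbytes, dst_ports):
        self.volume.setdefault(self.slot(ts), []).append(mbytes)
        self.ports.update(dst_ports)

    def check(self, ts, mbytes, dst_ports):
        """Return the list of profile violations for one hour of traffic."""
        alerts = []
        unseen = sorted(set(dst_ports) - self.ports)
        if unseen:
            alerts.append(("new_port", unseen))
        hist = self.volume.get(self.slot(ts), [])
        if len(hist) < self.min_samples:
            alerts.append(("no_baseline", self.slot(ts)))
            return alerts
        mu = mean(hist)
        spread = max(pstdev(hist), 0.05 * mu)  # floor so a very flat history is not hair-trigger
        if mbytes > mu + self.k * spread:
            alerts.append(("excess_bandwidth", mbytes))
        return alerts

def build_constructed_profile():
    """Four weeks of constructed hourly samples: busy weekday office hours, quiet otherwise."""
    profile = NominalProfile()
    start = datetime(2003, 1, 6)  # a Monday
    for h in range(4 * 7 * 24):
        ts = start + timedelta(hours=h)
        busy = ts.weekday() < 5 and 9 <= ts.hour < 17
        profile.learn(ts, (900 if busy else 100) + h % 5, {25, 53, 80, 443})
    return profile
```

The same 905 MB hour is nominal on a Tuesday morning and an alert at 03:00 on a Sunday, while traffic that stays on known ports and inside the slot's normal volume produces no alert at all, which is the limitation in point 2.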