nanog mailing list archives
Re: The Internet's Immune System
From: "David A. Ulevitch" <davidu () everydns net>
Date: Wed, 12 Nov 2003 12:15:06 -0600
Christopher X. Candreva wrote:
So in the above example, if I receive the report for 192.168.1.1 being an open proxy, I might have my system configured, because that is a residential DSL IP, to automatically do a full port scan on it to look for open proxies, and if I confirm that it is open shut the line down, or just kick out a ticket for someone to call the customer. Or, start a netflow analysis on it to look for virus/worm traffic. Or not do anything until a certain number of reports are received, weighted based on the ranking of PGP sigs.
That's a start, but think about this. Worms are fast now. [1] Let's say you have 30 seconds to stop a worm from the time it hits the internet until the time it's fully propagated to the point of serious network disruption.
Automated techniques are the only thing that will stop it, but is your idea "fast enough?" I don't think so. Relying on user reports is good for compromises and spambots but it won't do anything to stop CodeRed or Nimda.
It has to automatically fight it, it has to be accurate and it has to be fast. Paul's use of the word immune system hit it on the head. An immune system kicks in automatically to fight infection, and right now there isn't one on the net.
I don't think anything comes close to that today.
-davidu

[1]: http://www.cs.berkeley.edu/~nweaver/cdc.web/

----------------------------------------------------
David A. Ulevitch - Founder, EveryDNS.Net
Washington University in St. Louis
http://david.ulevitch.com -- http://everydns.net
----------------------------------------------------