nanog mailing list archives

Re: The Internet's Immune System


From: Johannes Ullrich <jullrich () euclidian com>
Date: Wed, 12 Nov 2003 19:37:30 -0500



As far as reporting is concerned, we do have a number of ways you can
query our DShield data. First of all, by prefix (right now only /8, /16,
/24). But we do send out daily custom reports per request. Just send me
an e-mail.

There is also a test version of a report by ASN:
http://www.dshield.org/asreport.php
It's experimental and feedback is welcome. It is set up to be machine
parsable.




On Wed, 2003-11-12 at 18:56, Jamie Reid wrote:
It would be useful if these sites allowed you to query them with CIDR ranges to 
see if your site had originated any traffic that triggered their sensor arrays. The 
IDS community never seems to have wrapped its collective head around routing 
information. Looking up single IP addrs is just cosmetic. A real service would 
allow for concerned sites to check their entire address allocations. 

The solution we have takes a massive amount of data munging of a routing
table and is still experimental, but until attacks can be mapped to meaningful Internet
topographical information, the real value of these distributed IDS efforts cannot be fully 
exploited.  

I can foresee the argument that people shouldn't be able to look up other sites
which might be compromised, but if they are really so concerned, they should 
get their sites patched. 




--
Jamie.Reid, CISSP, jamie.reid () mbs gov on ca
Senior Security Specialist, Information Protection Centre 
Corporate Security, MBS  
416 327 2324 
"Bryan Bradsby" <Bryan.Bradsby () capnet state tx us> 11/12/03 04:25pm >>>

Devise a system that assumes owners of IP space WANT to know about problems.
report --open-proxy 192.168.1.1 <logfiles
and have a report sent to whoever needed to know about it.

http://www.Incidents.org
http://www.Dshield.org/howto.php
http://www.MyNetWatchman.com

-bryan bradsby
-- 
--------------------------------------------------------------
Johannes Ullrich                     jullrich () euclidian com
pgp key: http://johannes.homepc.org/PGPKEYS
--------------------------------------------------------------
   "We regret to inform you that we do not enable any of the 
    security functions within the routers that we install."
         support () covad net
--------------------------------------------------------------
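The thread asks for a service that checks a site's whole address allocation against sensor data rather than one IP at a time. The following is an added example, not code from the list posters or from DShield; it assumes a constructed "source_ip,hits" report format (the real asreport.php output is not shown on the page) and generalizes the /8, /16, /24 lookup to arbitrary CIDR allocations, attributing each reported source to its most specific matching prefix.

```python
import ipaddress
from collections import Counter

# Constructed sample sensor report, NOT the real DShield/asreport.php format.
# One "source_ip,hits" pair per line; '#' lines are comments.
SAMPLE_REPORT = """\
# source_ip,hits
203.0.113.17,42
203.0.113.200,3
198.51.100.9,11
192.0.2.77,5
"""


def parse_report(text):
    """Parse 'ip,hits' lines into a list of (ip_address, int)."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip_str, hits = line.split(",")
        rows.append((ipaddress.ip_address(ip_str), int(hits)))
    return rows


def hits_per_allocation(rows, allocations):
    """Sum reported hits per CIDR allocation.

    Allocations are tried longest-prefix first, so a source inside both a
    /24 and a more specific /25 is counted once, under the /25. Sources
    outside every allocation are ignored: they are somebody else's problem.
    """
    nets = sorted((ipaddress.ip_network(a) for a in allocations),
                  key=lambda n: n.prefixlen, reverse=True)
    totals = Counter()
    for addr, hits in rows:
        for net in nets:
            if addr in net:
                totals[str(net)] += hits
                break  # most specific matching allocation only
    return dict(totals)


if __name__ == "__main__":
    my_space = ["203.0.113.0/24", "203.0.113.0/25", "198.51.100.0/24"]
    for net, hits in hits_per_allocation(parse_report(SAMPLE_REPORT), my_space).items():
        print(f"{net:20} {hits:6d} hits reported from this allocation")
```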


