nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

From: Mark Andrews <marka () isc org>
Date: Tue, 27 Sep 2016 10:19:24 +1000

In message <CAL9jLaZNBP9GWFzHnB1AGG8MRnK3dH=qeQb_KeigKc198zDaJw () mail gmail com>, Christopher Morrow writes:

On Mon, Sep 26, 2016 at 7:49 PM, Mark Andrews <marka () isc org> wrote:



Giving them real time access to the anomalous traffic log feed for
their residence would also help.  They or the specialist they bring
in will be able to use that to trace back the problem.



wouldn't this work better as a standard bit of CPE software capability?


While this would be useful, it is not sufficient.  This may or may
not match what the ISP is detecting and basing its reports to the
customer on.

Such a feed could also include MTA logs for email nominally from
the customer. etc.   If we want customers to clean up networks, use
of the ISP's services, they need to be able to see what is going
wrong as far as the ISP is concerned.

You guys complain when you don't get good data to chase down abuse
reports.  Your customers need the same data.  The more you can
automate this the cheaper it is to provide.  Additional the more
you inform your customers, the better they will feel about you as
a ISP, and the less abuse reports you will get from external sources
as a compromised box can do anything.  It's in your long term
interests to get that compromised box fixed / removed.

Yes, there will be setup / development costs.


wouldn't something as simple as netflow/sflow/ipfix synthesized on the CPE
and kept for ~30mins (just guessing) in a circular buffer be 'good enough'
to present a pretty clear UI to the user?

ip/mac/vendor sending (webtraffic|email|probes) to destination-name
[checkbox]
<repeat>


select those youd' like to block [clickhere]

This really doesn't seem hard, to present in a fairly straight forward
manner... sure 'all cpe' (or 'a bunch of cpe') have to adopt something
similar to this approach... but on the other hand:
  "At least my ISP isn't snooping on all my traffic"



-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org
Previous By Date Next
Previous By Thread Next

Current thread: