Krebs on Security booted off Akamai network after DDoS attack proves pricey

• Previous message (by thread): Krebs on Security booted off Akamai network after DDoS attack proves pricey
• Next message (by thread): Krebs on Security booted off Akamai network after DDoS attack proves pricey
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In message <CAL9jLaZNBP9GWFzHnB1AGG8MRnK3dH=qeQb_KeigKc198zDaJw at mail.gmail.com>, Christopher Morrow writes:
> On Mon, Sep 26, 2016 at 7:49 PM, Mark Andrews <marka at isc.org> wrote:
> 
> >
> > Giving them real time access to the anomalous traffic log feed for
> > their residence would also help.  They or the specialist they bring
> > in will be able to use that to trace back the problem.
> >
> >
> wouldn't this work better as a standard bit of CPE software capability?

While this would be useful, it is not sufficient.  This may or may
not match what the ISP is detecting and basing its reports to the
customer on.

Such a feed could also include MTA logs for email nominally from
the customer. etc.   If we want customers to clean up networks, use
of the ISP's services, they need to be able to see what is going
wrong as far as the ISP is concerned.

You guys complain when you don't get good data to chase down abuse
reports.  Your customers need the same data.  The more you can
automate this the cheaper it is to provide.  Additional the more
you inform your customers, the better they will feel about you as
a ISP, and the less abuse reports you will get from external sources
as a compromised box can do anything.  It's in your long term
interests to get that compromised box fixed / removed.

Yes, there will be setup / development costs.

> wouldn't something as simple as netflow/sflow/ipfix synthesized on the CPE
> and kept for ~30mins (just guessing) in a circular buffer be 'good enough'
> to present a pretty clear UI to the user?
> 
> ip/mac/vendor sending (webtraffic|email|probes) to destination-name
> [checkbox]
> <repeat>
> 
> 
> select those youd' like to block [clickhere]
> 
> This really doesn't seem hard, to present in a fairly straight forward
> manner... sure 'all cpe' (or 'a bunch of cpe') have to adopt something
> similar to this approach... but on the other hand:
>   "At least my ISP isn't snooping on all my traffic"
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

• Previous message (by thread): Krebs on Security booted off Akamai network after DDoS attack proves pricey
• Next message (by thread): Krebs on Security booted off Akamai network after DDoS attack proves pricey
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]