White House to Propose System for Wide Monitoring of Internet (fwd)

batz batsy at vapour.net
Mon Dec 23 18:26:16 UTC 2002


On Sun, 22 Dec 2002, Sean Donelan wrote:

:On any major backbone the IDS function becomes
:
:GlobalIDSFunction() {
:   while (1) {
:	printf("Attack Detected!");
:   }
:}
:
:Do you really want an automatic wiretap installed on your line
:every time an attack is detected?  Have you recently connected a
:system to the Internet that hasn't been attacked?

It depends on the attack you are looking for. All signatures are not
created equal. Also, the actual logic is a little more like:

For each attack_source_ip, if all attacks in attack_source are 
the same, send low alert. If attacks from any single attack_source 
are different, with a range of more than 2 distinct attacks, 
look into it. attack_source can be anything from a /32 to a /24, 
with monthly reports breaking it down into the diversity of attacks
originating from certain ASNs so that follow-up can be done with 
the ISP. 

The idea being that you only respond to incidents where follow-up 
may yield meaningful results. Those incidents can be recognized
by the diversity of attacks originating from a single area and
followed up based on their ISP. The diversity of attacks will 
provide compelling evidence that there is someone making a 
concerted effort to crack a network, instead of just worm 
activity. 

You will miss script kids that bounce all over their compromised 
machines around the world, but even if you collected all the information
about those attacks, there is little value in tracking them down anyway.
The interjurisdictional administrative hell makes it more cost 
effective to just lock down your network than to re-enact The Cuckoo's 
Egg.  

Back to the law enforcement access issue, they could really just be 
collecting intelligence from the sensors, to inform their decision 
on who to follow up with an investigation on. IDSs aren't as useful 
for giving evidence (IMHO) because there are too many variables
(like asymmetry, log integrity, chain of evidence etc.) to take into
account. What they can do very well is tell you where suspicious 
activity is originating from and tell you whether further analysis 
is warranted. E.g., whether to have someone seize the machine as 
physical evidence, as that's where it's all got to come from 
for prosecution anyway, or to monitor that site's traffic for
more information before launching a full seizure. 

So, the value of an IDS, or law enforcement access to IDS-like
devices for sifting information, is to assess who they should be 
investigating, not to be used as an investigative tool by itself. 

As for how they can do it, they can't put it in a core somewhere. 
They would have to put inexpensive ones connected as close 
to the customer equipment as possible. 
This could be at the edge of a CUG as some people call it, or 
as Chris Morrow mentioned, one in each POP. 

As far as doing it at an exchange point, it is still possible to 
redirect all traffic originating from within a large ISP and
destined to a single site through a secondary GigE monitoring 
network. I would be surprised if anyone currently sustains 500Mb/s 
of traffic from one of their customers to any single IP address that 
is outside their own network. It doesn't matter if I am wrong, 
as for the purposes of monitoring for further information, 
it still works. 

Adding them to POPs would make sense as there is a geographical
basis for their distribution, something law enforcement likes 
and understands quite well, as that's how their jurisdictions
are laid out. 

The reason I am pursuing this is that I would hate for 
people to waste their energy insisting that ubiquitous intelligence
and law enforcement access to Internet traffic is impossible. 

It can be made very possible, just not in the way, or for the 
same reasons, some people might imagine it. 

-- 
batz
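The per-source triage logic batz sketches above (one signature per source: low alert; more than two distinct signatures from one source: look into it; sources aggregated anywhere from a /32 to a /24; a periodic breakdown by ASN for ISP follow-up), worked through as an added example. This code is not from the original post or from any NANOG participant. The alert records, the prefix-to-ASN table and the signature names are constructed sample data, and the "watch" level for exactly two distinct signatures is an assumption, since the post only specifies the one-signature and more-than-two cases.

```python
"""Diversity-based triage of IDS alerts (added example; constructed data)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample IDS alerts: (source address, signature name).
# 198.51.100.x shows a source whose alerts spread across two hosts in
# one /24, which only stands out once sources are aggregated.
SAMPLE_ALERTS = [
    ("192.0.2.10", "worm-probe"),
    ("192.0.2.10", "worm-probe"),
    ("192.0.2.77", "worm-probe"),
    ("198.51.100.5", "portscan"),
    ("198.51.100.5", "ssh-bruteforce"),
    ("198.51.100.9", "smtp-relay-probe"),
    ("203.0.113.4", "portscan"),
    ("203.0.113.4", "portscan"),
    ("203.0.113.4", "ftp-overflow-attempt"),
]

# Constructed prefix -> ASN table (hypothetical; a deployment would use a
# routing table or whois data). Private-use ASNs from RFC 6996.
SAMPLE_ASN_TABLE = {
    ip_network("192.0.2.0/24"): 64496,
    ip_network("198.51.100.0/24"): 64497,
    ip_network("203.0.113.0/24"): 64498,
}


def aggregate_key(ip, prefixlen=24):
    """Collapse a source address to its aggregate, anywhere from /32 to /24."""
    if not 24 <= prefixlen <= 32:
        raise ValueError("aggregate must be between /24 and /32")
    return str(ip_network(f"{ip}/{prefixlen}", strict=False))


def triage(alerts, prefixlen=24, threshold=2):
    """Return {aggregate: (level, sorted distinct signatures)}.

    level is "low" when every alert from the source carries the same
    signature, "review" when the source shows more than `threshold`
    distinct signatures, and "watch" (an assumption) in between.
    """
    sigs_by_source = defaultdict(set)
    for src, sig in alerts:
        sigs_by_source[aggregate_key(src, prefixlen)].add(sig)

    result = {}
    for src, sigs in sigs_by_source.items():
        if len(sigs) == 1:
            level = "low"
        elif len(sigs) > threshold:
            level = "review"
        else:
            level = "watch"
        result[src] = (level, sorted(sigs))
    return result


def lookup_asn(ip, asn_table):
    """Longest-prefix match of an address against the prefix -> ASN table."""
    addr = ip_address(ip)
    best = None
    for net, asn in asn_table.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None


def asn_report(alerts, asn_table):
    """Distinct signatures seen per origin ASN, for the periodic ISP follow-up."""
    report = defaultdict(set)
    for src, sig in alerts:
        asn = lookup_asn(src, asn_table)
        report["unknown" if asn is None else asn].add(sig)
    return {asn: sorted(sigs) for asn, sigs in report.items()}


if __name__ == "__main__":
    for src, (level, sigs) in sorted(triage(SAMPLE_ALERTS).items()):
        print(f"{src:<18} {level:<7} {', '.join(sigs)}")
    print()
    for asn, sigs in sorted(asn_report(SAMPLE_ALERTS, SAMPLE_ASN_TABLE).items()):
        print(f"AS{asn}: {len(sigs)} distinct signature(s): {', '.join(sigs)}")
```

Running `triage(SAMPLE_ALERTS, prefixlen=32)` instead of the default /24 shows the point of the aggregate: no single host in 198.51.100.0/24 crosses the threshold on its own, but the /24 does, which is the "diversity from a single area" the post describes.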
