What could have been done differently?
Eliot Lear
lear at cisco.com
Tue Jan 28 13:13:51 UTC 2003
Sean,
Ultimately, all mass-distributed software is vulnerable to software
bugs. Much as we all like to bash Microsoft, the same problem can and
has occurred through buffer overruns.
One thing that companies can do to mitigate a failure is to detect it
faster, and stop the source. Since you don't know what the failure will
look like, the best you can do is determine what is ``nominal'' through
profiling, and use IDSes to report to NOCs for considered action.
There are two reasons companies don't want to do this:
1. It's hard (and expensive). Profiling nominal means installing IDSes
everywhere in one's environment at a time when you think things are
actually working and making assumptions that *other* behavior is to be
reported. Worse, network behavior is often cyclical, and you need to
know how that cycle will impact what is nominal. Indeed you can have a
daily, weekly, monthly, quarterly, and annual cycle. Add to this
ongoing software deployment and you have something of a moving target.
2. It doesn't solve all attacks. Only attacks that break the profile
will be captured. Those are going to be those that use new or unusual
ports, existing "bad" signatures, or excessive bandwidth.
On the other hand, in *some* environments, IDS and an active NOC may
improve predictability by reducing time needed to diagnose the problem.
Who knows? Perhaps some people did benefit through these methods.
I'm very curious in netmatrix's view of the whole matter, as compared to
comparable events. NANOG presentation, Peter?
Eliot
More information about the NANOG
mailing list