DSL-IP Probes Curiousity..
batz
batsy at vapour.net
Fri Mar 14 07:17:02 UTC 2003
On Thu, 13 Mar 2003, McBurnett, Jim wrote:
:Will anyone answer this? I know you may not be
:able to comment due to legal concerns.. But I am curious..
I can answer, I just can't tell you who I do it for. ;) (the point
of the nickname, but I digress)
Short answer is: the larger the victim network, the less
likely a portscans will be followed up due to the increased
probability of being part of some worms random propagation
pattern, or the introduction of factors caused by the size
of the network.
What I have been trying to get done is a way of sorting
incoming attacks by netblock, so that cases can be built against
those netblocks (eventually ASNs ideally) . We can go to the ISP
with the alerts originating from them over a period of time, and
show that someone is making a concerted effort to violate our
network policies, and be able to provide them with ample evidence
instead of the cheesy dumps of isolated portscan alerts from IDS's
that they usually get.
Interestingly, the IDS alert sorting interfaces that I have seen
(cisco, iss, snort, acid, intellitactics etc.) do not seem to be
CIDR aware, or aware in a meaningful way which would facillitate
the kind of follow-up I just described.
They sort by lots of internal flags (src, dst, severity, type)
but they do not allow the aggregation of sources to enable the
co-ordination of a response with the offending network. It's like
they designed the software without understanding the value of the
information it was generating. The one blind spot in the query
types you can do on them is the one thing that would make them
generate valuable information. It's kind of a joke really.
(If any of those vendors are listening, I just gave you a million
dollar improvement to your product. Contact me off list on where to send
that bottle of Macallan, or for a good charity to donate to.)
So, as for your question, the answer is: maybe.
Cheers,
--
batz
More information about the NANOG
mailing list