The Internet's Immune System

Christopher X. Candreva chris at westnet.com
Wed Nov 12 18:02:01 UTC 2003



On Sun, 2 Nov 2003, Paul Vixie wrote:

> so listen up.  just because many of the infected hosts won't be disinfected,
> don't assume that there's no value in tracking and reporting them, or that
> there's no reason to spend money listening to and acting on complaints about
> them.  the internet's immune system needs *more* resources, not fewer.

I've had an idea kicking around my head since Paul posted this. Most of the
reporting work seems to be centered around finding who to report problems
to.

I think we need to turn the problem around: Devise a system that assumes
owners of IP space WANT to know about problems. In simple terms, a system
that would let me issue a command such as  report --open-proxy 192.168.1.1
(or even  report --open-proxy 192.168.1.1 <logfiles )
and have a report sent to whoever needed to know about it.

To participate in this, I would have to run a problem-report server that
accepts reports on my IP space. It would be registered with some central
server, that refers problems to the proper server for that IP address, like
DNS.

This might be a NOC to NOC tool, or perhaps using registered PGP
signatures, reports from other NOCs could have more weight than those from
end users.

In any case, the idea is to allow automated testing based on reports,
aggregation of reports to weed out mistakes and errors, and provide a
mechanism for various firewalls, intrusion detection systems, etc to talk to
each other to solve problems as quickly as possible.

So in the above example, if I receive the report for 192.168.1.1 being an
open proxy, I might have my system configured, because that is a residential
DSL IP, to automatically do a full port scan on it to look for open proxies,
and if I confirm that it is open shut the line down, or just kick out a
ticket for someone to call the customer. Or, start a netflow analysis on it
to look for virus/worm traffic. Or not do anything until a certain number of
reports are received, weighted based on the ranking of PGP sigs.

Paul's use of the word immune system hit it on the head. An immune system
kicks in automatically to fight infection, and right now there isn't one on
the net.


==========================================================
Chris Candreva  -- chris at westnet.com -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
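
The referral and weighted-aggregation idea from the message above, as an added
example that is not part of the original post. The registry contents, host
names, weights, threshold and the sig_valid flag (standing in for PGP
verification done elsewhere) are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed registry: prefix -> report server (hypothetical host names).
REGISTRY = {
    "192.168.0.0/16": "reports.isp-a.example",
    "192.168.1.0/24": "reports.dsl.isp-a.example",
    "10.0.0.0/8": "reports.isp-b.example",
}

# Assumed weights; the post only says NOC reports could count for more
# than end-user reports.
WEIGHTS = {"noc": 3.0, "end-user": 1.0}
THRESHOLD = 4.0  # assumed score at which the address owner acts


def refer(ip):
    """Central referral: server for the most specific registered prefix."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, server in REGISTRY.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, server)
    return best[1] if best else None


class ReportServer:
    """Aggregates reports per (ip, problem); each reporter counts once."""

    def __init__(self):
        self.seen = defaultdict(dict)  # (ip, problem) -> {reporter: weight}

    def submit(self, ip, problem, reporter, reporter_class, sig_valid):
        # A report without a valid signature is treated as an end-user report.
        if not sig_valid:
            reporter_class = "end-user"
        key = (str(ipaddress.ip_address(ip)), problem)
        self.seen[key][reporter] = WEIGHTS.get(reporter_class, 0.0)
        return self.decide(key)

    def decide(self, key):
        # Hold until enough weighted, distinct reports agree.
        score = sum(self.seen[key].values())
        return "open-ticket" if score >= THRESHOLD else "hold"
```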


