advise on network security report

Gadi Evron ge at
Wed Nov 1 08:36:24 UTC 2006

On Tue, 31 Oct 2006, Rick Wesson wrote:
> I beg to differ, wither I aggregate my announcements does not impact the 
> $50B charge identity theft puts on the US economy.
> would it assist if I associated a dollar value for each bot hosted, we 
> can estimate the number of credit cards stolen per bot and extrapolate 
> in to something with some zeros on it.

I experimented with a lot of topics on NANOG which the charter suggests,
and found that botnets and $-value only work if they directly impact an
ISP (not its users or immense corporate networks), meaning - something
which helps/stops an ISP from running. I.e., $$$ loss to the ISP.

$ value to the US economy just fascilitates faster move toward the usual
and inevitable forking of the thread and flaming.

> > Sharing summaries to communities like dshield, NSP-SEC, DA, SANs and
> > other security mitigation communities along with a subscription web page
> > that would allow an organization to get enough details to take action.
> nsp-sec players still won't let us in their sand-box... but we will 
> share to the communities you have enumerated.

You heard what people here want/don't want, do your thing. From my
experience, you also got about 10-20 emails off-list, in support. Most
flames come on-list.

Openly available data that will show us which networks we need to worry
about will be valuable.

In the C&C report we now have "networks with 100% resolved". Two years ago
we wouldn't have even considered that category. We didn't even consider
using exact numbers due to "help bad guys scare". We quantified it, found
out what's useful (what ISPs want/ISPs REALLY don't want), and what
would be useless.

Of your data, do you have information which can tell us what ISPs keep
sending out spam despite of continued listing/reporting? Can you tell us
what ISPs do real good work?

A not-too-often coming report would be very interesting, especially
because it is public, if you can make it reliable. For more exact and
regular figures, I'd say go with a private feed.

It is possible we are all wrong. Start with once a month and grow to even
once a day if we find it's just what we have all been looking for.

> -rick


More information about the NANOG mailing list