Security Intelligence [Was: Re: Netblock reassigned from Chile to US ISP...]

Sean Donelan sean at
Sun Dec 21 23:34:42 UTC 2008

On Sat, 20 Dec 2008, Randy Bush wrote:
> unfortunately snort does not really scale to a larger provider.  and, to the 
> best of my poor knowledge, good open source tools to black-hole/redirect 
> botted users are not generally available. universities have some that are 
> good at campus and enterprise scale.
> cymru and a few security researchers responded privately to my plea for solid 
> open source tool sets and refs.  knowing the folk involved, maybe we'll see 
> some motion.  patience is a virtue, within limits.

Pretty much the same thing I've been telling "security vendors" since 
2003.  In 2003 the hard problem wasn't, and still isn't, detection (IDS, 
AV scanners, honeypots, etc), its customer remediation (fixing things). 
Unfortunately, if all you are selling are hammers....  A security vendor's 
sale person concept of "scaling" is "more commission."

You may need to leave the network engineer's world and start talking to
the customer care engineer's side of the house. Its a different set of
systems, and a different set of scaling issues. How do you notify 50 
million customers about an issue?  Marketing people probably know how to 
do it better than network engineers.

1. Add flags to your customer support systems about different customer 
status, so when customers contact your call centers the agents can start
on the best script for "known" problems.

2. Include customer status flags on your portals (details behind some 
level of authentication in case the account is being shared).

3. Obtain and communicate with your customers through multiple channels
respecting their preferences (e.g. e-mail, alternate e-mail, postal mail,
telephone).  Even non-US ISPs may want to look at the US FTC "red flag" 

Why do I mention those things?  Because I've found out (mostly the hard
way) the remediation part of the process is the bottleneck.  It doesn't
matter how many bad things you detect, if you can only fix a limited
number at a time. Detecting stuff below the remediation threshold is 
going to be wasted; and those resources probably would have been better 
used for more remediation efforts.

Yes, the bad guys may know that too.  But if we got to the point where the 
bad guys actually worry about staying below the remediation threshold; 
that would be more progress than now.

Hint: if you could prove to a large ISP you could shave 60 seconds off the 
average customer care call by fixing security problems faster; they would 
probably be beating down your door begging for it.

More information about the NANOG mailing list