Auto ACL blocker

Brian R. Watters brwatters at absfoc.com
Tue Jan 18 21:13:55 UTC 2011


Agreed, time to live in the ACL is critical as well .. this is primary to be used to stop sweeps and penetration testing .. We have SNORT deployed now but the process is still manual on the back end and of course does not respond in the time required. 

----- Original Message -----
From: " Dorn Hetzel " < dorn @ hetzel .org> 
To: "Brian R. Watters " < brwatters @ absfoc .com> 
Cc: nanog @ nanog .org, "Ronald Bonica " < rbonica @juniper.net> 
Sent: Tuesday, January 18, 2011 1:01:43 PM 
Subject: Re: Auto ACL blocker 



One suspects this sort of automated defense should only be used against attack styles that eliminate the likelihood of a forged source ip and that the acl needs to be pruned and compacted for size. Nearby bad ips can be collected into a larger mask but there is then risk of collateral damage (how many bad source ips in a /24 or whatever before you nuke the whole thing for a while? Does the length of a prefixes "rap sheet" change its treatment? Etc) 
On Jan 18, 2011 3:03 PM, "Brian R. Watters " < brwatters @ absfoc .com > wrote: 
> Ron, 
> 
> I am sure any solution given enough time could be used against you, However my hope was that a whitelist could help in that regard however I know your correct. 
> 
> 
> ----- Original Message ----- 
> From: "Ronald Bonica " < rbonica @juniper.net > 
> To: "Brian R. Watters " < brwatters @ absfoc .com >, nanog @ nanog .org 
> Sent: Tuesday, January 18, 2011 11:55:28 AM 
> Subject: RE: Auto ACL blocker 
> 
> Brian, 
> 
> Have you thought about what a bad guy might do if he knew that you had such a policy deployed? Is there a way that the bad guy might turn the policy against you? 
> 
> Ron 
> 
>> -----Original Message----- 
>> From: Brian R. Watters [ mailto : brwatters @ absfoc .com ] 
>> Sent: Tuesday, January 18, 2011 2:12 PM 
>> To: nanog @ nanog .org 
>> Subject: Auto ACL blocker 
>> 
>> We are looking for the following solution. 
>> 
>> Honey pot that collects attacks against SSH/FTP and so on 
>> 
>> Said attacks are then sent to a master ACL on a edge Cisco router to 
>> block all traffic from these offenders .. 
>> 
>> Of course we would require a master whitelist as well as to not be 
>> blocked from our own networks. 
>> 
>> Any current solutions or ideas ?? 
>> 
>> -- 
>> 
>> BRW 
> 
> -- 
> 
> Brian R. Watters 
> Director 
> American Broadband Family of Companies 
> 5718 East Shields Ave 
> Fresno, CA. 93727 
> brwatters @ absfoc .com 
> http :// www . americanbroadbandservice .com 
> tel: 559-420-0205 
> fax:559-272-5266 
> toll free: 866-827-4638 
> 
> ABS offers T-1's starting at $289 in over 450 cities. Is your city on the list? Click here to find out. 
> 
> This message and any attachment(s) are solely for the use of intended recipients. They may contain privileged and/or confidential information legally protected from disclosure. If you are not the intended recipient, you are hereby notified that you received this e-mail in error and that any review, dissemination, distribution or copying of this e-mail and any attachment(s) is strictly prohibited. If you have received this e-mail in error, please contact the sender and delete the message and any attachment(s) from your system. Thank you for your cooperation. 
> 


-- 

Brian R. Watters 
Director 
American Broadband Family of Companies 
5718 East Shields Ave 
Fresno, CA. 93727 
brwatters @ absfoc .com 
http :// www . americanbroadbandservice .com 
tel: 559-420-0205 
fax:559-272-5266 
toll free: 866-827-4638 

ABS offers T-1's starting at $289 in over 450 cities. Is your city on the list? Click here to find out. 

This message and any attachment(s) are solely for the use of intended recipients. They may contain privileged and/or confidential information legally protected from disclosure. If you are not the intended recipient, you are hereby notified that you received this e-mail in error and that any review, dissemination, distribution or copying of this e-mail and any attachment(s) is strictly prohibited. If you have received this e-mail in error, please contact the sender and delete the message and any attachment(s) from your system. Thank you for your cooperation. 



More information about the NANOG mailing list