North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: The Internet's Immune System
It would be useful if these sites allowed you to query them with CIDR ranges to see if your site had originated any traffic that triggered their sensor arrays. The IDS community never seems to have wrapped its collective head around routing information. Looking up single IP addrs is just cosmetic. A real service would allow for concerned sites to check their entire address allocations. The solution we have takes a massive amount of data munging of a routing table and is still experimental, but until attacks can be mapped to meaningful Internet topographical information, the real value of these distributed IDS efforts cannot be fully exploited. I can forsee the argument that people shouldn't be able to look up other sites which might be compromised, but if they are really so concerned, they should get their sites patched. -- Jamie.Reid, CISSP, [email protected] Senior Security Specialist, Information Protection Centre Corporate Security, MBS 416 327 2324 >>> "Bryan Bradsby" <[email protected]> 11/12/03 04:25pm >>> > Devise a system that assumes owners of IP space WANT to know about problems. > report --open-proxy 192.168.1.1 <logfiles > and have a report sent to whoever needed to know about it. http://www.Incidents.org http://www.Dshield.org/howto.php http://www.MyNetWatchman.com -bryan bradsby <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META http-equiv=Content-Type content="text/html; charset=windows-1252"> <META content="MSHTML 6.00.2800.1226" name=GENERATOR></HEAD> <BODY style="MARGIN-TOP: 2px; FONT: 8pt Tahoma; MARGIN-LEFT: 2px"> <DIV><FONT size=1></FONT> </DIV> <DIV><FONT size=1>It would be useful if these sites allowed you to query them with CIDR ranges to </FONT></DIV> <DIV><FONT size=1>see if your site had originated any traffic that triggered their sensor arrays. The </FONT></DIV> <DIV><FONT size=1>IDS community never seems to have wrapped its collective head around routing </FONT></DIV> <DIV><FONT size=1>information. Looking up single IP addrs is just cosmetic. A real service would </FONT></DIV> <DIV><FONT size=1>allow for concerned sites to check their entire address allocations. </FONT></DIV> <DIV><FONT size=1></FONT> </DIV> <DIV><FONT size=1>The solution we have takes a massive amount of data munging of a routing</FONT></DIV> <DIV><FONT size=1>table and is still experimental, but until attacks can be mapped to meaningful Internet</FONT></DIV> <DIV><FONT size=1>topographical information, the real value of these distributed IDS efforts cannot be fully </FONT></DIV> <DIV><FONT size=1>exploited. </FONT></DIV> <DIV><FONT size=1></FONT> </DIV> <DIV><FONT size=1>I can forsee the argument that people shouldn't be able to look up other sites</FONT></DIV> <DIV><FONT size=1>which might be compromised, but if they are really so concerned, they should </FONT></DIV> <DIV><FONT size=1>get their sites patched. </FONT></DIV> <DIV><FONT size=1></FONT> </DIV><FONT size=1></FONT> <DIV><BR> </DIV> <DIV> </DIV> <DIV>--<BR>Jamie.Reid, CISSP, <A href="mailto:[email protected]">[email protected]</A><BR>Senior Security Specialist, Information Protection Centre <BR>Corporate Security, MBS <BR>416 327 2324 <BR>>>> "Bryan Bradsby" <[email protected]> 11/12/03 04:25pm >>><BR><BR>> Devise a system that assumes owners of IP space WANT to know about problems.<BR>> report --open-proxy 192.168.1.1 <logfiles<BR>> and have a report sent to whoever needed to know about it.<BR><BR><A href="http://www.Incidents.org">http://www.Incidents.org</A><BR><A href="http://www.Dshield.org/howto.php">http://www.Dshield.org/howto.php</A><BR><A href="http://www.MyNetWatchman.com">http://www.MyNetWatchman.com</A><BR><BR>-bryan bradsby<BR><BR></DIV></BODY></HTML>
|