North American Network Operators Group


Re: Hi, we're from the government and we're here to help (long)

  • From: Chris Brenton
  • Date: Mon Mar 13 05:21:37 2000

Howdy all,

Patrick Greenwell wrote:
> Suddenly, the list got very, very quiet. In fact, since I posted that
> message, there hasn't been a single post to the list. Empirically, this
> suggests to me that while everyone is quick to spend countless
> hours expressing an opinion on mailing lists, there is nobody willing to
> invest in making this happen.

I recently became associated with a security group working out of
Dartmouth College. The focus of this group has not only been on internal
security but issues that affect the Internet as a whole. The group
already has a pretty good amount of funding. I could probably score
enough backing and office space for a NOC that could address the issues
that are being discussed. While I doubt I could raise the $50M someone
suggested earlier, I could probably come up with enough for equipment, a
small staff and to maintain a number of guru types on a consulting

Let me run through what I'm thinking and ask people to either critique or
tell me I'm out in left field.

I'm thinking of an organization that has a front end similar to GIAC. If
you are unfamiliar with GIAC check out:

GIAC provides a location for people to submit log entries and intrusion
reports. The cool thing is there are a number of analysts (myself
included) that volunteer their time to answer questions and help people
understand what they are looking at. The important thing here is that
people receive immediate (or close to immediate) replies to their
queries. If a person has questions regarding some suspicious log
entries, they can run it past the team of analysts to see what they

Anything that looks interesting is then sanitized and recorded. The
results are then posted to the Web site for all to review. This gives
people a resource to consult when they are trying to figure out who or
what is whacking away at their perimeter. The only thing missing at GIAC
is a searchable archive which would be cool for referencing source IP
addresses and target ports. This would also provide a real time alert
mechanism as to what kinds of threats are making the rounds.

The real strength in this kind of a setup is the ability to correlate
attack patterns from multiple targets. While there are groups doing this
today, the information is not made public (at least not that I've been
able to find). A while back there were a few posts on the Incident list
from a number of ISPs. One or two basically came right out and stated
that they get so many incident reports that one or two reports on any
individual user do not necessarily mean they will take some kind of
action. I'm thinking that if the above collected data is being
correlated, we have a much better chance of spotting larger trends and
getting the bad guys shut down.

I'm also thinking that this organization could act as a central point of
contact in responding to events. There was a comment thrown out about
how it can be difficult to figure out who to contact during an
intrusion. Part of this organization's job could be cataloging these
contacts. True, the list would probably be outdated in short order, but
at least it's a starting point in trying to tie together the source and
target networks. I don't think it would be necessary to list every ISP,
just the major providers. The provider could then take care of dealing
with their downstream client.

My fear is that if we do not address these issues as a community,
government/law enforcement will eventually step in and try and take care
of it for us. One way or another these problems have to be addressed,
the question is who is going to do it.

Comments? I don't have all the answers but I'm wondering if people think
this would be a good place to start.

[email protected]

* Multiprotocol Network Design & Troubleshooting
* Mastering Network Security
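The sanitize-and-record archive and the cross-site correlation described in the message above, as an added example that is not part of the original post and is not GIAC's own tooling. The log line format, the site names and all addresses are constructed for the example (sources use RFC 5737 documentation ranges); a real submission front end would accept whatever firewall or IDS format the reporter has. The point it shows is the one the post makes about ISP thresholds: two hits from one source against a single site stay below the bar, while a source that is seen by several independent reporters surfaces as a trend even though each reporter only saw it once or twice.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of firewall log lines as four hypothetical sites might
# submit them. Format, site names and addresses are all invented here.
SAMPLE_LOGS = """\
site=alpha 2000-03-12T01:10:02 src=203.0.113.7 dst=10.1.1.5 dport=111 proto=tcp
site=alpha 2000-03-12T01:10:03 src=203.0.113.7 dst=10.1.1.6 dport=111 proto=tcp
site=bravo 2000-03-12T01:42:17 src=203.0.113.7 dst=172.16.4.2 dport=111 proto=tcp
site=charlie 2000-03-12T02:05:44 src=203.0.113.7 dst=192.168.9.9 dport=111 proto=tcp
site=bravo 2000-03-12T03:00:00 src=198.51.100.20 dst=172.16.4.3 dport=53 proto=udp
site=charlie 2000-03-12T03:12:31 src=198.51.100.20 dst=192.168.9.1 dport=53 proto=udp
site=delta 2000-03-12T04:30:10 src=198.51.100.99 dst=10.9.0.2 dport=22 proto=tcp
site=delta 2000-03-12T04:30:11 src=198.51.100.99 dst=10.9.0.2 dport=22 proto=tcp
this line is garbage and must be skipped rather than crash the intake
"""

# Strict full-line match so malformed submissions are dropped, not half-parsed.
LINE_RE = re.compile(
    r"site=(\S+) (\S+) src=(\d{1,3}(?:\.\d{1,3}){3}) dst=(\d{1,3}(?:\.\d{1,3}){3}) "
    r"dport=(\d{1,5}) proto=(\S+)"
)


@dataclass(frozen=True)
class Report:
    site: str    # reporting organisation (who saw it)
    ts: str      # timestamp as submitted
    src: str     # source address of the probe/attack
    dst: str     # target address; replaced before the record is published
    dport: int   # target port
    proto: str


def parse(text: str) -> list[Report]:
    """Parse submitted log lines; unparseable lines are silently skipped."""
    reports = []
    for line in text.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if m:
            site, ts, src, dst, dport, proto = m.groups()
            reports.append(Report(site, ts, src, dst, int(dport), proto))
    return reports


def sanitize(r: Report) -> Report:
    """Replace the victim's own address with a site-scoped label so the public
    archive never exposes a reporter's internal addressing. Source address and
    target port are kept, since those are what other sites search on."""
    return Report(r.site, r.ts, r.src, f"{r.site}-host", r.dport, r.proto)


def build_archive(text: str) -> list[Report]:
    """Intake path: parse, then sanitize every record before it is stored."""
    return [sanitize(r) for r in parse(text)]


def search(archive: list[Report], src: str | None = None,
           dport: int | None = None) -> list[Report]:
    """The searchable archive the post asks for: look up by source IP and/or
    target port."""
    return [r for r in archive
            if (src is None or r.src == src) and (dport is None or r.dport == dport)]


def correlate(archive: list[Report], min_sites: int = 2) -> list[dict]:
    """Group records by (source IP, target port) and keep only the pairs seen
    by at least min_sites distinct reporters. This is the cross-site view a
    single ISP abuse desk cannot get from its own complaints."""
    sites: dict[tuple[str, int], set[str]] = defaultdict(set)
    hits: dict[tuple[str, int], int] = defaultdict(int)
    for r in archive:
        key = (r.src, r.dport)
        sites[key].add(r.site)
        hits[key] += 1
    trends = [
        {"src": src, "dport": dport, "sites": sorted(s), "hits": hits[(src, dport)]}
        for (src, dport), s in sites.items() if len(s) >= min_sites
    ]
    # Widest-spread sources first, then by raw volume, then by address.
    trends.sort(key=lambda t: (-len(t["sites"]), -t["hits"], t["src"]))
    return trends


if __name__ == "__main__":
    archive = build_archive(SAMPLE_LOGS)
    for t in correlate(archive):
        print(f"{t['src']}:{t['dport']} seen by {len(t['sites'])} sites "
              f"({', '.join(t['sites'])}), {t['hits']} hits")
    print(f"{len(search(archive, dport=111))} archived records targeting port 111")
```

On the constructed input, 203.0.113.7 probing port 111 is reported by three sites and 198.51.100.20 probing port 53 by two; 198.51.100.99 has the same number of hits as the latter but against a single site, so it does not appear until `min_sites` is lowered to 1. Every record in the archive carries a `<site>-host` label in place of the real target address, which is the sanitization step the post describes before results are posted publicly.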