North American Network Operators Group
Re: Arbor Networks DoS defense product
> What about timing? What about breaking up
> segments of the network to be scanned by different hosts?

It's really a matter of getting a sizable 'line mine net' up. With dshield, I hope to ultimately have a couple in each AS, probably with some local aggregation. The trick is that you use other people's line mines. It doesn't help you to use your own. Scan & exploit often come in one package, so by the time you figure out you are scanned, you probably already lost a few hosts. The trick with distributed (or 'collaborative', as I think it is better called) intrusion detection is that whoever gets scanned first tells everyone else.

Also: this has to be automated. Because whoever gets hit first is probably too busy cleaning up to worry about posting all the gory details on this or any other list.

> How many
> hits on the linemines constitute blocking? Are you blocking hosts or
> networks?

Up to you... Setting too much of a policy would make the system predictable and vulnerable. (Attacker knows: only scan 99 hosts from each zombie...)

> Either way, what about dynamic ips?

Blocking a network will take care of them. Other than that: for a DSL/cable line the IP will not change much, and for a dialup line they would have to hang up & dial a lot to get a good IP distribution.

> What about scans done
> from different networks other than that which the supposed attacker is
> originating from.

Well, then these networks are marked as "attackers", which is OK. They can clean up their systems and enjoy full access again.

> It's universities, unsecured wireless LANs, etc.

Same thing: if you run an unsecured wireless network, maybe you shouldn't have given it access to the net in the first place.
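The collaborative detection described in the post (whoever gets scanned first tells everyone else; block decisions made on hits across many sensors; escalate to a network block when dynamic IPs shift around) can be sketched as a small aggregator. The code below is an added illustration, not code from the poster, dshield or Arbor: the sensor names, source addresses, timestamps and the `flagged_sources` / `block_decision` helpers are all constructed for the example, and the thresholds are plain parameters rather than any published policy.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sensor reports from several independent "line mine" hosts.
# Each tuple is (reporting_sensor, source_ip_seen_scanning, unix_timestamp).
REPORTS = [
    ("sensor-a", "198.51.100.7", 1000),   # one source, three sensors, 90 s apart
    ("sensor-b", "198.51.100.7", 1040),
    ("sensor-c", "198.51.100.7", 1090),
    ("sensor-a", "198.51.100.9", 1200),   # second host in the same /24
    ("sensor-b", "198.51.100.9", 1210),
    ("sensor-d", "198.51.100.9", 1300),
    ("sensor-a", "203.0.113.5", 1000),    # many hits, but only ONE sensor saw it
    ("sensor-a", "203.0.113.5", 1010),
    ("sensor-a", "203.0.113.5", 1020),
    ("sensor-a", "203.0.113.5", 1030),
    ("sensor-a", "192.0.2.44", 1000),     # three sensors, but spread over hours
    ("sensor-b", "192.0.2.44", 4000),
    ("sensor-c", "192.0.2.44", 8000),
]


def flagged_sources(reports, window=600, min_sensors=3):
    """Return source IPs reported by at least `min_sensors` distinct sensors
    within some `window`-second span.  Requiring several independent sensors
    is what makes other people's line mines useful: a single site's own
    sensor firing repeatedly is not corroboration."""
    by_src = defaultdict(list)
    for sensor, src, ts in reports:
        by_src[src].append((ts, sensor))

    flagged = set()
    for src, hits in by_src.items():
        hits.sort()
        # Slide a window ending at each report and count distinct reporters.
        for end_ts, _ in hits:
            sensors = {s for ts, s in hits if end_ts - window <= ts <= end_ts}
            if len(sensors) >= min_sensors:
                flagged.add(src)
                break
    return flagged


def block_decision(flagged, net_prefix=24, min_hosts_per_net=2):
    """Decide between host and network blocks.  When several flagged hosts
    share one prefix (typical of a dynamic-IP pool) the whole prefix is
    blocked instead of chasing individual addresses."""
    by_net = defaultdict(set)
    for src in flagged:
        net = ip_network(f"{src}/{net_prefix}", strict=False)
        by_net[net].add(src)

    hosts, nets = set(), set()
    for net, members in by_net.items():
        if len(members) >= min_hosts_per_net:
            nets.add(str(net))
        else:
            hosts |= members
    return {"hosts": hosts, "networks": nets}


def run(reports=REPORTS, **thresholds):
    """Full pipeline: corroborated sources -> host/network block list."""
    return block_decision(flagged_sources(reports, **thresholds))


if __name__ == "__main__":
    print(run())
```

On the constructed data only the two `198.51.100.x` hosts are corroborated, and because they share a /24 the aggregator emits one network block rather than two host blocks; the single-sensor source and the slow, spread-out scan are left alone. In line with the post's remark about predictability, `window`, `min_sensors` and `min_hosts_per_net` are deliberately parameters so each participating AS can pick its own values rather than advertise one fixed rule.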