North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Security Intelligence [Was: Re: Netblock reassigned from Chile to US ISP...]

  • From: Seth Mattinen
  • Date: Sat Dec 20 02:49:24 2008

Luke S Crawford wrote:
Randy Bush <[email protected]> writes:

speaking as a small provider, I can tell you that I find running snort
against my inbound traffic does reduce the cost of running an abuse desk.
I do catch offenders before I get [email protected] complaints, sometimes.
unfortunately snort does not really scale to a larger provider.  and,
to the best of my poor knowledge, good open source tools to
black-hole/redirect botted users are not generally
available. universities have some that are good at campus and
enterprise scale.

I can't speak to the scaling of snort (I only eat around 20Mbps,
and snort on a 256Mb Xen VM handles it just fine) but I'm not sure what you are getting at with regards to open-source tools to blackhole or redirect botted users. I mean, we've all got hooks
in our billing system (or some other procedure) to manually disable
abusive (or non-paying) customers now, right? I guess I'm not seeing how it is any harder to have a script watching snort disable the
customer than it is to have freeside disable the customer when they
dont pay their bill.



I suppose it could lead to huge amounts of anger from an existing customer base if automatic cutoffs started showing up one day out of the blue (to their perspective). I automatically disable various things for a whole slew of reasons - but I've been doing it since day one and everyone is aware of it and expects it. Or slowly phase them in with warnings leading up to automated action.


Repetitive, boring tasks are great for computers. I've only ever had one customer (a local advertising agency, who is no longer a customer) cry over automation because they thought they had a "special treatment" clause and didn't need to pay. It sent them warnings, of course, but they thought those didn't apply to them either. Automation isn't for everyone.

I like automation. It has rules and follows them. The rules are posted ahead of time for all to see. Most of the time people are happy to see the automated system put a stop to some kind of potential disaster before it has time to cause more damage. It's like your credit card company calling you because suddenly there's abnormal charges on your card.

~Seth