-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

in-line:

Jordan Medlen wrote:
> I'm sure most people on this list have heard of or use snort. There is an
> add-on package called snortsam. This package allows automation of blocking
> traffic deemed malicious via a null route statement or ACL statement. We
> have been in the process over the last month of implementing this on our
> network with much success. I think the only problem that we have had with it
> thus far is underestimating just how well it was actually going to work. As
> with any snort implementation, it takes time to tweak and tune the rule
> sets; however, we have managed to kill a huge amount of traffic either coming
> from our customers or destined to our customers. While this is not a perfect
> system, it is much better than idly sitting there and letting the abuse
> continue.

- -------------------------

One thing that would be nice (maybe a wish-list item) is if snortsam could
send an e-mail notification (similar to other proactive tools) rather than
pushing for an ACL change, which could possibly break something due to an
FP. This could lead to a headless-chicken-syndrome scenario. Also, where I
come from, we cannot implement change(s) to any P1/P2 (business critical)
devices w/o a change management request, except for emergencies.

regards,
/virendra

>
> ---
> Jordan Medlen
> Chief Technology Officer and Architect
> Sago Networks
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Michael Nicks
> Sent: Sunday, August 13, 2006 2:07 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Full-disclosure] what can be done with botnet C&C's?
>
>
> I hate to stir the flames again, but this idea sounds a lot like RBLs.
> :)
>
> All kidding aside, I'm curious as to when we will reach the point where the
> devices of our networks will be able to share information regarding sporadic
> bursts or predefined traffic patterns in network traffic within a certain
> time frame, determine it is a related outgoing (or incoming) attack, and
> mitigate/stop the traffic. I think it certainly is possible to accomplish
> this on a per-router level, but being able to have the devices communicate
> and share information between one another is a completely separate thing.
> (New protocol perhaps.)
>
> The only real method that I really have in my toolkit to stop incoming DDoS
> from an AS-wide perspective is originating a /32 within an AS with a next-hop
> of a discard interface.
>
> Something similar to that nature but more flexible and designed for the sole
> purpose of preventing/stopping abuse would be a very nice feature.
>
> Cheers.
> -Michael
>
> --
> Michael Nicks
> Network Engineer
> KanREN
> e: [EMAIL PROTECTED]
> o: +1-785-856-9800 x221
> m: +1-913-378-6516
>
> Payam Tarverdyan Chychi wrote:
>> I've been reading on this subject for the last several weeks and it
>> seems as if everyone just likes to come up with out-of-the-box ideas
>> that are not realistic for today's network environments.
>>
>> J.Oquendo, thanks for the Smurf example, as there are still
>> admins/engineers at large networks that have no clue as to what they
>> are doing, so QoS is for sure out of the question... at least at this
>> time.
>>
>> Depending on agents to take action and protect our networks is
>> even a bigger joke. Back in the late 90s, kiddies were using the
>> simplest types of C&C: wide-open IRC networks with visible channels
>> and no encryption, and agents couldn't do anything unless the attack
>> was big enough to take down Amazon, Yahoo, Microsoft or some other
>> major provider with enough $$$ to start an investigation.
>>
>> So what makes you think that agents are of any help in today's world,
>> where C&Cs have gotten so much more sophisticated and use backup private
>> servers, encryption, tunneling and much, much more?
>>
>> In my opinion, the only way to really start cracking down on C&C and
>> put an end to it is the cooperation of major ISPs. I realize that
>> most ISPs can't/won't set up a security team to just investigate C&C /
>> attacks (would this really fall under the abuse team?), but perhaps if
>> all major networks worked together and created an active DB list of C&Cs
>> found either on their networks or attacking one's network, then it
>> would be much, much easier to trace back C&Cs and dispose of them.
>>
>> Unfortunately, we don't live in a perfect world and most ISPs hate
>> sharing any information. I guess it's better for them to have a bigger
>> ego than a safer / more stable network.
>>
>> Please feel free to correct me if I am wrong.
>>
>> -Payam
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE5LdspbZvCIJx1bcRAk04AJ9bsdHfeGY/8bo+CFFyPCNBIYLAxwCaAqv/
0v8mDACXHUBiSQAtBgZ0p0g=
=yOnO
-----END PGP SIGNATURE-----
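The two operational points raised in this thread, Michael's /32 null route to a discard interface and virendra's preference for a notification (with a change-request gate for business-critical devices) over an automatically pushed ACL change, can be shown together in a small review-gated alert handler. The Python below is an added example written for this page; it is not snortsam's code or configuration and not code from anyone on the thread. The alert line format, the sample alerts, the threshold and the protected prefixes are all constructed for the example; the `ip route ... Null0` statement is the Cisco IOS static-route form of a discard route, which the example only generates for review and never applies.

```python
"""Review-gated blocking for IDS alerts (added example, not snortsam).

Default mode turns alerts into a notification carrying the null-route
statement an operator would apply; enforce mode returns the statement as
an action, except for sources inside prefixes that hold P1/P2 devices,
which are always held for a change request.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed alert format for this example (not Snort's own output):
# "<time> [<sid>] <message> <src> -> <dst>"
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[(?P<sid>\d+)\]\s+(?P<msg>.+?)\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)$"
)

# Constructed sample alerts; one malformed line shows that parsing is lenient.
SAMPLE_ALERTS = """\
08/13-14:07:00 [1000001] BOTNET C&C join attempt 198.51.100.7 -> 203.0.113.10
08/13-14:07:01 [1000001] BOTNET C&C join attempt 198.51.100.7 -> 203.0.113.10
08/13-14:07:02 [1000001] BOTNET C&C join attempt 198.51.100.7 -> 203.0.113.10
08/13-14:07:03 [1000002] SCAN inbound sweep 203.0.113.5 -> 198.51.100.9
08/13-14:07:04 [1000002] SCAN inbound sweep 203.0.113.5 -> 198.51.100.9
08/13-14:07:05 [1000002] SCAN inbound sweep 203.0.113.5 -> 198.51.100.9
08/13-14:07:06 [1000003] DDoS flood 192.0.2.44 -> 198.51.100.9
08/13-14:07:06 [1000003] DDoS flood 192.0.2.44 -> 198.51.100.9
08/13-14:07:07 [1000003] DDoS flood 192.0.2.44 -> 198.51.100.9
08/13-14:07:07 [1000003] DDoS flood 192.0.2.44 -> 198.51.100.9
08/13-14:07:08 [1000004] POLICY odd user-agent 192.0.2.9 -> 198.51.100.9
this line is not an alert and is skipped
"""

# Constructed: prefixes holding P1/P2 devices that are never null-routed
# automatically; a change management request is required for them.
PROTECTED_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
THRESHOLD = 3  # alerts from one source before any action is proposed


@dataclass(frozen=True)
class Decision:
    source: str
    alerts: int
    action: str      # "notify", "null-route" or "hold"
    statement: str   # router statement that would implement the block


def parse_alerts(text):
    """Parse constructed alert lines; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def is_protected(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PROTECTED_PREFIXES)


def null_route_statement(addr):
    # Cisco IOS host route to the discard interface: the /32 next-hop-to-Null0
    # form of the blackhole Michael describes. Generated here, never applied.
    return f"ip route {addr} 255.255.255.255 Null0"


def decide(alert_text, enforce=False, threshold=THRESHOLD):
    """Aggregate alerts per source and return one Decision per source that
    crossed the threshold, sorted by source address."""
    counts = Counter(e["src"] for e in parse_alerts(alert_text))
    decisions = []
    for src, n in sorted(counts.items()):
        if n < threshold:
            continue  # below threshold: no action, no notification
        stmt = null_route_statement(src)
        if is_protected(src):
            decisions.append(Decision(src, n, "hold", stmt))
        elif enforce:
            decisions.append(Decision(src, n, "null-route", stmt))
        else:
            decisions.append(Decision(src, n, "notify", stmt))
    return decisions


def notification_text(decisions):
    """Render the e-mail style summary an operator would receive."""
    lines = [f"{len(decisions)} source(s) crossed the alert threshold:"]
    for d in decisions:
        lines.append(f"  {d.source}: {d.alerts} alerts -> {d.action}; "
                     f"proposed: {d.statement}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(notification_text(decide(SAMPLE_ALERTS)))
```

Running the block prints the notification for the constructed alerts: two sources proposed for a null route and one held because it sits in a protected prefix. Whether `enforce=True` is ever used is the policy decision the thread is about; keeping the threshold and the protected list explicit makes a false positive cost a review rather than an outage.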