Quoting Marcus J. Ranum ([EMAIL PROTECTED]):

> We've often gotten requests for "firewall reconfiguration" or other types
> of "reaction" - what's interesting to me is that all these requests:

How easily could something like a zebra process be integrated with NFR or any other IDS, for that matter, to issue null- or re-routes into the local BGP/OSPF mesh? Would that not be a pretty decent way of 'reaction'?

> will be limited by the degree of certainty the IDS is able to achieve. If

If the IDS detection algorithms incorporate thresholds that show a certain traffic-based danger level, something like this would be a nice way to react. During NANOG23 Yehuda Afek gave a talk on deception and sieving to defeat DDoS attacks. A similar approach could be employed here. If the IDS notices something 'strange', it reconfigures the internal mesh to have this specific traffic sent to a sieving entity which finally decides if this is legitimate traffic or not. This would keep the IDS free to further work on other traffic, and false positives would lead to a slowdown but not a complete block.

> you've got a 100% accurate diagnosis of the attack and its source then
> you _might_ be able to take some steps. If it's not 100% accurate then

Here, again. For an IDS to be effective in multi-ingress scenarios, meshed IDSes and the ability to obtain additional information from the border routers would be a good start. If my IDS picks up some "suspicious" traffic, I could trace back to my borders, determine if the traffic indeed comes in over the AS its source IP claims to come from, and react based on that. Also, if there's a cflow/netflow-based backend available to quantify the amount of traffic, my IDS would be able to be much more reactive.

> ALERT: SYSALERT, Severity=10, Confidence=10 - your system was
> vulnerable to attacks that are being launched against it. OpenBSD
> has automatically been installed replacing the copy of Linux that was
> on it...

:)

-- 
Jonas M Luster -- d-fensive networks, Inc. -- http://www.d-fensive.com
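The tiered reaction sketched in the message above (log, divert to a sieve, or null-route only on corroborated full-confidence alerts), as an added example that is not part of the original post or of NFR or zebra. The 0-10 confidence scale follows the quoted ALERT line; the flow records, border-to-AS table, sieve next-hop and the Zebra-style `ip route` strings are my own assumptions.

```python
"""Added example: turn an IDS alert into a graded routing reaction."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SIEVE_NEXT_HOP = "10.255.0.2"   # assumed address of the sieving host

@dataclass
class Alert:
    source_ip: str
    confidence: int              # 0..10, as in the quoted ALERT line

@dataclass
class Flow:
    source_ip: str
    ingress_border: str          # border router that saw the traffic
    ingress_as: str              # AS the border learned the source from
    bytes: int

# Constructed: the upstream AS each border legitimately peers with.
EXPECTED_AS = {"border-a": "AS64500", "border-b": "AS64501"}

def source_is_consistent(alert: Alert, flows: List[Flow]) -> bool:
    """A source claiming AS X should only enter on the border that peers with X."""
    seen = [f for f in flows if f.source_ip == alert.source_ip]
    if not seen:
        return False             # no border evidence: cannot corroborate
    return all(EXPECTED_AS.get(f.ingress_border) == f.ingress_as for f in seen)

def total_bytes(alert: Alert, flows: List[Flow]) -> int:
    """Netflow-style volume for the alerted source."""
    return sum(f.bytes for f in flows if f.source_ip == alert.source_ip)

def decide(alert: Alert, flows: List[Flow], sieve_threshold: int = 5,
           block_threshold: int = 10, volume_floor: int = 1_000_000
           ) -> Tuple[str, Optional[str]]:
    """Return (action, route). Low confidence: log only. Medium: divert the
    source to the sieve, which is reversible, so a false positive slows the
    traffic rather than blocking it. Null-route only when confidence is full
    AND the borders agree the source is who it claims to be AND the volume is
    large; a spoofed source must never earn a null-route for the real owner."""
    if alert.confidence < sieve_threshold:
        return "log", None
    prefix = f"{alert.source_ip}/32"
    corroborated = (source_is_consistent(alert, flows)
                    and total_bytes(alert, flows) >= volume_floor)
    if alert.confidence >= block_threshold and corroborated:
        return "null-route", f"ip route {prefix} Null0"
    return "sieve", f"ip route {prefix} {SIEVE_NEXT_HOP}"
```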
