North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Hi, we're from the government and we're here to help (long)

  • From: Chris Brenton
  • Date: Tue Mar 14 17:36:43 2000

Patrick Greenwell wrote:
> 
> I think it is an intersting idea, however I believe it somewhat misses the
> point. While a "clearinghouse" is indeed a potentially useful entity, my
> suggestion centers more around actually getting NOCs to talk to each other
> and come up with a common approach to event handling.

My thinking is that its not just ISP's that have problems with reaching
the proper security contact at another ISP, but end user networks as
well. A central point of contact could help facilitate both sets of
communications. 

My experience has been that its usually pretty rare for an organization
to contact their local ISP when a security problem occurs. Typically its
the ISP at the other end of the connection that gets contacted because
they are in the best position to do something about the attack.

Of course you can't easily ID the source with many attack patterns, thus
the need to come up with some kind of a formal handling procedure. My
gut is that this would be easier to facilitate through a central point
of contact rather than dealing with a distributed model where everyone
needs some method of staying in sync.

> My 100,000 foot view tells me the problem is not security, it is a lack
> of communication between providers. Enable that, then a reasonable stab
> can be made at semi-cohesive security alert notification.

Kind of funny that the largest communication infrastructure has actually
caused its on set of communication problems. ;)

I agree the problem is not security per se, but in addition to
communication its also a data resource problem. Unless you are logging
everything that coming out of your network, its difficult to keep track
of who is doing what. Thus the "clearing house" idea as a central point
of data collection. I know that as part of GIAC we've been successful in
helping to pin down a number of purps as well as compromised systems
just by being able to correlate data from multiple targets. This makes
it much easier to see patterns.

Its also a good way to get the scoop on what's going down both positive
and negative. For example I've seen a number of domains mistake the 3DNS
probes for attacks and kill all connectivity with the source network. By
keeping the community at large in the loop as to what was really going
on, we where able to clarify some misconceptions.

> Absolutely correct. The infrastructure is beginning to generate far too
> much revenue to be ignored anymore.

Agreed, although based on the lack of interest in my original post I
don't see it getting addressed in short order. 

Thanks!
Chris
-- 
**************************************
cbrenton@sover.net

* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet