North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Security Intelligence [Was: Re: Netblock reassigned from Chile to US ISP...]

  • From: Luke S Crawford
  • Date: Fri Dec 19 22:03:57 2008

Randy Bush <randy@xxxxxxx> writes:

> be specific, like "if you run X tools the payoff will be Y."

Yes.  And where is the appropriate form for this?    I find this
sort of thing quite interesting;  and yeah, it doesn't seem like the
sort of thing NANOG is for, but most of the small ISP forms
(like webhostingtalk, etc...) well, the average technical skill level
seems to be ridicioulously low.  

Some people talk about ways to give spammers only one 'whack' at
your service, such as requesting a faxed ID ahead of time, or putting more
effort into preventing credit card fraud.

Me, my focus has been on detecting abuse from my customers before the
rest of the world starts complaining.   

speaking as a small provider, I can tell you that I find running snort
against my inbound traffic does reduce the cost of running an abuse desk.
I do catch offenders before I get abuse@ complaints, sometimes.  

Granted, my snort-fu is not awesome. just the other week I was reminded that
I wasn't even checking for ssh dictionary attacks.  There is a lot more work
i need to do with snort before I can have it automatically switch off 
customers, or notify me at a high priority, rather than writing to a log
I read once every few days.    Still, I think I am on the right track,
as even with my poor, neglected snort setup I still catch some problems
before I get complaints.  

I don't see anyone else talking about doing anything
similar... Everyone else seems to be focused on preventing spammers 
from signing up or going after them after the fact.   

It seems to me that some effort into detecting abuse as it happens 
(rather than waiting for an abuse@ complaint, something that, in my experience
takes a rather large amount of abuse to trigger.)  could yield quite a lot
of 'low hanging fruit' simply because not much effort has been put
out in that direction.  

On the other hand, I have a hard time believing I'm smarter than the guys 
running ec2.  So maybe I'm missing something, and it's really not actually 
any cheaper than manning the abuse@ desk with a bunch of grunts.  Or
maybe other people are already doing this, and I've just missed the 
conversation.  
  
Maybe even if you tune snort optimally, it still can't detect enough of the
attacks to be useful?