North American Network Operators Group
Re: Security Intelligence [Was: Re: Netblock reassigned from Chile to US ISP...]
Randy Bush <randy@xxxxxxx> writes:

> be specific, like "if you run X tools the payoff will be Y."

Yes. And where is the appropriate forum for this? I find this sort of thing quite interesting; and yeah, it doesn't seem like the sort of thing NANOG is for, but on most of the small ISP forums (like webhostingtalk, etc...) well, the average technical skill level seems to be ridiculously low.

Some people talk about ways to give spammers only one 'whack' at your service, such as requesting a faxed ID ahead of time, or putting more effort into preventing credit card fraud. Me, my focus has been on detecting abuse from my customers before the rest of the world starts complaining.

Speaking as a small provider, I can tell you that I find running snort against my inbound traffic does reduce the cost of running an abuse desk. I do catch offenders before I get abuse@ complaints, sometimes. Granted, my snort-fu is not awesome. Just the other week I was reminded that I wasn't even checking for ssh dictionary attacks. There is a lot more work I need to do with snort before I can have it automatically switch off customers, or notify me at a high priority, rather than writing to a log I read once every few days. Still, I think I am on the right track, as even with my poor, neglected snort setup I still catch some problems before I get complaints.

I don't see anyone else talking about doing anything similar... Everyone else seems to be focused on preventing spammers from signing up or going after them after the fact. It seems to me that some effort into detecting abuse as it happens (rather than waiting for an abuse@ complaint, something that, in my experience, takes a rather large amount of abuse to trigger) could yield quite a lot of 'low hanging fruit' simply because not much effort has been put out in that direction. On the other hand, I have a hard time believing I'm smarter than the guys running ec2.

So maybe I'm missing something, and it's really not actually any cheaper than manning the abuse@ desk with a bunch of grunts. Or maybe other people are already doing this, and I've just missed the conversation. Maybe even if you tune snort optimally, it still can't detect enough of the attacks to be useful?
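An added example, not from the original post, of the escalation step the post is missing: it parses alert lines in Snort's "fast" alert format, keeps only those whose source is a customer address, and decides per source whether to log, notify the abuse desk, or disable the customer. The customer netblock, the thresholds, and the local sid 1000001 in the constructed sample lines are assumptions, not values from the post.

```python
import ipaddress
import re
from collections import defaultdict

# Hypothetical customer address space; a real deployment would load this from provisioning.
CUSTOMER_NETS = [ipaddress.ip_network("10.0.5.0/24")]
NOTIFY_AT, DISABLE_AT, DISTINCT_TARGETS_AT = 5, 20, 3  # hypothetical thresholds per batch

# Snort "fast" alert format: timestamp [**] [gid:sid:rev] msg [**] ... [Priority: n] {proto} src:port -> dst:port
FAST_RE = re.compile(
    r"\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?P<msg>.+?)\s+\[\*\*\].*?\[Priority: (?P<prio>\d+)\]"
    r"\s+\{\w+\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+\s*$"
)

def parse_fast_alert(line):
    """Return the fields of one fast-format alert line, or None if it does not parse."""
    m = FAST_RE.search(line)
    return m.groupdict() if m else None

def is_customer(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CUSTOMER_NETS)

def action_for(rec):
    if rec["count"] >= DISABLE_AT:
        return "disable"            # enough to cut the port automatically
    if rec["count"] >= NOTIFY_AT or len(rec["targets"]) >= DISTINCT_TARGETS_AT:
        return "notify"             # page the abuse desk now, do not wait for abuse@
    return "log"                    # keep for the periodic log review

def triage(lines):
    """Aggregate alerts by customer source IP and choose an action per source."""
    per_src = defaultdict(lambda: {"count": 0, "targets": set()})
    for line in lines:
        a = parse_fast_alert(line)
        if a is None or not is_customer(a["src"]):
            continue  # unparsable, or the source is not one of our customers
        per_src[a["src"]]["count"] += 1
        per_src[a["src"]]["targets"].add(a["dst"])
    return {src: action_for(rec) for src, rec in per_src.items()}

def fast_line(src, dst, sec):
    """Build a constructed alert line in Snort fast format (sid 1000001 is a local placeholder)."""
    return (f"01/15-10:22:{sec:02d}.000000  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] "
            f"[Classification: Attempted Administrator Privilege Gain] [Priority: 1] "
            f"{{TCP}} {src}:5{sec:04d} -> {dst}:22")

# Constructed batch: one customer spraying six SSH hosts, one with a single alert, one non-customer.
SAMPLE = [fast_line("10.0.5.12", f"198.51.100.{i}", i) for i in range(1, 7)]
SAMPLE += [fast_line("10.0.5.40", "198.51.100.9", 30), fast_line("203.0.113.5", "10.0.5.12", 31)]
```

Feed `triage()` the lines from Snort's alert file on a timer and wire "notify" and "disable" to your paging and provisioning systems; the thresholds are the knobs to tune against your own false-positive rate.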