What about timing? What about breaking up
segments of the network to be scanned by different hosts?
It's really a matter of getting a sizable 'line mine net' up. With
dshield, I hope to ultimately have a couple in each AS, probably with
The trick is that you use other people's line mines. It doesn't help you
to use your own. Scan & exploit often come in one package so by the time
you figure out you are scanned, you probably already lost a few hosts.
The trick with distributed (or 'collaborative' as I think it is better
called) intrusion detection is that whoever gets scanned first tells
Also: This has to be automated. Because whoever gets hit first is
probably too busy cleaning up to worry about posting all the gory
details on this or any other list.
hits on the linemines constitute blocking? Are you blocking hosts or
up to you... Setting too much of a policy would make the system
predictable and vulnerable. (attacker knows: only scan 99 hosts from
Either way, what about dynamic IPs?
blocking a network will take care of them. Other than that: for a
DSL/cable line the IP will not change much, and for a dialup line they
would have to hang up & dial a lot to get a good IP distribution.
What about scans done
from different networks other than that which the supposed attacker is
Well, then these networks are marked as "attackers", which is ok. The
can clean up their systems and enjoy full access again.
It's universities, unsecured wireless LANs, etc.
same thing: if you run an unsecured wireless network, maybe you
shouldn't have given it access to the net in the first place.
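The collaborative scheme sketched in this thread (several independent 'line mines' report scanners, a source is blocked only once enough distinct sensors have seen it, dynamic address pools are blocked at network granularity, and blocks expire so a cleaned-up network gets its access back) can be written down as a small aggregator. The code below is an added illustration and is not DShield's code or anything posted in the thread; the thresholds, the sensor names, the constructed report list and the `DYNAMIC_POOLS` table are all assumptions chosen for the example.

```python
"""Minimal collaborative-detection aggregator (added example, not DShield code).

Each participating sensor ('line mine') submits (timestamp, source_ip, sensor_id).
A source is blocked when MIN_SENSORS *distinct* sensors report it inside
WINDOW_SECONDS; repeated hits from a single sensor never trigger a block,
which keeps one noisy or compromised sensor from blocking anyone on its own.
Sources inside known dynamic pools are aggregated and blocked per /24.
Blocks carry a TTL so an owner who cleans up regains access without manual work.
"""
from collections import defaultdict
import ipaddress

MIN_SENSORS = 3            # distinct reporting sensors required before blocking
WINDOW_SECONDS = 3600      # reports older than this no longer count toward the threshold
BLOCK_TTL_SECONDS = 86400  # blocks expire after a day (assumed policy value)

# Constructed: ranges the operator knows to be dynamically assigned (DSL/cable/dialup).
# Hits from these are attributed to the whole /24 rather than the single address.
DYNAMIC_POOLS = [ipaddress.ip_network("198.51.100.0/24")]


def block_key(ip_str):
    """Return the address (/32) or network (/24) a report is attributed to."""
    ip = ipaddress.ip_address(ip_str)
    for pool in DYNAMIC_POOLS:
        if ip in pool:
            return str(ipaddress.ip_network(f"{ip}/24", strict=False))
    return f"{ip}/32"


class Aggregator:
    def __init__(self, min_sensors=MIN_SENSORS, window=WINDOW_SECONDS, ttl=BLOCK_TTL_SECONDS):
        self.min_sensors = min_sensors
        self.window = window
        self.ttl = ttl
        self.reports = defaultdict(list)  # block key -> [(ts, sensor_id), ...]
        self.blocks = {}                  # block key -> expiry timestamp

    def report(self, ts, src_ip, sensor_id):
        """Record one sensor hit; return the block key if this hit crosses the threshold."""
        key = block_key(src_ip)
        self.reports[key].append((ts, sensor_id))
        # Forget reports that fell out of the sliding window.
        self.reports[key] = [(t, s) for t, s in self.reports[key] if ts - t <= self.window]
        distinct_sensors = {s for _, s in self.reports[key]}
        if len(distinct_sensors) >= self.min_sensors:
            self.blocks[key] = ts + self.ttl  # (re)arm the block and extend its expiry
            return key
        return None

    def active_blocks(self, now):
        """Block keys whose TTL has not yet run out, sorted for stable output."""
        return sorted(k for k, expiry in self.blocks.items() if expiry > now)


# Constructed sample feed: (timestamp, source_ip, sensor_id)
SAMPLE_REPORTS = [
    (1000, "203.0.113.7", "mine-A"),
    (1200, "203.0.113.7", "mine-B"),
    (1500, "203.0.113.7", "mine-C"),    # third distinct sensor -> block /32
    (2000, "192.0.2.1", "mine-A"),
    (2100, "192.0.2.1", "mine-A"),
    (2200, "192.0.2.1", "mine-A"),      # same sensor three times -> no block
    (3000, "198.51.100.5", "mine-A"),
    (3100, "198.51.100.9", "mine-B"),
    (3200, "198.51.100.77", "mine-C"),  # three hosts in a dynamic pool -> block the /24
]


def run_sample(reports=SAMPLE_REPORTS):
    """Feed the constructed reports through a fresh aggregator and return it."""
    agg = Aggregator()
    for ts, ip, sensor in reports:
        agg.report(ts, ip, sensor)
    return agg


if __name__ == "__main__":
    agg = run_sample()
    print("active now:  ", agg.active_blocks(now=4000))
    print("a day later: ", agg.active_blocks(now=1500 + BLOCK_TTL_SECONDS + 1))
```

Requiring distinct sensors rather than a raw hit count is what makes the scheme hard to game from one vantage point, and the TTL is the mechanism behind "they can clean up their systems and enjoy full access again"; the window and threshold values are the policy knobs the thread suggests keeping unpredictable.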