The Internet's Immune System

It would be useful if these sites allowed you to query them with CIDR ranges to
see if your site had originated any traffic that triggered their sensor arrays. The
IDS community never seems to have wrapped its collective head around routing
information. Looking up single IP addrs is just cosmetic. A real service would
allow for concerned sites to check their entire address allocations.

The solution we have takes a massive amount of data munging of a routing
table and is still experimental, but until attacks can be mapped to meaningful Internet
topographical information, the real value of these distributed IDS efforts cannot be fully

I can foresee the argument that people shouldn't be able to look up other sites
which might be compromised, but if they are really so concerned, they should
get their sites patched.

here's what i learned about a white-hat registry. nobody cares. this is
perceived as an asymmetric benefit, where the costs (even if there's no
money, there's still effort in registering initial and new address space
or AS#'s or whatever) are borne by the network owner and the benefits are
felt by victims of various forms of abuse (spam, ddos, virus, whatever.)

now, anyone who thinks this through will realize that the benefit is NOT
asymmetric. this is a tide (storm) that can lift (destroy) all boats. a
network owner who deals swiftly with abuse becomes an anathema for abusers
and thus has lower overall abuse costs. and a network of network-owners
who all behaved that way would make abuse rare enough to be worth tracking

however, from a marketing/perception standpoint, the benefit appears to
be asymmetric, and in this economy, network owners don't feel generous.
so the first task isn't upgrading or to
handle white-hat network owner registration, but rather, convincing
network owners that it's in their own selfish best interests to receive
rapid and reliable complaints when abuse comes from/through their customer.

and frankly, if that were possible, the abuse@${MOST_ISPS} would not be
a blackhole with robothanks at the door. so, i'm not hopeful that the
internet's immune system is simply in need of better incident reporting.
we need a "sea change" in network-owner attitudes. if you're feeling
holier than thou for any reason, find out if your peering agreements
require your peers to permanently disconnect repeat abuse sources, and
to temporarily disconnect first time abuse sources. assuming that $YOU
do these things, but that $YOUR_PEERS do not, then what have you really

As far as reporting is concerned, we do have a number of ways you can
query our DShield data. First of all, by prefix (right now only /8, /16,
/24). But we do send out daily custom reports per request. Just send me
an e-mail.

There is also a test version of a report by ASN:
it's experimental and feedback is welcome. It is set up to be machine
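As an added illustration of the CIDR-range and per-ASN lookups asked for in the first post and offered in the DShield reply above (example code written for this page, not DShield's or any listed service's own tooling): it does a longest-prefix match of logged attack sources against a routing-table excerpt, counts hits per prefix and per origin AS, and answers "did anything inside my allocation trigger the sensors?" for an arbitrary CIDR rather than only /8, /16 or /24. The routes, AS numbers and sensor log lines are all constructed sample data.

```python
import ipaddress
from collections import Counter

# Constructed routing-table excerpt (prefix -> origin AS); documentation
# ranges and private-use AS numbers, not real allocations.
ROUTES = {
    "198.51.100.0/24": 64500,
    "203.0.113.0/24": 64501,
    "203.0.113.128/25": 64502,   # more-specific announcement inside the /24
    "192.0.2.0/24": 64503,
}

# Constructed sensor log: "<timestamp> <source_ip> <destination_port>"
SENSOR_LOG = """\
2003-11-12T18:56:50 203.0.113.7 135
2003-11-12T18:57:01 203.0.113.200 135
2003-11-12T18:57:05 203.0.113.201 445
2003-11-12T18:58:12 198.51.100.9 1434
2003-11-12T18:58:40 192.0.2.77 80
2003-11-12T18:59:03 10.0.0.5 135
"""

def build_table(routes):
    """Parse prefixes once; most-specific first so the first hit is the longest match."""
    table = [(ipaddress.ip_network(p), asn) for p, asn in routes.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table

def lookup(table, ip):
    """Return (prefix, asn) of the most specific route covering ip, or None if unrouted."""
    addr = ipaddress.ip_address(ip)
    for net, asn in table:
        if addr in net:
            return net, asn
    return None

def hits_by_origin(table, log):
    """Attribute each logged source to its covering prefix and origin AS; collect the rest."""
    by_prefix, by_asn, unrouted = Counter(), Counter(), []
    for line in log.splitlines():
        _, src, _ = line.split()
        route = lookup(table, src)
        if route is None:
            unrouted.append(src)          # e.g. RFC1918 space: nothing to report to
            continue
        by_prefix[str(route[0])] += 1
        by_asn[route[1]] += 1
    return by_prefix, by_asn, unrouted

def sources_in_range(log, cidr):
    """Sorted distinct sources inside any CIDR, the 'check my whole allocation' query."""
    net = ipaddress.ip_network(cidr)
    srcs = (line.split()[1] for line in log.splitlines())
    return sorted({s for s in srcs if ipaddress.ip_address(s) in net})
```

Because the prefix and AS counts are computed on the defender's side from the routing table, a network owner can ask about its own allocation without the service having to expose a per-host list to whoever asks.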

On Wed, 12 Nov 2003 18:56:50 EST, Jamie Reid <> said:

It would be useful if these sites allowed you to query them with CIDR ranges
to see if your site had originated any traffic that triggered their sensor

I've always wondered how to do this securely in an ad-hoc manner.

The guys at MAPS send me a report once a week of stuff that's in my
netblocks, but that involved contacting them and presumably at least
some verification that I was affiliated with the netblocks.

How do you prevent Joe Scriptkid from asking it "what vulnerable machines
are coming out of ASrandom"?

myNetWatchman has a work-in-progress search-by-AS

Unfortunately myNetWatchman is one of the worst services I have seen. We
can't even get them to send the reports to our abuse address.


I've found that anything marketed starting with "my" is not something
I would ever want to call mine.