The Internet's Immune System

It would be useful if these sites allowed you to query them with CIDR ranges to
see if your site had originated any traffic that triggered their sensor arrays. The
IDS community never seems to have wrapped its collective head around routing
information. Looking up single IP addrs is just cosmetic. A real service would
allow for concerned sites to check their entire address allocations.

The solution we have takes a massive amount of data munging of a routing
table and is still experimental, but until attacks can be mapped to meaningful Internet
topographical information, the real value of these distributed IDS efforts cannot be fully
exploited.

I can foresee the argument that people shouldn't be able to look up other sites
which might be compromised, but if they are really so concerned, they should
get their sites patched.


here's what i learned about a white-hat registry. nobody cares. this is
perceived as an asymmetric benefit, where the costs (even if there's no
money, there's still effort in registering initial and new address space
or AS#'s or whatever) are borne by the network owner and the benefits are
felt by victims of various forms of abuse (spam, ddos, virus, whatever.)

now, anyone who thinks this through will realize that the benefit is NOT
asymmetric. this is a tide (storm) that can lift (destroy) all boats. a
network owner who deals swiftly with abuse becomes an anathema for abusers
and thus has lower overall abuse costs. and a network of network-owners
who all behaved that way would make abuse rare enough to be worth tracking
again.

however, from a marketing/perception standpoint, the benefit appears to
be asymmetric, and in this economy, network owners don't feel generous.
so the first task isn't upgrading incidents.org or mail-abuse.org to
handle white-hat network owner registration, but rather, convincing
network owners that it's in their own selfish best interests to receive
rapid and reliable complaints when abuse comes from/through their customer.

and frankly, if that were possible, the abuse@${MOST_ISPS} would not be
a blackhole with robothanks at the door. so, i'm not hopeful that the
internet's immune system is simply in need of better incident reporting.
we need a "sea change" in network-owner attitudes. if you're feeling
holier than thou for any reason, find out if your peering agreements
require your peers to permanently disconnect repeat abuse sources, and
to temporarily disconnect first time abuse sources. assuming that $YOU
do these things, but that $YOUR_PEERS do not, then what have you really
accomplished?

As far as reporting is concerned, we do have a number of ways you can
query our DShield data. First of all, by prefix (right now only /8, /16,
/24). But we do send out daily custom reports per request. Just send me
an e-mail.

There is also a test version of a report by ASN:
http://www.dshield.org/asreport.php
it's experimental and feedback is welcome. It is set up to be machine
parsable.
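As an added illustration (not code from this thread, from DShield, or from any of the posters), here is the routing-table munging Jamie describes and the per-prefix / per-ASN reporting Johannes mentions, reduced to a longest-prefix match of sensor source addresses against a routing table, followed by CIDR and ASN queries. The routing table, ASNs and sensor log lines are constructed sample data.

```python
# Aggregate IDS sensor hits by routing prefix and origin AS, so a network
# owner can ask "did any address in my allocation trigger sensors?"
import ipaddress
from collections import defaultdict

# Constructed sample routing table: (prefix, origin ASN). Not real routes.
ROUTING_TABLE = [
    ("192.0.2.0/24", 64496),
    ("192.0.2.128/25", 64497),   # more-specific announced by another AS
    ("198.51.100.0/24", 64498),
    ("203.0.113.0/24", 64499),
]

# Constructed sample sensor log: "timestamp src_ip dst_port" per line.
SENSOR_LOG = """\
2003-11-12T18:00:01 192.0.2.17 135
2003-11-12T18:00:05 192.0.2.200 135
2003-11-12T18:00:09 192.0.2.201 445
2003-11-12T18:00:12 198.51.100.9 1434
2003-11-12T18:00:20 10.0.0.5 22
"""

def build_table(entries):
    """Parse routes and sort most-specific first for longest-prefix match."""
    nets = [(ipaddress.ip_network(p), asn) for p, asn in entries]
    return sorted(nets, key=lambda t: t[0].prefixlen, reverse=True)

def longest_match(table, ip):
    """Return (network, asn) of the most specific route covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, asn in table:
        if addr in net:
            return net, asn
    return None

def aggregate(table, log_text):
    """Count hits per (prefix, asn); sources with no route go under 'unrouted'."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        _ts, src, _port = line.split()
        hit = longest_match(table, src)
        key = (str(hit[0]), hit[1]) if hit else ("unrouted", None)
        counts[key] += 1
    return dict(counts)

def query_cidr(counts, cidr):
    """Hits for every routed prefix inside the caller's allocation (a CIDR query)."""
    block = ipaddress.ip_network(cidr)
    return {k: v for k, v in counts.items()
            if k[0] != "unrouted" and ipaddress.ip_network(k[0]).subnet_of(block)}

def query_asn(counts, asn):
    """Hits for every prefix originated by the given AS (an AS report)."""
    return {k: v for k, v in counts.items() if k[1] == asn}
```

Run on the constructed log, the /24 query returns both the covering route and the more-specific /25, while the AS query for 64497 returns only the /25; a source with no covering route is reported separately rather than silently dropped.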

On Wed, 12 Nov 2003 18:56:50 EST, Jamie Reid <Jamie.Reid@mbs.gov.on.ca> said:

It would be useful if these sites allowed you to query them with CIDR ranges
to see if your site had originated any traffic that triggered their sensor
array

I've always wondered how to do this securely in an ad-hoc manner.

The guys at MAPS send me a report once a week of stuff that's in my
netblocks, but that involved contacting them and presumably at least
some verification that I was affiliated with the netblocks.

How do you prevent Joe Scriptkid from asking it "what vulnerable machines
are coming out of ASrandom"?

myNetWatchman has a work-in-progress search-by-AS

http://www.mynetwatchman.com/ListIncidentbyASSummary.asp?AS=YOUR_AS_HERE

Unfortunately myNetWatchman is one of the worst services I have seen. We
can't even get them to send the reports to our abuse address.

Roy

I've found that anything marketed starting with "my" is not something
I would ever want to call mine.