[CLUE-Tech] Brute force attack from host 208.188.115.21
Glen Newell
skipworthy at realivetech.com
Thu Aug 5 09:15:52 MDT 2004
> A distributed database that could be
> automagically added to when one system "inappropriately" touches
> another system. The information on the "touch" as well as the source are
> added to the distributed system. Then, subscribers to the information
> could use it to decide how to handle incoming traffic from those IPs.
> Seems like it would shut down someone probing rather quickly - in effect, a
> large part of the net would disappear.
>
disappear is just about the right word...
- 'spam databases' just don't work all that well yet, IMHO... still
pretty labor intensive and too many 'false positives' and so on...
- There are *many* IT professionals that use probes/scans for
legitimate research and troubleshooting. Not to mention scans of one's
own IP space that could be 'automagically' interpreted as malicious,
shutting down an entire enterprise backbone. So how do
you 'automagically' determine what is 'inappropriate touching'??
- It's too easy to fake 'from' IP addresses, and too common a tactic.
In order to block the truly malicious scans, you'd want to be able to
find the *actual* source, which requires, at least in part, the
technique you're trying to prevent.
Don't get me wrong - I'm definitely in favor of tracking and catching
the bad guys, but I think any kind of 'automatic' process is going too
far - it seems impractical and could too easily lead to more harm than
good. What MIGHT work, and is already partially in place, is a sort of
network of sysadmins and netsec pros that share log analysis resources.
i.e.: if I find suspicious activities in my IDS/firewall logs, I check it
against an existing source (there are many available), then add it to
a collected database for further analysis and distribution. The more
people contribute (either by adding logs, or by doing the research) the
better and faster this will work...
okay - stepping off my orange crate now...
G
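As an added illustration of the workflow the post describes (triage firewall logs by hand rather than auto-block), here is a small Python triage script. It is not code from the post or the CLUE-Tech list; the log lines are constructed in the style of a netfilter LOG target, and the "own address space" network 198.51.100.0/24 and the port threshold are assumptions. It aggregates distinct destination ports per source, suppresses sources inside our own or RFC 1918 space (the false-positive case the post raises), and emits the remaining sources as leads for a person to check against an existing reputation source before sharing. Because a SYN-only probe carries a source address the sender never had to prove it owns (the spoofing point), nothing here blocks anything; it only produces a review list.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines (netfilter LOG style); not from the original post.
SAMPLE_LOG = """\
Aug  5 09:01:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=22 SYN
Aug  5 09:01:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40002 DPT=23 SYN
Aug  5 09:01:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40003 DPT=80 SYN
Aug  5 09:01:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40004 DPT=443 SYN
Aug  5 09:01:04 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40005 DPT=3389 SYN
Aug  5 09:02:10 fw kernel: IN=eth0 OUT= SRC=198.51.100.5 DST=198.51.100.10 PROTO=TCP SPT=50001 DPT=22 SYN
Aug  5 09:02:10 fw kernel: IN=eth0 OUT= SRC=198.51.100.5 DST=198.51.100.10 PROTO=TCP SPT=50002 DPT=25 SYN
Aug  5 09:02:11 fw kernel: IN=eth0 OUT= SRC=198.51.100.5 DST=198.51.100.10 PROTO=TCP SPT=50003 DPT=80 SYN
Aug  5 09:02:11 fw kernel: IN=eth0 OUT= SRC=198.51.100.5 DST=198.51.100.10 PROTO=TCP SPT=50004 DPT=443 SYN
Aug  5 09:03:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP SPT=33000 DPT=80 SYN
"""

# Assumed: the address space we administer ourselves (hypothetical value).
OWN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
# RFC 1918 ranges: a "scan" from these is either internal or a forged source.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed threshold: distinct destination ports before a source is worth a look.
PORT_THRESHOLD = 4

LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=[\d.]+ PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)")


def parse_events(log_text):
    """Return (source_ip, destination_port) tuples for each TCP log line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group("src"), int(m.group("dpt"))))
    return events


def suppression_reason(ip_str):
    """Why a source should NOT be treated as an external probe, or None."""
    ip = ipaddress.ip_address(ip_str)
    if ip.is_loopback or any(ip in net for net in RFC1918):
        return "private/loopback source (internal host or forged address)"
    if any(ip in net for net in OWN_NETWORKS):
        return "own address space (likely our own scan or troubleshooting)"
    return None


def candidates_for_review(log_text, threshold=PORT_THRESHOLD):
    """Group log events by source; split into leads to review and suppressed sources."""
    ports_by_src = defaultdict(set)
    for src, dpt in parse_events(log_text):
        ports_by_src[src].add(dpt)

    review, suppressed = {}, {}
    for src, ports in ports_by_src.items():
        if len(ports) < threshold:
            continue  # too little activity to be worth a human's time
        reason = suppression_reason(src)
        entry = {"distinct_ports": sorted(ports)}
        if reason:
            entry["reason"] = reason
            suppressed[src] = entry
        else:
            # SYN-only traffic proves nothing about who really sent it, so this
            # is a lead to verify against an existing source before it is shared.
            entry["next_step"] = "verify against an existing reputation source, then contribute"
            review[src] = entry
    return {"review": review, "suppressed": suppressed}


if __name__ == "__main__":
    result = candidates_for_review(SAMPLE_LOG)
    for src, info in result["review"].items():
        print("REVIEW   ", src, info["distinct_ports"], "-", info["next_step"])
    for src, info in result["suppressed"].items():
        print("SUPPRESS ", src, info["distinct_ports"], "-", info["reason"])
```

Running it lists 203.0.113.7 as a lead to verify (five distinct ports, external source), suppresses 198.51.100.5 as our own address space, and ignores 192.0.2.44 entirely because one port hit is below the threshold. The threshold and the own-network list are the knobs an operator would tune for their environment.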