[CLUE-Tech] Brute force attack from host 208.188.115.21

Glen Newell skipworthy at realivetech.com
Thu Aug 5 09:15:52 MDT 2004


> A distributed database that could be automagically added to when one
> system "inappropriately" touches another system.  The information on the
> "touch" as well as the source are added to the distributed system.  Then,
> subscribers to the information could use it to decide how to handle
> incoming traffic from those IPs.  Seems like it would shut down someone
> probing rather quickly - in effect, a large part of the net would
> disappear.

Disappear is just about the right word...

- 'Spam databases' just don't work all that well yet, IMHO... still 
pretty labor intensive and too many 'false positives' and so on...
- There are *many* IT professionals that use probes/scans for 
legitimate research and troubleshooting. Not to mention scans of one's 
own IP space that could be 'automagically' interpreted as malicious, 
shutting down an entire enterprise backbone. So how do 
you 'automagically' determine what is 'inappropriate touching'??
- It's too easy to fake 'from' IP addresses, and too common a tactic. 
In order to block the truly malicious scans, you'd want to be able to 
find the *actual* source, which requires, at least in part, the 
technique you're trying to prevent.

Don't get me wrong - I'm definitely in favor of tracking and catching 
the bad guys, but I think any kind of 'automatic' process is going too 
far - it seems impractical and could too easily lead to more harm than 
good. What MIGHT work, and is already partially in place, is a sort of 
network of sysadmins and netsec pros that share log analysis resources. 
I.e.: if I find suspicious activities in my IDS/firewall logs, I check it 
against an existing source (there are many available), then add it to 
a collected database for further analysis and distribution. The more 
people contribute (either by adding logs, or by doing the research) the 
better and faster this will work...

Okay - stepping off my orange crate now...

G
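As an added example (not code from Glen's post or from the clue-tech list), the Python script below implements the manual workflow the post favours over automatic blocking: count repeated refused connections per source in firewall logs, set aside sources inside our own address space (the self-scan false positive the post raises), compare the rest against a local snapshot of an "existing source", and hand them to a person for review. The iptables-style log format, the networks, the addresses and the reputation list are all constructed sample data; nothing here blocks traffic.

```python
"""Triage brute-force candidates from firewall logs before sharing them.

Added example, not code from the original mailing-list post. It follows the
workflow the post describes: count repeated refused connections per source in
local logs, skip sources inside our own address space (a scan of one's own
network is not an attack), check the rest against a local copy of an existing
reputation list, and queue them for analyst review instead of blocking them
automatically. The log format, networks, addresses and reputation list are
all constructed sample data.
"""
import ipaddress
import re
from collections import defaultdict

# iptables-style kernel log line: pick out source, destination, protocol, destination port.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)"
)

# Constructed: address space we administer. Sources inside it are our own
# scanners or troubleshooting, exactly the false positive the post warns about.
OWN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("203.0.113.0/24")]

# Constructed: a local snapshot of an "existing source" of known-bad addresses.
KNOWN_BAD = {"198.51.100.7"}

# Minimum attempts against one port before a source is worth a human look.
THRESHOLD = 5


def _log(src, dst, dpt):
    """Build one constructed iptables-style log line."""
    return (f"Aug  5 09:15:52 gw kernel: IN=eth0 OUT= SRC={src} DST={dst} "
            f"LEN=60 PROTO=TCP SPT=51000 DPT={dpt} SYN")


# Constructed sample log: one repeat offender already on the list, one of our
# own hosts scanning SSH, one unknown source hammering RDP, one stray hit, and
# one unrelated line that the parser must ignore.
SAMPLE_LOGS = (
    [_log("198.51.100.7", "192.0.2.10", 22)] * 6
    + [_log("203.0.113.5", "192.0.2.10", 22)] * 5
    + [_log("198.51.100.200", "192.0.2.20", 3389)] * 5
    + [_log("198.51.100.9", "192.0.2.10", 80)]
    + ["Aug  5 09:16:00 gw sshd[4242]: Accepted publickey for ops from 203.0.113.5"]
)


def parse_logs(lines):
    """Yield (src, dst, proto, dpt) for every line the regex recognises."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), m.group("proto"), m.group("dpt")


def in_own_space(addr):
    """True when the address falls inside a network we administer."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OWN_NETWORKS)


def triage(lines, threshold=THRESHOLD):
    """Return {(src, dpt): {"attempts": n, "verdict": ...}} for noisy sources.

    Verdicts: "own-space" (do not report; it is us), "corroborated" (already on
    the shared list; attach our evidence), "review" (new; a person decides).
    Nothing here blocks traffic: the source field of a refused packet is
    unauthenticated and can be forged, which is the post's other objection.
    """
    counts = defaultdict(int)
    for src, _dst, _proto, dpt in parse_logs(lines):
        counts[(src, dpt)] += 1

    report = {}
    for (src, dpt), n in sorted(counts.items()):
        if n < threshold:
            continue
        if in_own_space(src):
            verdict = "own-space"
        elif src in KNOWN_BAD:
            verdict = "corroborated"
        else:
            verdict = "review"
        report[(src, dpt)] = {"attempts": n, "verdict": verdict}
    return report


if __name__ == "__main__":
    for (src, dpt), info in triage(SAMPLE_LOGS).items():
        print(f"{src:>16} port {dpt:>5} attempts={info['attempts']:<3} {info['verdict']}")
```

The output is a review queue, not a blocklist: a "corroborated" entry is what you would contribute back to the shared database together with your log evidence, a "review" entry is what an analyst looks at first, and "own-space" entries never leave the building.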
