[Dshield] Central Reporting Systems - a comment

Blake McNeill mcneillb at LinkLogger.com
Thu Jul 25 22:51:59 GMT 2002


You are right, John, and while I'm a much bigger supporter of central
reporting systems than most people would ever know, they tend to lag a bit.
Something like thunder after the lightning, where most victims don't live past
the flash to hear the bang.  Code Red was a prime example: by the time it
showed up in a central reporting system, it was too late to really do
anything about preventing yourself from becoming a victim (if you were
vulnerable you were nuked).  Central reporting systems are great for
cleaning up and restoring the net, or perhaps changing your system
configurations to reduce load on your systems if they were not vulnerable in
the first place.  Certainly the other good thing about central reporting
systems is that it gives those who find solutions or fixes a sense of priority
as to what needs to be done and when, or serves as an example to people of how
poorly systems and security are maintained and how vulnerable we are because
of that.  We have a global security problem, and without central reporting
services we would never really know that (we always suspected it) or be able
to quantify or even really identify what needs to be done.  Central
reporting identified just how big Code Red and Nimda were, which helped jolt
Microsoft into action, for example.

Why do I submit logs to DShield.org?  I hope that my logs and those of
others can be used to notify ISPs and system admins of problems on their
networks such that they can be rectified (I don't really want anyone shot (a
couple of people maybe), I just want systems cleaned up).  I also hope that
by submitting logs to a central site we can see trends or cases of
isolated new attacks or worm testing as a form of advance warning.

Are IDS logs the best information for central reporting systems?  I'd
argue not.  IDSs look for signatures, which implies a limitation to already
known attacks.  I wonder how many people missed Code Red II because of its
slightly different signature, which I'm sure was done on purpose to 'reward'
those that paid attention to details.  A good central reporting system
accepts information from a number of different systems in order to cover the
whole spectrum.  Firewall logs are great for seeing new trends or attacks
that IDS systems might miss, for example, or not even see if they sit behind a
blocking firewall.

This morning I asked some people to look into port 17300 traffic, set up some
honeypots and traps etc., but we missed it.  I was distracted last night
doing some forensics on a system which was brought in to me with another
problem, otherwise I might have asked to have the traps set up last night.  I
didn't see any port 17300 traffic on the 17th, so now I'm really curious as
to what the IP ranges were for the reporting systems on the 17th (do they
all fall within certain netblocks, implying a limited range test?).  Will I get
these answers?  I hope so, but it will take some time, the difference between
the lightning and the thunder, I'm afraid.

Blake


From: "John Hardin" <johnh at aproposretail.com>
>
> Well, isn't the point of having a database to centrally collect all of
> these reports is to have someplace to go to *see* if others are
> experiencing the activity you are?
>
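The post argues that firewall logs, not just IDS signature hits, are where a new scan such as the port 17300 traffic first shows up, and asks whether the sources on a given day cluster into a few netblocks. The script below is an added example of that kind of trend check; it is not Blake's code and not DShield's own processing. It assumes a simplified, constructed log format (date, source IP, destination port, protocol) rather than any real firewall or DShield submission format, counts distinct sources per destination port per day, flags ports whose distinct-source count jumps against the previous day, and summarises the sources of a flagged port by /24 netblock.

```python
"""Flag destination ports whose distinct-source count jumps from one day to the next.

Added example, not part of the original mailing-list post or of DShield's
tooling. The log format is a constructed, simplified firewall summary:
    YYYY-MM-DD src_ip dst_port proto
"""
import ipaddress
from collections import defaultdict

# Constructed sample data, not real DShield submissions: ports 80 and 445 see
# steady background noise, port 17300 has one probe on the 17th and then a
# burst of distinct sources on the 18th.
SAMPLE_LOG = """\
2002-07-16 10.0.0.5 80 tcp
2002-07-16 10.0.0.9 445 tcp
2002-07-16 10.0.1.2 445 tcp
2002-07-17 10.0.0.5 80 tcp
2002-07-17 10.0.2.7 445 tcp
2002-07-17 10.0.3.1 17300 tcp
2002-07-18 10.0.4.1 17300 tcp
2002-07-18 10.0.4.2 17300 tcp
2002-07-18 10.0.4.3 17300 tcp
2002-07-18 10.0.5.9 17300 tcp
2002-07-18 10.0.4.1 17300 tcp
2002-07-18 10.0.0.5 80 tcp
2002-07-18 10.0.2.7 445 tcp
"""


def parse_log(text):
    """Return {day: {port: set(src_ips)}}, skipping malformed lines instead of crashing."""
    days = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        day, src, port, _proto = parts
        if not port.isdigit():
            continue
        days[day][int(port)].add(src)
    return days


def distinct_sources(days):
    """Collapse the per-day sets to {day: {port: number of distinct sources}}.

    Counting distinct sources rather than raw hits stops one noisy host from
    looking like a new trend.
    """
    return {d: {p: len(s) for p, s in ports.items()} for d, ports in days.items()}


def new_trends(counts, min_sources=3, ratio=3.0):
    """Return (day, port, today, yesterday) tuples where distinct sources rise sharply.

    Each day is compared with the previous day present in the data. A port
    with no prior-day traffic is compared against 0, so a brand-new port with
    at least min_sources distinct sources is always reported. The thresholds
    are assumptions for this example, not tuned values.
    """
    flags = []
    ordered = sorted(counts)
    for prev, cur in zip(ordered, ordered[1:]):
        for port, today in counts[cur].items():
            before = counts[prev].get(port, 0)
            if today >= min_sources and today >= ratio * max(before, 1):
                flags.append((cur, port, today, before))
    return flags


def source_netblocks(days, day, port, prefix=24):
    """Sorted list of the /prefix networks the sources of one day/port fall into.

    Answers the 'do they all fall within certain netblocks?' question: a burst
    from one or two /24s looks like a limited-range test, a burst spread across
    many unrelated blocks looks like a worm or a wide scan.
    """
    nets = {
        str(ipaddress.ip_network(f"{src}/{prefix}", strict=False))
        for src in days[day][port]
    }
    return sorted(nets)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    per_day = distinct_sources(parsed)
    for day, port, today, before in new_trends(per_day):
        blocks = source_netblocks(parsed, day, port)
        print(f"{day} port {port}: {today} distinct sources (prev day {before}) "
              f"from {len(blocks)} /24s: {', '.join(blocks)}")
```

Run against the constructed sample, only port 17300 on the 18th is reported (4 distinct sources against 1 the day before), and its sources come from two /24s. On real firewall logs the thresholds and the /24 granularity would need adjusting, and a single day of baseline is a weak comparison; the structure is the point, not the numbers.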
