[Dshield] Possible solution for ISP (was DShield's public goals)

Tom dshield at oitc.com
Fri Jan 13 19:34:51 GMT 2006


Ed,

Although I agree in part, an automated process of capturing data on 
intrusion attempts and analyzing is much less labor intensive than 
responding to human generated reports (which have their own issues of 
false positives and axes to grind). Less labor could mean a high 
probability of doing something and the entire process could be highly 
automated.

Tom

At 11:09 AM -0600 1/13/06, ed.truitt at etee2k.net wrote:
>Yes, good analysis could separate true "intrusion attempts" from the "false
>positives".  However, if the ISPs don't even have the resources to respond to
>human-generated abuse complaints (which is one of the reasons I no longer send
>them out, except to specific places), why do you think they will take the time
>/ effort to do due diligence here?  I am willing to bet they will simply
>implement a process which says "if the list says the guy is bad, then block
>him, and leave him blocked" -- or else they will ignore the whole thing (sort
>of like they do now.)
>
>-EdT.
>
>Quoting Tom <dshield at oitc.com>:
>
>>Not if they apply good statistical analysis to the data.  They data
>>really contains no "false positives" only false implication of
>>intent. The fact that there was a connection/connection
>>attempt/probes/etc on a port is a fact. Determining that it was not
>>done by mistake (such as a browser user typing http://domian.com:7990
>>instead of of http://domain.com:8080 due to typos) is a separate
>>issue.  Good statistical analysis of the raw data can allow a network
>>owner to find the bad and find those users that are never practicing
>>safe computing and constantly being reinfected and causing problems
>>from the typos and one off port scans.


-- 

Tom Shaw - Chief Engineer, OITC
<tshaw at oitc.com>, http://www.oitc.com/
US Phone Numbers: 321-984-3714, 321-729-6258(fax), 
321-258-2475(cell/voice mail,pager)
Text Paging: http://www.oitc.com/Pager/sendmessage.html
AIM/iChat: trshaw at mac.com
skype: trshaw


More information about the list mailing list