nanog mailing list archives
Re: Security Intelligence [Was: Re: Netblock reassigned from Chile to US ISP...]
From: Seth Mattinen <sethm () rollernet us>
Date: Fri, 19 Dec 2008 23:49:03 -0800
Luke S Crawford wrote:
> Randy Bush <randy () psg com> writes:
>
> speaking as a small provider, I can tell you that I find running snort against my inbound traffic does reduce the cost of running an abuse desk. I do catch offenders before I get abuse@ complaints, sometimes.
>
> unfortunately snort does not really scale to a larger provider. and, to the best of my poor knowledge, good open source tools to black-hole/redirect botted users are not generally available. universities have some that are good at campus and enterprise scale.
>
> I can't speak to the scaling of snort (I only eat around 20Mbps, and snort on a 256Mb Xen VM handles it just fine) but I'm not sure what you are getting at with regards to open-source tools to blackhole or redirect botted users. I mean, we've all got hooks in our billing system (or some other procedure) to manually disable abusive (or non-paying) customers now, right? I guess I'm not seeing how it is any harder to have a script watching snort disable the customer than it is to have freeside disable the customer when they don't pay their bill.
I suppose it could lead to huge amounts of anger from an existing customer base if automatic cutoffs started showing up one day out of the blue (to their perspective). I automatically disable various things for a whole slew of reasons - but I've been doing it since day one and everyone is aware of it and expects it. Or slowly phase them in with warnings leading up to automated action.
Repetitive, boring tasks are great for computers. I've only ever had one customer (a local advertising agency, who is no longer a customer) cry over automation because they thought they had a "special treatment" clause and didn't need to pay. It sent them warnings, of course, but they thought those didn't apply to them either. Automation isn't for everyone.
I like automation. It has rules and follows them. The rules are posted ahead of time for all to see. Most of the time people are happy to see the automated system put a stop to some kind of potential disaster before it has time to cause more damage. It's like your credit card company calling you because suddenly there's abnormal charges on your card.
~Seth
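The "script watching snort" idea and the warnings-before-cutoff phase-in discussed in this message can be sketched as follows. This is an added example, not code from anyone in the thread; it assumes Snort's `alert_fast` log format, and the customer table, thresholds, function names and sample lines are all constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed customer allocations (documentation address space).
CUSTOMERS = {
    "cust-1001": ipaddress.ip_network("192.0.2.0/28"),
    "cust-1002": ipaddress.ip_network("192.0.2.16/28"),
}
WARN_AT, DISABLE_AT = 2, 4  # hypothetical thresholds, published to customers

# Matches the alert_fast line: [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<sid>\d+:\d+:\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)"
)

# Constructed sample alerts, including an inbound alert and a junk line.
PFX = "12/19-23:10:0%d.000000  [**] [1:1000001:1] CONSTRUCTED smtp burst [**] [Priority: 2] {TCP} "
SAMPLE = [PFX % i + "192.0.2.5:40000 -> 198.51.100.25:25" for i in range(4)]
SAMPLE.append(PFX % 5 + "192.0.2.20:40001 -> 198.51.100.25:25")
SAMPLE.append(PFX % 6 + "203.0.113.9:55555 -> 192.0.2.5:22")  # source is not a customer
SAMPLE.append("snort: log rotated")  # unparseable lines are skipped

def owner_of(ip):
    """Map a source address to the customer that holds it, or None."""
    addr = ipaddress.ip_address(ip)
    for cust, net in CUSTOMERS.items():
        if addr in net:
            return cust
    return None

def decide(lines, already_warned=frozenset()):
    """Return {customer: action}. A customer is only disabled if warned before."""
    hits = Counter()
    for line in lines:
        m = ALERT_RE.search(line)
        cust = owner_of(m["src"]) if m else None
        if cust:
            hits[cust] += 1
    actions = {}
    for cust, n in hits.items():
        if n >= DISABLE_AT and cust in already_warned:
            actions[cust] = "disable"  # hand off to the billing-system hook
        elif n >= WARN_AT:
            actions[cust] = "warn"     # notify first; no cutoff out of the blue
    return actions
```

`decide()` only returns decisions; calling the billing system's disable hook and persisting the set of warned customers are left to the operator.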