Tuesday, February 06, 2007

ISOI II was very cool

http://isotf.org/isoi2.html

It was a closed gathering of security researchers, ISP reps and LEOs to which I wangled an invite. There was much cool stuff presented, but not much of operational interest. That is, I only took away ideas that would consume about 3 weeks worth of uninterrupted project time (or about 3 years job time). But the social networking was vast. I spoke with a Distinguished Engineer at Comcast, the inventor of the spanning tree protocol (http://research.sun.com/people/mybio.php?uid=28941). Various folks from Spamhaus. Botnet researchers, the Internet Storm Center (isc.sans.org), and on and on. Matt Jonkman of Bleeding Edge Threats (formerly Bleeding Snort), too. So if I have some issues, I have some people to talk to.

Golly, it's fun to be around so many smart people.

The coolest actionable idea for me (very timely, too!) was from a guy at Qwest who turned me on to filtering on TTL < 255 for communication with border routers. The idea is, you are only exchanging BGP data with neighbors. Maybe SNMP and ssh (or, gulp, telnet) from a management station. Set up pass ACLs for the management stuff, and then drop anything else with a TTL under 255. So you KNOW that any traffic directed to your router (not transit traffic, obviously) comes from a neighbor.

They can spoof addresses (hard with TCP, harder with BGP passwords) but they can't spoof the TTL: they can send with an initial TTL of 255, but every router on the path decrements it, so anything that has crossed even one hop arrives below 255. So the only place they can attack from is a neighbor (or an IP address that appears to come from a management station, and that's hard).
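To make the policy concrete, here is an added example (mine, not code from the post or from any router vendor) that models the two-stage check described above: a pass ACL for management traffic evaluated first, then a TTL floor of 255 for everything else addressed to the router itself. The addresses are constructed from the RFC 5737 documentation ranges, and the Packet/after_hops helpers are simplifications of real forwarding; the point is to show why a spoofed "neighbor" packet that has crossed any hop is dropped while a genuinely adjacent BGP peer gets through.

```python
from dataclasses import dataclass, replace

# Constructed topology (RFC 5737 documentation addresses, not real hosts).
ROUTER_IP = "192.0.2.1"          # the border router's own address
MGMT_STATION = "198.51.100.10"   # management station several hops away
BGP_PORT = 179
# Services the management station is allowed to reach: ssh and SNMP.
MGMT_SERVICES = {("tcp", 22), ("udp", 161)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    ttl: int


def after_hops(pkt: Packet, hops: int) -> Packet:
    """Simulate the packet traversing `hops` routers: each one decrements TTL."""
    return replace(pkt, ttl=max(pkt.ttl - hops, 0))


def filter_to_router(pkt: Packet) -> str:
    """Return the action for a packet arriving at the border router.

    Order matters: the management pass ACL comes first, because a legitimate
    management station is not adjacent and its packets arrive with TTL < 255.
    """
    # Transit traffic is not the subject of this policy at all.
    if pkt.dst != ROUTER_IP:
        return "forward"

    # Stage 1: explicit pass ACL for the management station and its services.
    if pkt.src == MGMT_STATION and (pkt.proto, pkt.dport) in MGMT_SERVICES:
        return "permit"

    # Stage 2: everything else addressed to the router must arrive with the
    # original TTL of 255, which only a directly attached neighbor can deliver.
    if pkt.ttl < 255:
        return "drop"
    return "permit"


if __name__ == "__main__":
    peer = Packet("192.0.2.2", ROUTER_IP, "tcp", BGP_PORT, 255)
    print("adjacent BGP peer      :", filter_to_router(peer))                 # permit
    # Same source address, but sent from three hops away: TTL arrives as 252.
    print("spoofed peer, 3 hops   :", filter_to_router(after_hops(peer, 3)))  # drop
    mgmt_ssh = Packet(MGMT_STATION, ROUTER_IP, "tcp", 22, 255)
    print("management ssh, 5 hops :", filter_to_router(after_hops(mgmt_ssh, 5)))  # permit
    mgmt_telnet = replace(mgmt_ssh, dport=23)
    print("management telnet      :", filter_to_router(after_hops(mgmt_telnet, 5)))  # drop
```

The same idea is standardized as the Generalized TTL Security Mechanism (RFC 5082), where the BGP session itself is configured to require a TTL of 255 from the peer; the ACL form in the post covers every protocol aimed at the router, not just BGP.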

It rekindled my enthusiasm for this stuff. I've asked for a legal memo either authorizing or not authorizing deployment of a honeypot/honeynet. If I get the ok, I'll deploy and provide a listening post. You may need such a memo yourself as this can fall under wiretap statutes. It would suck to be prosecuted for violating an attacker's privacy!
