[nsp-sec] DDOS-RS future development
Nick Buraglio
buraglio at illinois.edu
Fri Aug 21 10:47:33 EDT 2009
I agree. Having this broken out via community would make it much more
desirable (for me at least). Having it fed via BGP is far easier to
deal with, especially if we can filter based on BGP communities. The
ability to block the malware stuff in this manner alone is a huge win
for us, in my opinion.

Having to parse a txt file and run programmed goo against it will
allow for far more granularity, flexibility and probably more sanity
checking but it requires an extra step as well as someone to code it
and introduces extra points of failure.

nb

---
Nick Buraglio
Network Engineer, CITES, University of Illinois / ICCN
GPG key 0x2E5B44F4
Phone: 217.244.6428
buraglio at illinois.edu

On Aug 21, 2009, at 7:49 AM, John Fraizer wrote:
> ----------- nsp-security Confidential --------
>
> One feed is all you need to fit them all. Filter based on BGP communities.
> You don't want to block the malware site but you want to block the C&C's?
> Accept NLRI's that have the C&C community string but don't accept the ones
> that have the malware community string.
>
> John
>
>
>
> On Fri, Aug 21, 2009 at 11:22 AM, Alfredo Sola <alfredo at solucionesdinamicas.net> wrote:
>
>> ----------- nsp-security Confidential --------
>>
>> So my suggestion would be, keep a separate feed via BGP that allows
>> operators with trust but no time or inclination for further analysis to use
>> the feed to maximum effect. Make that perhaps a separate one and you may
>> call them the Classic and the Smasher BGP feeds :)
>>
>>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet
> security counter-measures.
> _______________________________________________
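
Added example, not part of the original thread or of any DDOS-RS code: a small model of the community-based import filtering discussed above, showing that term order decides what happens to a route tagged with both communities and that untagged routes fall to a default deny. The community values, prefixes and function names are constructed placeholders (documentation ASN and address ranges), since the thread does not give the feed's real communities.

```python
# Added example: first-match import policy over BGP communities.
# Community values and prefixes are constructed placeholders
# (documentation ASN 64496, documentation address ranges).
from dataclasses import dataclass

CNC = "64496:100"      # hypothetical "C&C" community
MALWARE = "64496:200"  # hypothetical "malware site" community


@dataclass(frozen=True)
class Route:
    prefix: str
    communities: frozenset


def evaluate(route, terms):
    """Return the action of the first term whose community is on the route.

    terms is an ordered list of (community, "accept" | "reject"), evaluated
    top-down like the terms of a router import policy. A route matching no
    term is rejected (default deny), so untagged NLRI are never installed.
    """
    for community, action in terms:
        if community in route.communities:
            return action
    return "reject"


def accepted(feed, terms):
    """Prefixes from the feed that the ordered policy would install."""
    return [r.prefix for r in feed if evaluate(r, terms) == "accept"]


# Constructed sample feed as it might arrive from the route server.
FEED = [
    Route("192.0.2.10/32", frozenset({CNC})),
    Route("198.51.100.7/32", frozenset({MALWARE})),
    Route("203.0.113.5/32", frozenset({CNC, MALWARE})),  # tagged with both
    Route("203.0.113.99/32", frozenset()),               # no community
]

# Same two terms, two orders: only the dual-tagged route changes outcome.
REJECT_FIRST = [(MALWARE, "reject"), (CNC, "accept")]
ACCEPT_FIRST = [(CNC, "accept"), (MALWARE, "reject")]

if __name__ == "__main__":
    print("reject-first:", accepted(FEED, REJECT_FIRST))
    print("accept-first:", accepted(FEED, ACCEPT_FIRST))
```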