[nsp-sec] Question for the team - who would be willing to participate in a "exercise"

Damian Menscher damian at google.com
Sat Oct 28 22:45:59 EDT 2017


I'll get more details on the new effort this week.  I'm just as cynical as
you, but perhaps I can steer them in a useful direction.

As for your exercise, I'm not sure RTBH is the right granularity (targeting
a C2 is useless if it's already told its bots to attack).  What I generally
want is one of (depending on the situation):
  - for a list of 1M attacking IPs, please prevent them from sending
outbound traffic from your networks
  - for a packet characteristic (e.g., a udp/80 packet, or a SYN packet > 512
bytes, etc.), please prevent it from reaching my network
  - (using netflow) trace the source of spoofed traffic and make it stop
(BCP38, ACLing your customer, etc)
  - de-peer a rogue ASN which is conducting BGP hijacks, sending spoofed
attack traffic, etc (including the case where the rogue network is a
well-known major network which is misbehaving and won't respond to
complaints)

Sadly, I highly doubt even this group would provide an effective response
for any of these.

Damian

On Sat, Oct 28, 2017 at 6:00 PM, Barry Greene <bgreene at senki.org> wrote:

> ----------- nsp-security Confidential --------
>
>
> Hi Team,
>
> We have “yet another group who is going to fix the DOS” problem by
> ignoring history and thinking that there is no group doing anything. I was
> thinking of a demonstration to this group to allow an understanding of
> what DOS problems do not need their help. One illustration is where we are
> if we really need to RTBH an IP that is the root of a DOS attack.
>
> The idea is a “virtual” table top exercise. It would be an E-mail that you
> would respond with an “ACK.” For example:
>
> ———
>
> - SITREP - a reflection attack is hitting several WHO sites used for
> pandemic management. At this time, there is an emerging situation in Asia
> with a new strain of flu. We need to get these sites back online. There look
> to be 6 IPs which are the key C&C/Stressors behind these WHO attacks.
>
> - Ask - Please deploy an RTBH for these 6 sites for one hour, then remove.
> That would provide enough time to deploy additional capacity. The source
> ASN for the stressor/C&C may or may not be able to help.
>
> - Ask - Respond with an ACK to the Trust Group when the RTBH is deployed.
> Respond with an ACK to this Trust Group.
>
> ——
>
> We’ll use the test-net IPs for the exercise (just in case someone does not
> think this is an exercise and deploys an RTBH).
>
> Thoughts?
>
> What I would do is compile a report for everyone. In a way, this would
> help the “DOS Peering” effort where Don is one of the instigators. The
> report would show what can be done via E-mail. The DOS Peering would show
> what could be done with some more preparation and automation.
>
> Barry
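Damian's asks (time-limited filtering of a list of addresses) and Barry's proposed drill (RTBH six test-net IPs for one hour, then remove) both come down to the same small piece of tooling on the receiving side: something that turns an e-mailed ask into a time-boxed blackhole plan and, in exercise mode, refuses any address outside the RFC 5737 test-net ranges so a drill can never blackhole a real host. This is an added example, not code from the thread or from nsp-security; the IOS-style null-route syntax is an assumed rendering and the SITREP addresses are constructed.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# RFC 5737 documentation prefixes ("test-net"); a drill request must stay inside them.
TEST_NETS = [ipaddress.ip_network(n) for n in
             ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]


def is_test_net(addr):
    """True if addr falls inside one of the RFC 5737 documentation ranges."""
    return any(addr in net for net in TEST_NETS)


def plan_rtbh(requested, hold_minutes=60, now=None, exercise=True):
    """Turn a list of requested IPs into a time-boxed blackhole plan.

    Returns a dict with:
      routes      - IOS-style static null routes, one per accepted host (assumed syntax)
      issued_at   - when the plan was built
      withdraw_at - when the routes must be removed (the SITREP asks for one hour)
      rejected    - mapping of rejected input -> reason
    In exercise mode anything outside test-net is refused, so a drill e-mail
    cannot cause a real address to be blackholed.
    """
    now = now or datetime.now(timezone.utc)
    accepted, rejected = [], {}
    for item in requested:
        try:
            addr = ipaddress.ip_address(item.strip())
        except ValueError:
            rejected[item] = "not an IPv4/IPv6 address"
            continue
        if exercise and not is_test_net(addr):
            rejected[item] = "outside RFC 5737 test-net (exercise mode)"
            continue
        if addr not in accepted:          # ignore duplicates in the ask
            accepted.append(addr)
    routes = [f"ip route {a} 255.255.255.255 Null0" if a.version == 4
              else f"ipv6 route {a}/128 Null0" for a in accepted]
    return {"routes": routes, "issued_at": now,
            "withdraw_at": now + timedelta(minutes=hold_minutes),
            "rejected": rejected}


if __name__ == "__main__":
    # Constructed SITREP-style ask: six "C&C/stressor" hosts plus two bad entries.
    ask = ["192.0.2.10", "192.0.2.11", "198.51.100.7", "198.51.100.8",
           "203.0.113.99", "203.0.113.100", "10.0.0.5", "bogus"]
    plan = plan_rtbh(ask)
    print("\n".join(plan["routes"]))
    print("withdraw at:", plan["withdraw_at"].isoformat())
    print("rejected:", plan["rejected"])
```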

