[nsp-sec] Question for the team - who would be willing to participate in a "exercise"

Alfredo Sola alfredo at solucionesdinamicas.net
Mon Oct 30 08:07:02 EDT 2017


> We can build up to this list. Start with the real simple, then work up to more complicated response actions.

	I will add to the lists:

- Blackhole IP by region. Useful for many instances where the legitimate traffic is mostly from a region (like a country or group of countries). Also in attacks where if sources within a region or two are blackholed, the services can survive while still providing services to their legitimate users. Initially regions could be as large as continents, and be refined later on to countries.

	I submitted this to Team Cymru’s OTRS (which is a fantastic service BTW).

	Many of these can be transported using RFC5575 so while they are not going to fix DOS, there could be room for some real improvements that folk can actually implement.

	Of course, all of this requires that more network operators actually use the resources that already exist. For example, UTRS has 475 participants, out of almost 60k ASN in the routing table. Which makes the fact that it actually works all the more impressive.

————————————————8<————————————————

 - for a list of 1M attacking IPs, please prevent them from sending outbound traffic from your networks
 - for a packet characteristic (eg, udp/80 packet, or syn packet > 512 bytes, etc), please prevent it from reaching my network
 - (using netflow) trace the source of spoofed traffic and make it stop (BCP38, ACLing your customer, etc)
 - de-peer a rogue ASN which is conducting BGP hijacks, sending spoofed attack traffic, etc (including the case where the rogue network is a well-known major network which is misbehaving and won't respond to complaints)


- SITREP - a reflection attack is hitting several WHO sites used for pandemic management. At this time, there is an emerging situation in Asia with a new strain of flu. We need to get these sites back online. There look to be 6 IPs which are the key C&C/Stressors behind these WHO attacks.
- Ask - Please deploy a RTBH for these 6 sites for one hour, then remove. That would provide enough time to deploy additional capacity. The source ASN for the stressor/C&C may or may not be able to help.
- Ask - Respond with an ACK to the Trust Group when the RTBH is deployed. Respond with an ACK to this Trust Group.

————————————————8<————————————————

-- 
Alfredo Sola
https://www.tecnocratica.net
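The message above says that many of the "packet characteristic" asks (a udp/80 packet, a SYN packet larger than 512 bytes) can be transported with RFC 5575. The following is an added example, not code from the message or from the nsp-sec list, showing how those two characteristics are encoded as BGP Flow Specification NLRI so a receiving router can install the matching filter. The destination prefix 192.0.2.0/24 is documentation space and is assumed for illustration; the byte layout follows RFC 5575 section 4 (component types, numeric and bitmask operator bytes) and the encoder is checked against the port-range example given in that RFC.

```python
"""Encode RFC 5575 (BGP Flow Specification) NLRI for the packet
characteristics requested in the message: "udp/80 packet" and
"syn packet > 512 bytes".  Constructed example; 192.0.2.0/24 is
RFC 5737 documentation space used here as an assumed victim prefix."""
import ipaddress
import struct

# Component types from RFC 5575 section 4
DEST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
TCP_FLAGS, PKT_LEN = 9, 10

# Operator byte bits (RFC 5575 section 4.2): end-of-list, and, lt, gt, eq.
# For the bitmask operator (TCP flags), bit 0 is "m" (match all bits set).
END, AND = 0x80, 0x40
LT, GT, EQ = 0x04, 0x02, 0x01
MATCH = 0x01

TCP_SYN = 0x02
PROTO_TCP, PROTO_UDP = 6, 17


def _value_bytes(value: int) -> bytes:
    """Smallest 1/2/4-byte big-endian encoding of a numeric operand."""
    for size, fmt in ((1, ">B"), (2, ">H"), (4, ">I")):
        if value < (1 << (8 * size)):
            return struct.pack(fmt, value)
    raise ValueError("operand too large for a flowspec component")


def _op_byte(flags: int, value: bytes, last: bool) -> int:
    """Operator byte: flags | operand length code (bits 5-4) | end-of-list."""
    length_code = {1: 0, 2: 1, 4: 2}[len(value)]
    return flags | (length_code << 4) | (END if last else 0)


def prefix_component(ctype: int, prefix: str) -> bytes:
    """Type 1/2 component: type, prefix length, then only the needed bytes."""
    net = ipaddress.IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def numeric_component(ctype: int, terms) -> bytes:
    """terms: list of (flags, value).  Terms are ORed unless AND is set."""
    out = bytes([ctype])
    for i, (flags, value) in enumerate(terms):
        v = _value_bytes(value)
        out += bytes([_op_byte(flags, v, i == len(terms) - 1)]) + v
    return out


def flowspec_nlri(components) -> bytes:
    """Prepend the NLRI length: one byte below 240, else 0xFnnn two-byte form."""
    body = b"".join(components)
    if len(body) < 240:
        return bytes([len(body)]) + body
    return struct.pack(">H", 0xF000 | len(body)) + body


def udp_80_to_prefix(prefix: str) -> bytes:
    """'udp/80 packet' toward prefix: IP proto == 17 and destination port == 80."""
    return flowspec_nlri([
        prefix_component(DEST_PREFIX, prefix),
        numeric_component(IP_PROTO, [(EQ, PROTO_UDP)]),
        numeric_component(DST_PORT, [(EQ, 80)]),
    ])


def large_syn_to_prefix(prefix: str) -> bytes:
    """'syn packet > 512 bytes' toward prefix: proto == 6, SYN set, length > 512."""
    return flowspec_nlri([
        prefix_component(DEST_PREFIX, prefix),
        numeric_component(IP_PROTO, [(EQ, PROTO_TCP)]),
        numeric_component(TCP_FLAGS, [(MATCH, TCP_SYN)]),
        numeric_component(PKT_LEN, [(GT, 512)]),
    ])


if __name__ == "__main__":
    for name, fn in (("udp/80", udp_80_to_prefix), ("syn>512", large_syn_to_prefix)):
        print(f"{name:8s} {fn('192.0.2.0/24').hex()}")
```

The NLRI only describes what to match; the action (discard, rate-limit, redirect) travels as an extended community on the same UPDATE, so an operator honouring the request still decides the action and its duration locally. The encoder's operator handling can be sanity-checked against the port expression from RFC 5575 itself (`{range [137, 139] or 8080}`), which should produce the bytes `04 03 89 45 8b 91 1f 90`.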



