[nsp-sec] Question for the team - who would be willing to participate in a "exercise"
Smith, Donald
Donald.Smith at CenturyLink.com
Tue Oct 31 18:47:45 EDT 2017
My answer would be given such a list, after FP level is validated as being very low, I would notify my customers and assist them with clean up.
I am involved, will be trying to steer them in the right direction, they have many of the ideas we have all been working on for years.
Customer notification, URTS, trust lists such as nsp-sec, ops-trust, bcp38/84, ddos peering, ... so it is mostly a compilation of previous work (hey know anyone that pioneered DBHFing Chris :)
They of course don't have all the players but I know most of them and you would too.
if (initial_ttl!=255) then (rfc5082_compliant==0)
Donald.Smith at centurylink.com
________________________________________
From: Chris Morrow [morrowc at ops-netman.net]
Sent: Tuesday, October 31, 2017 2:36 PM
To: Smith, Donald
Cc: Alfredo Sola; Barry Greene; Nsp-Security List
Subject: Re: [nsp-sec] Question for the team - who would be willing to participate in a "exercise"
On Tue, 31 Oct 2017 15:56:58 -0400,
"Smith, Donald" <Donald.Smith at CenturyLink.com> wrote:
>
> ----------- nsp-security Confidential --------
> > ――――――――――――――――8<――――――――――――――――
> >
> > - for a list of 1M attacking IPs, please prevent them from sending outbound traffic from your networks
> No, unsupported by many of the routers.
>
actually... the question to ask is: "Given a list of 1M bots, how
would you block them in your network?"
Your answer MIGHT be: "no way, sorry"
or: "I split the list across my edge based on netflow data
collection / analysis"
or: "I put that in iptables on the host being attacked"
or: <something else clever>
The point shouldn't be a proscriptive: "hey, put this on your flarb
and bleep it north", it should be: "here's a problem that generally
seems normal to see for this sort of scenario, how do you react?"
I think GENERALLY the problem the people starting this (that Barry is
reacting to) have is: "they are completely unfocused, they have no idea
how any of this works, and they have no idea what problem they are trying
to actually solve"
It seemed to me this was a case of: "Hey, the gov't is willing to fund
us to 'research' a 'policy paper' (or something) so why not go earn a
few million bones?"
I wasn't (and am still not) willing to help them unless they can
really get direction and concrete goals.
-chris