ICANN Email List Archives

[gnso-ff-pdp-may08]



Re: [gnso-ff-pdp-may08] Definition V4.2: concern about "consumer-grade"

  • To: Joe St Sauver <joe@xxxxxxxxxxxxxxxxxx>, "ebw@xxxxxxxxxxxxxxxxxxxx" <ebw@xxxxxxxxxxxxxxxxxxxx>
  • Subject: Re: [gnso-ff-pdp-may08] Definition V4.2: concern about "consumer-grade"
  • From: Dave Piscitello <dave.piscitello@xxxxxxxxx>
  • Date: Fri, 1 Aug 2008 09:57:36 -0700

Joe's hit the mark here, squarely.

I harp on this and will apologize, but please remember that the bigger picture 
is to use multiple markers and anomalous behaviors to characterize malicious 
activity. Few good anomaly detection methods weigh a behavior as appropriate 
or abusive based on a single metric. We need to stay focused on the big picture.

If data exist to support the premise that "traffic from this ASN has a higher 
than acceptable probability of being malicious" then it makes sense to factor 
this into a decision of "fast flux or not". Moreover, data analysis and an 
associated assessment of an ASN's reputation does not remain static but could 
change over time.


On 8/1/08 12:43 PM, "Joe St Sauver" <joe@xxxxxxxxxxxxxxxxxx> wrote:

Eric mentioned:

#Further, using AS as determinative is vastly less accurate to the root
#problem than using if-MS-then-NO as a gating mechanism, regardless of
#how much corporate chrome there is on the AS and its commercial
#operations. Since I don't think people want to go down the
#if-MS-then-obvious-conclusion path, the AS-is-guilty false equivalent
#should be dismissed.

In general, ASNs do accumulate reputation, just as domains accumulate
reputation, and just as netblocks accumulate reputation. One particularly
notorious example of this from recent years would probably be the "RBN"
case, although there are others.

The real value of ASN-based reputation accumulation, however, is that:

-- there are relatively few ASNs (at least until 4 byte ASNs get
   widely deployed)

-- it is possible to mechanically and scalably map IPs to ASNs

-- if you route a network block, you also have the option of not routing
   all or part of that block (e.g., there is a connection between an
   ASN associated with an activity, and the ability to control that
   activity)

Most ASNs live somewhere on the vast continuum rightward of clean-as-
the-driven-snow and leftward of dirty-as-a-deep-rock-coal-miner-at-
end-of-shift, although there are some AS's that truly do anchor the
extremities of that scale. (Arguably, a trivial example of a
"100% guilty ASN" is one that has been hijacked, for example.)

Regards,

Joe

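The multi-marker approach Dave and Joe describe, as an added Python example that is not part of the thread: a fast-flux verdict built from several bounded markers (low TTL, IP count, ASN spread) plus a time-decaying per-ASN reputation, with a constructed prefix-to-ASN table standing in for the mechanical IP-to-ASN mapping and constructed reputation observations standing in for real data. The marker weights, the verdict threshold and the 30-day half-life are assumptions.

```python
from datetime import datetime
import ipaddress

# Constructed prefix -> ASN table (stand-in for a BGP-derived mapping).
PREFIX_TO_ASN = {
    ipaddress.ip_network("203.0.113.0/24"): 64500,
    ipaddress.ip_network("198.51.100.0/24"): 64501,
    ipaddress.ip_network("192.0.2.0/24"): 64502,
}

# Constructed reputation observations: (asn, fraction_malicious, observed_at).
REP_EVENTS = [
    (64500, 0.9, datetime(2008, 7, 1)),
    (64501, 0.1, datetime(2008, 7, 20)),
]

# Assumed marker weights and verdict threshold; no single weight reaches THRESHOLD,
# so no one metric can decide "fast flux" on its own.
WEIGHTS = {"low_ttl": 0.25, "many_ips": 0.25, "many_asns": 0.2, "asn_reputation": 0.3}
THRESHOLD = 0.6


def ip_to_asn(ip):
    """Map an IP to its ASN; the constructed table has no overlapping prefixes."""
    addr = ipaddress.ip_address(ip)
    return next((asn for net, asn in PREFIX_TO_ASN.items() if addr in net), None)


def asn_reputation(asn, now, events=None, half_life_days=30.0):
    """Weighted mean of observed malicious fractions for one ASN. Each observation's
    weight halves every half_life_days, so newer evidence dominates and the
    reputation drifts as observations accumulate rather than staying static."""
    num = den = 0.0
    for ev_asn, frac, seen in (REP_EVENTS if events is None else events):
        if ev_asn == asn:
            w = 0.5 ** ((now - seen).days / half_life_days)
            num, den = num + w * frac, den + w
    return num / den if den else 0.0


def fast_flux_score(ips, ttl_seconds, now, events=None):
    """Each marker contributes a value in [0, 1]; the score is their weighted sum."""
    asns = [a for a in map(ip_to_asn, ips) if a is not None]
    markers = {
        "low_ttl": 1.0 if ttl_seconds < 300 else 0.0,
        "many_ips": min(len(set(ips)) / 10.0, 1.0),
        "many_asns": min(len(set(asns)) / 5.0, 1.0),
        "asn_reputation": sum(asn_reputation(a, now, events) for a in asns) / len(asns) if asns else 0.0,
    }
    return sum(WEIGHTS[k] * v for k, v in markers.items()), markers


def is_fast_flux(ips, ttl_seconds, now, events=None):
    return fast_flux_score(ips, ttl_seconds, now, events)[0] >= THRESHOLD
```

A single host in a badly reputed ASN with a normal TTL stays below the threshold, while short TTLs, many addresses and several ASNs together with poor reputation cross it.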