Re: [gnso-ff-pdp-may08] Improving network visibility/netflow
- To: Joe St Sauver <joe@xxxxxxxxxxxxxxxxxx>
- Subject: Re: [gnso-ff-pdp-may08] Improving network visibility/netflow
- From: Jose Nazario <jose@xxxxxxxxx>
- Date: Wed, 6 May 2009 11:55:14 -0400 (EDT)
On Wed, 6 May 2009, Joe St Sauver wrote:

"ISPs should be doing netflow/sflow so they have the technical capacity
to identify and investigate botted hosts, such as fast flux network
nodes, on their network."

at a technical level this requires them to know the IPs/ports of the
motherships to do robust flow-based identification. in the absence of that
every random web server on a broadband line looks suspect even though very
few are fluxing.

i do not know if anyone is doing that commercially but a few ISPs do it
internally, quietly. i have been trying to get this into our product for
a while but have been unsuccessful at getting the data as a feed, and i
have not been able to allocate time to get the client system stood up to
monitor their tier0 mothership connections.
-------------------------------------------------------------
jose nazario, ph.d. <jose@xxxxxxxxx>
manager of security research arbor networks
v: (734) 821 1427 http://asert.arbor.net/
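
The point made in the message above, as an added example that is not part of the original post or of any vendor's product: flow records alone flag every customer host serving web traffic, while joining them against a list of mothership IP/port pairs narrows the set. The flow tuple layout, the customer prefix, the mothership list and all addresses are constructed assumptions (RFC 5737 documentation ranges).

```python
import ipaddress
from collections import namedtuple

# One unidirectional flow record, reduced to the fields used here (assumed layout).
Flow = namedtuple("Flow", "src sport dst dport")

# Constructed sample data, not real indicators.
CUSTOMER_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # assumed broadband pool
MOTHERSHIPS = {("203.0.113.10", 8080)}                   # assumed mothership IP/port feed
FLOWS = [
    Flow("198.51.100.7", 40112, "192.0.2.10", 80),    # inbound web hit on customer A
    Flow("192.0.2.10", 51000, "203.0.113.10", 8080),  # customer A connects to mothership
    Flow("198.51.100.9", 40200, "192.0.2.20", 80),    # inbound web hit on customer B
    Flow("192.0.2.20", 51500, "198.51.100.50", 443),  # customer B, ordinary outbound HTTPS
    Flow("192.0.2.30", 52000, "203.0.113.10", 8080),  # customer C, mothership flow, no web service
]

def is_customer(ip, nets=CUSTOMER_NETS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def web_servers(flows, nets=CUSTOMER_NETS, ports=(80, 443)):
    """Customer hosts receiving inbound connections on web ports (flow data only)."""
    return {f.dst for f in flows
            if is_customer(f.dst, nets) and not is_customer(f.src, nets)
            and f.dport in ports}

def mothership_clients(flows, motherships, nets=CUSTOMER_NETS):
    """Customer hosts with a flow to a known mothership IP/port pair."""
    return {f.src for f in flows
            if is_customer(f.src, nets) and (f.dst, f.dport) in motherships}

def flux_candidates(flows, motherships, nets=CUSTOMER_NETS):
    """Hosts that both serve web traffic and connect to a mothership."""
    return web_servers(flows, nets) & mothership_clients(flows, motherships, nets)

if __name__ == "__main__":
    print("web servers on customer lines:", sorted(web_servers(FLOWS)))
    print("with mothership list applied: ", sorted(flux_candidates(FLOWS, MOTHERSHIPS)))
```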