Intrusion Detection Systems mailing list archives
Re: Carrier/ISP Success Stories?
From: Robert Graham <robert_david_graham () yahoo com>
Date: Mon, 24 Jul 2000 10:50:22 -0700 (PDT)
--- Nicholas Brawn <nickbrawn () onetel com> wrote:
Does anyone know of any published "success stories" or "lessons learnt" papers about deploying NIDS at a telco carrier level and/or large ISP? Or alternatively, is anyone willing to share their experiences with the list?
One thing I've noticed at large ISPs is that the IDS will trigger on lots of TRUE positives. For example, it will list lots of failed login attempts because users forget their own passwords or leave the caps-lock key on. We often recommend to ISPs that they set the threshold really high (e.g. 100 failed attempts) so that they find the true password grinders without triggering on users.

Another TRUE positive is the huge amount of remote admin Trojans going around. BackOrifice has pretty much disappeared, but there are a lot of others. In particular, I'm seeing a veritable flood of SubSeven IRC messages being sent. (This is a feature whereby a compromised desktop can be configured to post IP/port/passwd to a specific IRC chatroom.)

One problem for which I'm looking for a solution is finding how to tap into the network in order to see the traffic. With Ethernet, it's easy: simply attach to a span/mirror/monitor port on the switch or use a full-duplex tap for connections between switches. However, lots of ISPs use an ATM fabric for their backbones. I still don't know of any good solutions for tapping into this. Does anybody have any ideas/success-stories?

=====
Robert Graham
Personal: http://www.robertgraham.com
Work: CTO Network ICE
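The high-threshold approach described above, written out as added example code (not from the original thread): failed logins are counted per source inside a sliding time window, and only sources that reach the threshold are reported, so a user retrying a forgotten password a few times never fires while a grinder walking many usernames does. The syslog-style record format and the sample addresses are constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Regex for the constructed syslog-style record format used below (an assumption).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+: "
    r"Failed login for (?P<user>\S+) from (?P<src>[\d.]+)$"
)

def parse_events(log_text, year=2000):
    """Return sorted (timestamp, source, user) tuples for failed-login records."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a failed-login record; ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["user"]))
    events.sort()
    return events

def find_grinders(log_text, threshold=100, window_seconds=3600):
    """Map source -> peak failures in any window, keeping only sources at/above threshold."""
    recent = defaultdict(deque)  # per-source timestamps still inside the current window
    peak = {}
    for ts, src, _user in parse_events(log_text):
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop attempts that fell out of the window
        peak[src] = max(peak.get(src, 0), len(q))
    return {src: n for src, n in peak.items() if n >= threshold}

def _grinder_lines(src, n):
    """Constructed: n failed logins, one per second, each with a different username."""
    return "\n".join(
        f"Jul 24 11:{i // 60:02d}:{i % 60:02d} mail1 popper[5000]: Failed login for user{i} from {src}"
        for i in range(n)
    )

# Constructed sample log: one forgetful user (3 tries), one stray typo, one grinder (120 tries).
SAMPLE_LOG = "\n".join([
    "Jul 24 10:01:02 mail1 popper[4101]: Failed login for bob from 192.0.2.10",
    "Jul 24 10:01:09 mail1 popper[4102]: Failed login for bob from 192.0.2.10",
    "Jul 24 10:01:40 mail1 popper[4103]: Failed login for bob from 192.0.2.10",
    "Jul 24 10:03:31 mail1 popper[4110]: Failed login for alice from 192.0.2.11",
    _grinder_lines("198.51.100.7", 120),
])
```

With the default threshold of 100 only the grinder is reported; lowering it to 3 also reports the forgetful user, which is exactly the noise the high threshold is meant to suppress.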
