Security Intelligence [Was: Re: Netblock reassigned from Chile to US ISP...]

[randy at psg.com (Randy Bush)]

>> be specific, like "if you run X tools the payoff will be Y."
> Yes.  And where is the appropriate form for this?

there must be some operators' list somewhere.

 > it doesn't seem like the sort of thing NANOG is for

yep.  nanog is for whining about it, not doing/saying something actually 
constructive with technical content.

</sarcasm>

> speaking as a small provider, I can tell you that I find running snort
> against my inbound traffic does reduce the cost of running an abuse desk.
> I do catch offenders before I get abuse@ complaints, sometimes.

unfortunately snort does not really scale to a larger provider.  and, to 
the best of my poor knowledge, good open source tools to 
black-hole/redirect botted users are not generally available. 
universities have some that are good at campus and enterprise scale.

cymru and a few security researchers responded privately to my plea for 
solid open source tool sets and refs.  knowing the folk involved, maybe 
we'll see some motion.  patience is a virtue, within limits.

randy