What Countermeasures Really Means (O'ReillyNet)

Here's an O'ReillyNet article looking at the use of active countermeasures in the face of security threats. "One dirty little secret of information security is that corporations have been using 'tiger teams' for years in order to launch highly aggressive counterstrikes against attackers. Why? Because many more corporations get attacked and extorted through computer intrusions than the popular press will ever report."
What Countermeasures Really Means (O'ReillyNet)

Posted Aug 5, 2004 12:04 UTC (Thu) by copsewood (subscriber, #199)

This article is interesting, in the sense that countermeasures against attackers are seen as a graduated response. I have been arguing for some time that an Internet security model based on the idea of making every system akin to the elaborate fortifications of the middle ages is as likely to be unsustainable as the latter security model was. Given the increasing probability that virus infection is a prelude to the compromised machine becoming an advanced base for further automated attack, it seems entirely reasonable for ISPs to request information identifying where such attacks come from within their own networks, investigate reported incidents further, and limit the connections capable of being established by infected machines to disinfection resources only.

Where attack possibilities become cheaper than the cost of maintaining absolute security against these, it becomes cheaper to identify, pursue and neutralise the capacity of the attacker. This will need agreement between ISPs concerning best practices for exchange of information about attackers, so that the communication delays associated with cross-border law enforcement are avoided or minimised.

In practice there is no lack of information identifying attackers - most system logs are full of it. The question is how that information can best be distributed, collected and summarised to ensure that the ISP responsible for the IP addresses from which attacks are being originated or vectored can confidently act upon this.
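The comment above observes that system logs already identify attacking sources and that the open question is how to collect and summarise that information so the responsible ISP can act on it. As an added illustration (not code from the article or the commenter), the following script aggregates failed SSH login attempts per source address and renders a per-source summary of the kind one would attach to an abuse report. The log lines are constructed samples in the style of an sshd auth log, the addresses are documentation ranges, and the reporting threshold is an arbitrary assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of an sshd auth log (not real data).
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Aug  5 11:58:01 gateway sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51822 ssh2
Aug  5 11:58:03 gateway sshd[4023]: Failed password for invalid user test from 203.0.113.7 port 51830 ssh2
Aug  5 11:58:05 gateway sshd[4025]: Failed password for root from 203.0.113.7 port 51841 ssh2
Aug  5 11:59:10 gateway sshd[4030]: Accepted publickey for alice from 198.51.100.20 port 40022 ssh2
Aug  5 12:00:44 gateway sshd[4041]: Failed password for root from 192.0.2.99 port 33001 ssh2
Aug  5 12:01:02 gateway sshd[4044]: Failed password for invalid user oracle from 203.0.113.7 port 51900 ssh2
"""

# Matches only authentication failures; successful logins and other
# sshd messages are deliberately ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failed_logins(text):
    """Return (timestamp, username, source_ip) tuples for each failed login."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append((m.group("ts"), m.group("user"), m.group("ip")))
    return events


def summarise_by_source(events):
    """Aggregate failures per source IP: count, usernames tried, first/last seen.

    Syslog timestamps carry no year, so they are kept as strings and the
    input is assumed to be in chronological order.
    """
    summary = defaultdict(lambda: {"count": 0, "users": set(),
                                   "first": None, "last": None})
    for ts, user, ip in events:
        entry = summary[ip]
        entry["count"] += 1
        entry["users"].add(user)
        if entry["first"] is None:
            entry["first"] = ts
        entry["last"] = ts
    return dict(summary)


def flagged_sources(summary, threshold=3):
    """Sources with at least `threshold` failures (threshold is an assumption)."""
    return sorted(ip for ip, e in summary.items() if e["count"] >= threshold)


def abuse_report(summary, threshold=3):
    """Render a plain-text summary suitable for forwarding to the source's ISP."""
    lines = []
    for ip in flagged_sources(summary, threshold):
        e = summary[ip]
        lines.append(
            f"{ip}: {e['count']} failed SSH logins between {e['first']} and "
            f"{e['last']}; usernames tried: {', '.join(sorted(e['users']))}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    events = parse_failed_logins(SAMPLE_LOG)
    print(abuse_report(summarise_by_source(events)))
```

The report deliberately carries only what the receiving ISP needs to locate the offending customer (source address, time window, volume, accounts targeted); the local hostname and process ids stay out of it. In a real deployment the timestamps would need a year and timezone attached before being sent across organisations.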

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds