June 10, 1999
1-2 pm
3085 ENG II

In attendance:
Jeff Rowe (JR), Jason Schatz (JS), David Klotz (DK), Karl Levitt (KL), Chris Wee (CW) and Erich Morisse (EM)

  1. Revisit the Nearest Neighbor Model
    1. CW: In anticipation of criticisms:
      1. What is the utility of finding the closest router to an attacker? All leafnets have firewalls
        1. DK: This method doesn't address external attacks; only internal ones.
      2. Why not block everywhere?
        1. DK: Don't want to block everywhere adding useless work
      3. What about blocking one connection or connectionless attacks? Not all attacks come through TCP wrappers
        1. DK: The argument is that given that blocking is good, this is one way to do it.
      4. If you have the capability to block the signature of a well-known attack, why not just implement it?
        1. JR: For attacks like port scans, you cannot block ahead of time
        2. DK: Blocking a new attack is quick and effective with this method.
      5. What is the point in installing filters after an attack?
    1. List of strategies
      1. Isolate Attacker
      2. Isolate Target
      3. Block All Paths
      4. Isolate Cheapest Link in Attack Route
      5. Isolate Infected Machines (Worm)
      6. Block Everywhere (Worm)
      7. Strategy to clean up machines after worm contained
    2. Issues
      1. Dealing with a distributed coordinated attacks
        1. Treat attacks individually
      2. Send identical attack packed from two locations
      3. Reverse path poisoning - so routing protocols won't go crazy
      4. How Discovery Coordinator will interface
      5. Ultimate goal - measure against utility function