Hacker News
by Philippe_H 2064 days ago
Hi guys, thanks for all your feedback. (I'm part of the CS team.) I'll try to address a few questions.

1/ You don't have to communicate. If you don't, you get a modern, fast, decoupled fail2ban with many different remediations (instead of just drop) and observability. What you don't get, though, are the IPs spotted by the crowd and curated by us. You don't contribute, you don't get them, fair. If you contribute, only the offending IP / timestamp / scenario triggered are sent back to us to establish what we call a consensus (to avoid false positives and poisoning).

2/ We are super vigilant and sensitive about privacy. We made the architecture and many other crucial points compatible with GDPR (the EU legal framework for personal data handling).

3/ IP sent: we could hash it, but it's very easy to reverse. Maybe use public/private key encryption; quite a good point, I'll tell the team, thanks.

4/ You can contribute scenarios in YAML or data source connectors in Grok. We are not hardcore for or against any language, but Go allows portability (we'll release Windows & macOS binaries) and is container friendly, plus super fast, easy to read and scalable. Ever since we released, tons of proposals were made to port it to a 'real' language; sorry, we are fine with that choice, no intent to change, and no intent to convert anyone either ;)

5/ Herd immunity is what we want to create indeed. We tried to explain the combination of Behavior + Reputation by using an analogy with Waze. It worked, but it is less accurate. I prefer the one with the immune system.

We are available for direct dialogue on Gitter; allow for some delay depending on your time zone, as we are based in France (CEST): https://gitter.im/crowdsec-project/community . We answer in French & English.

Try it, it's free, MIT-licensed and stable: https://github.com/crowdsecurity/crowdsec

Thanks,

Philippe.

3 comments

Is it possible to shed some light on your "curation platform" (is that part open source or documented somewhere)? How does it defend against, say, poisoning attacks from someone who controls a large number of seemingly reputable nodes that don't fall into a single IP block?
Sure. To put it very short, we give every user a trust rank. It varies over time. If you consistently, and for a long while, reported attacks that could be correlated by others and our own botnet, you progress, until you reach trust rank 1. Others are listened to, but need double verification from TR1 and/or our own botnet. We also have a canary list, which contains IPs not to shoot (Google bot, Microsoft update, DNS, etc.), and last but not least, an AI mashing logs to extract larger patterns. With this "consensus" chamber, a weighted vote is cast and the IP is then included in the DB. (We are always on the more conservative side if in doubt.) If you ever feed bad intel, your TR regresses. If you shoot a canary, we'll either presume you are trying to poison or that your scenario is too twitchy. If you feed bad intel, your TR regresses instantly and your voice weighs less in the consensus (actually nothing, in fact). IPs are fresh: they were seen doing crap at most 72h before. Beyond this threshold, we consider them not relevant anymore and wait for a refresh. So if you are only doing "headshots", 0-day style, the system would have a hard time catching you. But if you port/web scan, bruteforce, do credential or CC stuffing, or whatever else, the system catches you quite quickly.
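A toy model of the trust-weighted consensus described in the answer above, written as an added illustration (it is not CrowdSec's code). The trust ranks, the 72h freshness window, the canary list and the "bad intel costs you your vote" rule follow the comment; the numeric weights, the blocking threshold, the reporter names and the sample reports are assumptions made for the example, and the canary and attacker addresses come from the IPv4 documentation ranges.

```python
"""Toy model of a trust-weighted consensus over crowd-sourced IP reports.

Added illustration, not CrowdSec's code. Weights, threshold and sample
data are assumptions; the rules (trust ranks, 72h freshness, canaries,
penalised reporters count for nothing) follow the forum answer.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

FRESHNESS = timedelta(hours=72)          # sightings older than this are ignored
THRESHOLD = 1.0                          # assumed: weight needed to block an IP
WEIGHTS = {1: 1.0, 2: 0.5, 3: 0.25}      # assumed: TR1 alone suffices, lower ranks need corroboration

# Constructed canary list using the TEST-NET-1 documentation range; a real
# list would hold crawlers, update servers, public resolvers and the like.
CANARIES = [ip_network("192.0.2.0/24")]


@dataclass(frozen=True)
class Reporter:
    name: str
    trust_rank: int  # 1 is the most trusted


@dataclass(frozen=True)
class Report:
    reporter: str
    ip: str
    scenario: str
    seen_at: datetime


def is_canary(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in CANARIES)


def consensus(reports, reporters, now, threshold=THRESHOLD):
    """Return (blocked, penalised).

    blocked   maps IP -> accumulated weight of distinct, non-penalised reporters
    penalised is the set of reporters that shot a canary; their votes count zero
    """
    penalised = set()
    votes = defaultdict(dict)  # ip -> {reporter: weight}: one vote per reporter per IP

    for r in reports:
        if now - r.seen_at > FRESHNESS:
            continue                      # stale: wait for a fresh sighting instead
        if is_canary(r.ip):
            penalised.add(r.reporter)     # poisoning attempt or twitchy scenario
            continue
        votes[r.ip][r.reporter] = WEIGHTS[reporters[r.reporter].trust_rank]

    blocked = {}
    for ip, by_reporter in votes.items():
        # One vote per reporter: repeating a report adds no weight, and a
        # penalised reporter contributes nothing at all.
        score = sum(w for name, w in by_reporter.items() if name not in penalised)
        if score >= threshold:
            blocked[ip] = score
    return blocked, penalised


def demote(reporter: Reporter) -> Reporter:
    """Bad intel regresses the trust rank (capped at the lowest rank here)."""
    return Reporter(reporter.name, min(reporter.trust_rank + 1, max(WEIGHTS)))


def sample_run():
    now = datetime(2020, 9, 1, tzinfo=timezone.utc)

    def hours_ago(n):
        return now - timedelta(hours=n)

    reporters = {r.name: r for r in [
        Reporter("alice", 1), Reporter("bob", 2), Reporter("dave", 2),
        Reporter("carol", 3), Reporter("mallory", 3),
    ]}
    # Constructed reports; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
    reports = [
        Report("alice", "198.51.100.7", "ssh-bf", hours_ago(1)),      # TR1 alone reaches the threshold
        Report("bob", "203.0.113.9", "http-scan", hours_ago(5)),      # two TR2 corroborate each other
        Report("dave", "203.0.113.9", "http-scan", hours_ago(6)),
        Report("carol", "203.0.113.40", "ssh-bf", hours_ago(2)),      # a single TR3 is not enough
        Report("mallory", "203.0.113.50", "ssh-bf", hours_ago(1)),    # repeated report, no extra weight
        Report("mallory", "203.0.113.50", "ssh-bf", hours_ago(1)),
        Report("mallory", "203.0.113.50", "ssh-bf", hours_ago(1)),
        Report("mallory", "192.0.2.1", "ssh-bf", hours_ago(1)),       # canary hit: mallory is penalised
        Report("alice", "198.51.100.99", "ssh-bf", hours_ago(120)),   # 5 days old: stale, ignored
    ]
    return consensus(reports, reporters, now)


if __name__ == "__main__":
    blocked, penalised = sample_run()
    print("blocked:", blocked)
    print("penalised:", penalised)
```

The per-reporter deduplication is the part worth copying: without it, one node that repeats a report in a loop could vote an address into the list on its own, which is exactly the poisoning the question asks about.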
How is reversing the hash of an IP easy? Are you saying because there are only 4 billion IPv4s? Hash should be fine for IPv6 still, right?
Well, hashing is (usually) a symmetric function and we are open source, meaning you could recover the key in the code (or intercept it during transfer). I think private/public key is a simpler approach, reusable elsewhere in the code, and it's known to be safe. But I'm not the CTO either; I could be mistaken.
Hashes aren't symmetric and don't use a key.
Here, I found this really useful to understand hashes: https://crackstation.net/hashing-security.htm
(but I think they already send it through HTTPS)
But would you want to only block single IPv6 addresses? Usually whole blocks are assigned, as far as I know? So just hashing a single IPv6 address would probably not work very well.
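Why "we could hash it, but it's very easy to reverse" holds for IPv4, as an added example that is not part of the thread or of CrowdSec: the block hashes an address the way a naive client might, then recovers it by enumerating candidates. The search is limited to one /16 (about 65k hosts) so it runs in well under a second; the full IPv4 space is 2^32 digests, which is hours on a single CPU core and seconds to minutes on a GPU cracker. The keyed variant shows that an HMAC key only helps while it stays secret, which a key shipped inside an open-source client never does. The victim address, the network and the key are constructed for the example.

```python
"""Why hashing an IPv4 address does not hide it.

Added example, not from the thread or from CrowdSec. The address, the
search range and the "leaked" key are constructed for the demonstration.
"""
import hashlib
import hmac
import ipaddress
from typing import Optional


def plain_hash(ip: str) -> str:
    """SHA-256 of the dotted-quad string, as a naive client might send it."""
    return hashlib.sha256(ip.encode()).hexdigest()


def keyed_hash(ip: str, key: bytes) -> str:
    """HMAC-SHA256 of the address; the key is assumed to ship with the client."""
    return hmac.new(key, ip.encode(), "sha256").hexdigest()


def recover(digest: str, network: str, key: Optional[bytes] = None) -> Optional[str]:
    """Enumerate every host in `network` until one hashes to `digest`.

    With key=None this reverses plain_hash; with the client's key it reverses
    keyed_hash just as easily, because the attacker runs the same function.
    """
    for host in ipaddress.ip_network(network).hosts():
        candidate = str(host)
        h = plain_hash(candidate) if key is None else keyed_hash(candidate, key)
        if hmac.compare_digest(h, digest):
            return candidate
    return None


def hours_for_full_ipv4(hashes_per_second: float) -> float:
    """Worst-case time to enumerate all 2^32 IPv4 addresses at a given rate."""
    return 2 ** 32 / hashes_per_second / 3600


if __name__ == "__main__":
    victim = "198.51.100.23"                         # constructed; documentation range
    print(recover(plain_hash(victim), "198.51.0.0/16"))
    leaked_key = b"key-embedded-in-client-binary"    # assumption for the example
    print(recover(keyed_hash(victim, leaked_key), "198.51.0.0/16", leaked_key))
    print(f"{hours_for_full_ipv4(2e6):.2f} hours at 2M SHA-256/s")
```

The IPv6 point above cuts the other way: 2^128 addresses cannot be enumerated, but hashing each address separately also destroys the prefix structure, so the receiving side can no longer tell that two reports came from the same /64 or make a block-level decision, which is the comment's objection in other words.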
Can you shed some light on what the premium offers are going to be?
Sure. People activate the sharing of what they spot, or not. If they do, no money is asked for them to benefit from the global IP rep DB. Those willing to use it without contributing will be able to do so, through API calls, but at a (moderate) cost. We'll have 2 plans, premium & enterprise. There we will provide support, tools for fleet management (like deploying a policy on X/Y/Z servers from a central location), AI (to spot larger trends), cold log analysis (forensics, but harder because of GDPR), tailor-made bouncer responses, bounce back to us, and self IP monitoring (to see if they are caught in a consensus, hence have been hacked). Also, bouncers, the components blocking ingress IPs, are able to work without the Go daemon, by just using the IP rep DB. Think for example of someone willing to protect a group of IoT machines, low CPU, low mem: the API approach is close to costless in terms of resources and allows those machines to be protected without running the daemon.