nanog mailing list archives
Re: "portscans" (was Re: Arbor Networks DoS defense product)
From: Scott Francis <darkuncle () darkuncle net>
Date: Sat, 18 May 2002 20:11:19 -0700
On Sat, May 18, 2002 at 09:43:16PM -0400, sgifford () suspectclass com said: [snip]
network to gather information or run recon if they were not planning on attacking? I'm not saying that you're not right, I'm just saying that so far I have heard no valid non-attack reasons for portscans (other than those run by network admins against their own networks).
Before choosing an online bank, I portscanned the networks of the banks I was considering. It was the only way I could find to get a rough assessment of their network security, which was important to me as a customer for obvious reasons.
In that case, I would not consider the scan to have come from an 'unaffiliated' person. I'm sure if the bank's network operator noticed it, and contacted you, things would have been cleared up with no harm done.
To make it a bit more clear: cases where the scanner can demonstrate a good and benign reason for scanning (they do occasionally exist[1]), no blackhole is required. Sending an email notification prior to putting in a blackhole is a good first step to eliminate potential false positives.
[1] Random strangers unaffiliated with your network will almost never have a valid & benign reason for portscanning you.
I'm not sure if I would have been impressed or annoyed if they had stopped accepting packets from my machine during the scan. :-)
Loss of a customer, probably. :)
--
Scott Francis darkuncle@ [home:] d a r k u n c l e . n e t
Systems/Network Manager sfrancis@ [work:] t o n o s . c o m
GPG public key 0xCB33CCA7
illum oportet crescere me autem minui