nanog mailing list archives

Re: "portscans" (was Re: Arbor Networks DoS defense product)


From: woods () weird com (Greg A. Woods)
Date: Sun, 19 May 2002 18:03:02 -0400 (EDT)


[ On Sunday, May 19, 2002 at 17:45:36 (-0400), Benjamin P. Grubin wrote: ]
Subject: RE: Re[8]: "portscans" (was Re: Arbor Networks DoS defense product)

If you separate the pointless argument about the hostility of portscans
and the viability of a distributed landmine system, this may turn out to
be a useful discussion in the end.  I mean--we all know portscans are
hardly the ideal trigger anyhow.  On top of the potential ambiguity of
their intention, they are also difficult to reliably detect.

The distributed landmine tied to subscription blackhole à la RBL may very
well have significant positive attributes that are being drowned out due
to the portscan debate.  Obviously the vast majority in the spam world
think RBL and/or ORBS have merit, despite the vocal complaints.  Why not
discuss viable alternative trigger methods instead of whining about
portscans?

Well, there is still the issue of discovering the intent of a scan,
regardless of how many landmines have to be triggered before a
blackhole listing is put in place.

Such technology is very dangerous if automated.  Anyone with sufficient
intelligence to find enough of the landmine systems could probably also
figure out how to trigger them in such a way as to DoS any random host
or network at will (assuming enough networks to matter used the listing
service in real time).  Unless there's also a sure-fire automated way of
quickly revoking such a black list entry, as well as a free
white-listing service, the consequences are far too dire to earn my
support.

On the other hand SMTP open relay blackholes are easy to prove and
usually easy enough to fix and get de-listed from.  Even the Spamcop
realtime DNS list "bl.spamcop.net" is pretty hard to trick, and of
course it's not really widely enough used that getting listed there is
all that disruptive (apparently, since listed sites keep sending spam
with no apparent degradation in their throughput).

-- 
                                                                Greg A. Woods

+1 416 218-0098;  <gwoods () acm org>;  <g.a.woods () ieee org>;  <woods () robohack ca>
Planix, Inc. <woods () planix com>; VE3TCP; Secrets of the Weird <woods () weird com>
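As an added example (not part of the thread or of any product discussed in it), a toy model of the listing policy the post asks for: a source is listed only when several independent landmine sensors report it within a short window, listings expire on their own without operator action, and a whitelist overrides the sensors. Sensor names and the RFC 5737 documentation addresses are constructed.

```python
from collections import defaultdict


class LandmineBlackhole:
    """Constructed model of an RBL-style list fed by distributed landmines.

    Safeguards: corroboration from several sensors, automatic expiry (the
    'sure-fire automated way of quickly revoking' an entry) and a whitelist.
    """

    def __init__(self, min_sensors=3, window=300, ttl=3600, whitelist=()):
        self.min_sensors = min_sensors    # distinct sensors needed to list
        self.window = window              # seconds in which reports must cluster
        self.ttl = ttl                    # seconds a listing lives without new reports
        self.whitelist = set(whitelist)   # never listed, whatever sensors say
        self.reports = defaultdict(dict)  # src -> {sensor_id: last report time}
        self.listed_at = {}               # src -> time of last (re)listing

    def report(self, sensor_id, src, now):
        """A sensor reports that `src` touched a landmine at time `now`.

        Returns True if this report caused (or refreshed) a listing.
        """
        if src in self.whitelist:
            return False
        seen = self.reports[src]
        seen[sensor_id] = now  # one sensor counts once, however often it fires
        recent = [t for t in seen.values() if now - t <= self.window]
        if len(recent) >= self.min_sensors:
            self.listed_at[src] = now
            return True
        return False

    def is_listed(self, src, now):
        """Listings decay by themselves; no human de-listing step required."""
        t = self.listed_at.get(src)
        if t is None:
            return False
        if now - t > self.ttl:
            del self.listed_at[src]
            return False
        return True
```

A single sensor, or a burst of reports that all arrive at one sensor, cannot list a host alone, and anything that does get listed drops off again after the TTL unless fresh corroborated reports keep arriving.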

