nanog mailing list archives
Re: "portscans" (was Re: Arbor Networks DoS defense product)
From: woods () weird com (Greg A. Woods)
Date: Sun, 19 May 2002 18:03:02 -0400 (EDT)
[ On Sunday, May 19, 2002 at 17:45:36 (-0400), Benjamin P. Grubin wrote: ]
Subject: RE: Re[8]: "portscans" (was Re: Arbor Networks DoS defense product)

> If you separate the pointless argument about the hostility of portscans and the viability of a distributed landmine system, this may turn out to be a useful discussion in the end. I mean--we all know portscans are hardly the ideal trigger anyhow. On top of the potential ambiguity of their intention, they are also difficult to reliably detect. The distributed landmine tied to subscription blackhole ala RBL may very well have significant positive attributes that are being drowned out due to the portscan debate. Obviously the vast majority in the spam world think RBL and/or ORBS have merit, despite the vocal complaints. Why not discuss viable alternative trigger methods instead of whining about portscans?

Well, there is still the issue of discovering the intent of a scan, regardless of how many landmines have to be triggered before a blackhole listing is put in place. Such technology is very dangerous if automated. Anyone with sufficient intelligence to find enough of the landmine systems could probably also figure out how to trigger them in such a way as to DoS any random host or network at will (assuming enough networks to matter used the listing service in real time).

Unless there's also a sure-fire automated way of quickly revoking such a black list entry, as well as a free white-listing service, the consequences are far too dire to earn my support.

On the other hand SMTP open relay blackholes are easy to prove and usually easy enough to fix and get de-listed from. Even the Spamcop realtime DNS list "bl.spamcop.net" is pretty hard to trick, and of course it's not really widely enough used that getting listed there is all that disruptive (apparently, since listed sites keep sending spam with no apparent degradation in their throughput).

--
Greg A. Woods
+1 416 218-0098; <gwoods () acm org>; <g.a.woods () ieee org>; <woods () robohack ca>
Planix, Inc. <woods () planix com>; VE3TCP; Secrets of the Weird <woods () weird com>
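The safeguards the message asks for (a trigger threshold, automatic revocation, and a white list), sketched as an added example that is not part of the original post or of any product named in the thread. The class name, parameters and documentation-range addresses are assumptions constructed for illustration; the sketch does not determine the intent of a hit.

```python
import ipaddress
from collections import defaultdict

class LandmineBlocklist:
    """Hypothetical aggregator turning landmine sensor hits into listings."""

    def __init__(self, min_sensors=3, window=600, ttl=3600, allowlist=()):
        self.min_sensors = min_sensors  # distinct sensors needed to list
        self.window = window            # seconds within which hits must fall
        self.ttl = ttl                  # listing lifetime; expiry revokes it
        self.allow = [ipaddress.ip_network(n) for n in allowlist]
        self.hits = defaultdict(dict)   # source -> {sensor: last hit time}
        self.listed = {}                # source -> expiry time

    def _allowed(self, src):
        return any(src in net for net in self.allow)

    def report(self, sensor, source, now):
        """Record one hit; return True if the source is listed afterwards."""
        src = ipaddress.ip_address(source)
        if self._allowed(src):
            return False                # white-listed hosts are never listed
        seen = self.hits[src]
        seen[sensor] = now              # repeat hits on one sensor count once
        for s in [s for s, t in seen.items() if now - t > self.window]:
            del seen[s]                 # forget hits older than the window
        if len(seen) >= self.min_sensors:
            self.listed[src] = now + self.ttl
        return self.is_listed(source, now)

    def is_listed(self, source, now):
        src = ipaddress.ip_address(source)
        expiry = self.listed.get(src)
        if expiry is None or self._allowed(src):
            return False
        if now >= expiry:               # automatic revocation on expiry
            del self.listed[src]
            return False
        return True

    def revoke(self, source):
        """Manual de-listing; returns True if an entry was removed."""
        src = ipaddress.ip_address(source)
        self.hits.pop(src, None)
        return self.listed.pop(src, None) is not None

if __name__ == "__main__":
    bl = LandmineBlocklist(min_sensors=2, allowlist=["192.0.2.0/24"])
    for sensor in ("s1", "s2"):         # constructed sample hits
        print(sensor, bl.report(sensor, "198.51.100.7", now=0),
              bl.report(sensor, "192.0.2.53", now=0))
```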