nanog mailing list archives
Re: Portscans/PROXY scans
From: Paul Vixie <vixie () vix com>
Date: 03 Nov 2003 05:07:33 +0000
trelane () trelane net (Andrew D Kirch) writes:
There are however legitimate reasons for a portscan, responding to incoming abuse and attack being one of them, automatically searching for openrealys used to send you spam is another. Curtailing scanning shouldn't be a priority here, nailing packet kids, spammers etc should be. Sadly both of these groups don't seem to be going to jail in droves.
here's the way it works out. if a network is paying attention to complaints then it will shut down wormridden customer hosts based on some combination of complaints and observations, and there will be fewer legitimate port scans which if the network notices them they'll assume they're legitimate. if however a network is not paying attention to complaints then it will very likely become alarmed by their IDS when legitimate port scans come through, and then they'll (surprise!) call and complain about it. funny assymetry. anyway, when they call, and they learn that it was a legit port scan, then they can learn of the need to shut down wormridden customer hosts. so no matter what, it's good to listen to complaints, and good to complain. -- Paul Vixie
Current thread:
- Portscans/PROXY scans John_York (Nov 01)
- Re: Portscans/PROXY scans Sean Donelan (Nov 01)
- Re: Portscans/PROXY scans Suresh Ramasubramanian (Nov 01)
- Re: Portscans/PROXY scans Paul Vixie (Nov 01)
- Re: Portscans/PROXY scans Andrew D Kirch (Nov 02)
- Re: Portscans/PROXY scans Matthew Sullivan (Nov 02)
- Re: Portscans/PROXY scans Paul Vixie (Nov 02)
- The Internet's Immune System Christopher X. Candreva (Nov 12)
- Re: The Internet's Immune System David A. Ulevitch (Nov 12)
- Re: The Internet's Immune System Christopher X. Candreva (Nov 12)
- Re: Portscans/PROXY scans Suresh Ramasubramanian (Nov 01)
- Re: The Internet's Immune System Bryan Bradsby (Nov 12)
- Re: Portscans/PROXY scans Sean Donelan (Nov 01)
- <Possible follow-ups>
- RE: Portscans/PROXY scans John_York (Nov 01)