nanog mailing list archives

Re: Portscans/PROXY scans


From: Paul Vixie <vixie () vix com>
Date: 03 Nov 2003 05:07:33 +0000


trelane () trelane net (Andrew D Kirch) writes:

> There are however legitimate reasons for a portscan, responding to
> incoming abuse and attack being one of them, automatically searching for
> open relays used to send you spam is another.  Curtailing scanning
> shouldn't be a priority here, nailing packet kids, spammers etc should
> be.  Sadly both of these groups don't seem to be going to jail in droves.

here's the way it works out.  if a network is paying attention to complaints
then it will shut down wormridden customer hosts based on some combination of
complaints and observations, and there will be fewer legitimate port scans
which if the network notices them they'll assume they're legitimate.

if however a network is not paying attention to complaints then it will very
likely become alarmed by their IDS when legitimate port scans come through,
and then they'll (surprise!) call and complain about it.  funny asymmetry.
anyway, when they call, and they learn that it was a legit port scan, then
they can learn of the need to shut down wormridden customer hosts.

so no matter what, it's good to listen to complaints, and good to complain.
-- 
Paul Vixie

