nanog mailing list archives

Re: Arbor Networks DoS defense product


From: PJ <briareos () otherlands net>
Date: Wed, 15 May 2002 17:48:06 -0700


On Wed, 15 May 2002, Dan Hollis wrote:

> On Wed, 15 May 2002, PJ wrote:
>> On Wed, 15 May 2002, Dan Hollis wrote:
>>> We are not landmining for DOSing.
>>> We are landmining to make it very dangerous for attackers to scan networks
>>> and probe hosts.
>> Are you now operating under the premise that scans != anything but the
>> prelude to an attack?  Sorry if I missed it earlier in the thread, but
>> I would hate to think any legitimate scanning of a network or host
>> would result in a false positive.  Even more, I would hate to see the
>> advocation of a hostile reaction to what, so far, is not considered a
>> crime.
>
> It would take more than a single landmine hit to get blackholed. Like, duh.

Forgive me for daring to ask a question.  How many imply bad intent in
general practice?  4?  5? 10?  Any time limitations?  I am sure they
are, but I am just curious.  Would the paranoid timing setting in nmap
trigger it?

> Enough hits on a wide sensor net prove bad intentions, as proven by dshield.

"Prove?"  What exactly is enough hits?  Is it dependent on the size of
the network?  Again, what about the timing factor?  All that will
happen is anyone with hostile intent will start breaking up networks
into smaller chunks to be scanned from different hosts.  I don't see
it solving the so-called problem of scanning.

> I'm surprised at the extremely shallow level of arguments so far against
> landmines.

I am surprised at the extremely shallow level of thinking that seeks to
shift the burden of security maintenance off of the shoulders of those
who should be responsible.  Would you block just a host or a network?
What about dynamic ips?  It doesn't take much bandwidth to probe.
Blackhole enough of the net and you effectively serve the purpose of
DOSing yourself.

PJ

-- 
A diplomat is a man who always remembers a woman's birthday but never her age.
                -- Robert Frost

