RE: Re[8]: "portscans" (was Re: Arbor Networks DoS defense product)

["Benjamin P. Grubin" <bgrubin () pobox com>]

If you separate the pointless argument about the hostility of portscans
and the viability of a distributed landmine system, this may turn out to
be a useful discussion in the end.  I mean--we all know portscans are
hardly the ideal trigger anyhow.  On top of the potential ambiguity of
their intention, they are also difficult to reliably detect.  

The distributed landmine tied to subscription blackhole ala RBL may very
well have significant positive attributes that are being drowned out due
to the portscan debate.  Obviously the vast majority in the spam world
think RBL and/or ORBS have merit, despite the vocal complaints.  Why not
discuss viable alternative trigger methods instead of whining about
portscans?

Cheers,
Benjamin P. Grubin, CISSP, GIAC

> -----Original Message-----
> From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On 
> Behalf Of Greg A. Woods
> Sent: Sunday, May 19, 2002 4:48 PM
> To: North America Network Operators Group Mailing List
> Subject: Re: Re[8]: "portscans" (was Re: Arbor Networks DoS 
> defense product)
>
>
>
> [ On Sunday, May 19, 2002 at 14:14:18 (-0400), Allan Liska wrote: ]
> > Subject: Re[8]: "portscans" (was Re: Arbor Networks DoS 
> defense product)
> > However, if the same
> > network is continuously portscanning your network that 
> network should
> > be stopped.
>
> Unless you're also a tier-1 kind of provider you don't usually get to
> control the AUP for other networks unrelated to your own.
>
> How do you propose to resolve a fundamental conflict between your own
> users need to access the content on a network that also happens to be
> regularly scanning your network?  Unless real damage is done you
> probably don't even have any recourse under the law, even if you do
> happen to be in the same jurisdiction (and heaven help us should any
> such recourse ever become possible in the free world!).
>
> Unless you expect to be vulnerable to attack and thus really need to
> have a record of past scans in case they can be used in evidence; or
> maybe unless you're doing research into scanning activities; even
> keeping long-term logs of all scans becomes more of a burden than it's
> worth.
>
> "You will be scanned.  Resistance is futile!"  I.e. get over it!  ;-)
>
> (Actually, that's not as bad of an analogy -- look at how active scans
> are handled in science fiction, such as in Star Trek.  
> Sometimes they're
> treated as hostile, sometimes not.  Scans aren't just used to target
> weapons -- they're also used to detect life signs on rescue missions!
> Certainly unless the captain is scared witless he or she has 
> never held
> back on doing an active scan when information is needed, and 
> when he or
> she is scared of detection a variety of "stealth scans" are 
> often still
> attempted.)
>
> -- 
>                                                               
> Greg A. Woods
>
> +1 416 218-0098;  <gwoods () acm org>;  <g.a.woods () ieee org>;  
> <woods () robohack ca>
> Planix, Inc. <woods () planix com>; VE3TCP; Secrets of the Weird 
> <woods () weird com>