nanog mailing list archives
RE: Re[8]: "portscans" (was Re: Arbor Networks DoS defense product)
From: "Benjamin P. Grubin" <bgrubin () pobox com>
Date: Sun, 19 May 2002 17:45:36 -0400
If you separate the pointless argument about the hostility of portscans and the viability of a distributed landmine system, this may turn out to be a useful discussion in the end.

I mean--we all know portscans are hardly the ideal trigger anyhow. On top of the potential ambiguity of their intention, they are also difficult to reliably detect. The distributed landmine tied to subscription blackhole ala RBL may very well have significant positive attributes that are being drowned out due to the portscan debate. Obviously the vast majority in the spam world think RBL and/or ORBS have merit, despite the vocal complaints.

Why not discuss viable alternative trigger methods instead of whining about portscans?

Cheers,
Benjamin P. Grubin, CISSP, GIAC

-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of Greg A. Woods
Sent: Sunday, May 19, 2002 4:48 PM
To: North America Network Operators Group Mailing List
Subject: Re: Re[8]: "portscans" (was Re: Arbor Networks DoS defense product)

[ On Sunday, May 19, 2002 at 14:14:18 (-0400), Allan Liska wrote: ]
Subject: Re[8]: "portscans" (was Re: Arbor Networks DoS defense product)

> However, if the same network is continuously portscanning your network that
> network should be stopped.

Unless you're also a tier-1 kind of provider you don't usually get to control the AUP for other networks unrelated to your own.

How do you propose to resolve a fundamental conflict between your own users' need to access the content on a network that also happens to be regularly scanning your network?

Unless real damage is done you probably don't even have any recourse under the law, even if you do happen to be in the same jurisdiction (and heaven help us should any such recourse ever become possible in the free world!).

Unless you expect to be vulnerable to attack and thus really need to have a record of past scans in case they can be used in evidence; or maybe unless you're doing research into scanning activities; even keeping long-term logs of all scans becomes more of a burden than it's worth.

"You will be scanned. Resistance is futile!" I.e. get over it! ;-)

(Actually, that's not as bad of an analogy -- look at how active scans are handled in science fiction, such as in Star Trek. Sometimes they're treated as hostile, sometimes not. Scans aren't just used to target weapons -- they're also used to detect life signs on rescue missions! Certainly unless the captain is scared witless he or she has never held back on doing an active scan when information is needed, and when he or she is scared of detection a variety of "stealth scans" are often still attempted.)

--
Greg A. Woods

+1 416 218-0098; <gwoods () acm org>; <g.a.woods () ieee org>; <woods () robohack ca>
Planix, Inc. <woods () planix com>; VE3TCP; Secrets of the Weird <woods () weird com>