nanog mailing list archives
Re[8]: "portscans" (was Re: Arbor Networks DoS defense product)
From: Allan Liska <allan () allan org>
Date: Sun, 19 May 2002 14:14:18 -0400
Hello Ralph, Sunday, May 19, 2002, 12:13:35 PM, you wrote:
RD> I think that's pretty stupid. If I had my network admin investigate every RD> portscan, my staff costs would go up 10x and I'd quickly go bankrupt. RD> Instead we keep our servers very secure, and spend the time and effort RD> only when there is evidence of a break in. I didn't say investigate every portscan, I said assume every portscan is hostile. There is a big difference.
RD> So you assume it's hostile and do what? Automatically block the source RD> IP? If you do that then you open up a bigger DOS hole. Then if someone RD> sends a bunch of SYN scans with the source address spoofed as your RD> upstream transit providers' BGP peering IP, poof! you're gone. You do the same thing you do with any attack: Log the information and take appropriate action. If you are constantly getting scanned from one netblock, you should be aware of that, the only way to be aware of it is to keep a record of all port scans. A portscan may be innocent, though I agree with those who have said previously that most posrtscans are not innocent, in which case it gets filed away into a database and forgotten. However, if the same network is continuously portscanning your network that network should be stopped. This whole process can be automated, so that it does not involve manual intervention...but don't you think a good network administrator should know what is happening to their network? And, since there is no way to distinguish an innocent portscan from one that is a precursor to an attack, wouldn't it make sense to keep track of all portscans? allan -- allan allan () allan org http://www.allan.org
Current thread:
- Re: "portscans" (was Re: Arbor Networks DoS defense product), (continued)
- Message not available
- Re: "portscans" (was Re: Arbor Networks DoS defense product) Scott Francis (May 18)
- Re: "portscans" (was Re: Arbor Networks DoS defense product) Ralph Doncaster (May 18)
- Re[2]: "portscans" (was Re: Arbor Networks DoS defense product) Allan Liska (May 18)
- Re: Re[2]: "portscans" (was Re: Arbor Networks DoS defense product) E.B. Dreger (May 18)
- Re: Re[2]: "portscans" (was Re: Arbor Networks DoS defense product) Ralph Doncaster (May 19)
- Re: Re[2]: "portscans" (was Re: Arbor Networks DoS defense product) up (May 19)
- Re[4]: "portscans" (was Re: Arbor Networks DoS defense product) Allan Liska (May 19)
- Re: Re[4]: "portscans" (was Re: Arbor Networks DoS defense product) Ralph Doncaster (May 19)
- Re[6]: "portscans" (was Re: Arbor Networks DoS defense product) Allan Liska (May 19)
- Re: Re[6]: "portscans" (was Re: Arbor Networks DoS defense product) Ralph Doncaster (May 19)
- Re[8]: "portscans" (was Re: Arbor Networks DoS defense product) Allan Liska (May 19)
- Re: Re[8]: "portscans" (was Re: Arbor Networks DoS defense product) Greg A. Woods (May 19)
- RE: Re[8]: "portscans" (was Re: Arbor Networks DoS defense product) Benjamin P. Grubin (May 19)
- Re: "portscans" (was Re: Arbor Networks DoS defense product) Greg A. Woods (May 19)
- Re: "portscans" (was Re: Arbor Networks DoS defense product) Dan Hollis (May 19)
- Re: "portscans" (was Re: Arbor Networks DoS defense product) Mitch Halmu (May 19)
- Re: "portscans" (was Re: Arbor Networks DoS defense product) Dan Hollis (May 19)
- Re: "portscans" (was Re: Arbor Networks DoS defense product) Mitch Halmu (May 19)
- Re: "portscans" (was Re: Arbor Networks DoS defense product) Mike Lewinski (May 19)
- Re: "portscans" (was Re: Arbor Networks DoS defense product) Scott Francis (May 19)
- Re: "portscans" (was Re: Arbor Networks DoS defense product) Stephen Griffin (May 20)