nanog mailing list archives

Re: "portscans" (was Re: Arbor Networks DoS defense product)


From: "Crist J. Clark" <crist.clark () attbi com>
Date: Mon, 20 May 2002 11:03:25 -0700


Dan Hollis <goemon () anime net> wrote:
> On Sat, 18 May 2002, Scott Francis wrote:
> > On Sat, May 18, 2002 at 11:05:34PM -0400, woods () weird com said:
> > > attacked any host or network that I was not directly responsible for.
> > > If you don't want the public portions of your network mapped then you
> > > should withdraw them from public view.
> > Agreed there. Defense is important. It might be good to note that I'm not
> > giving a blanket condemnation of all portscans at all times; but as a GENERAL
> > RULE, portscans from strangers, especially methodical ones that map out a
> > network, are a precursor to some more unsavory activity.
> 
> And what the critics keep missing is that it will take several landmine 
> hits across the internet to invoke a blackhole. Just scanning a few 
> individual hosts or /24s won't do it.
> 
> There are three aims of the landmine project:
> 
> 1) early warning
> 2) defensive response
> 3) deterrence
> 
> I realize such a project won't be absolutely, positively perfect in every 
> aspect, and it won't satisfy 100% of the people 100% of the time. But 
> that's hardly an excuse to not do it. IMO the positives outweigh the 
> negatives by far.

Not that this neverending thread hasn't been an absolute blast, but I
was thinking maybe if I pointed out that this has been and is already
being done by several commercial and non-commercial groups, we could
put an end to the "landmine" discussion?

For example, see,

  http://isc.incidents.org/top10.html

For a list of naughty hosts and nets. And there are any number of
commercial solutions. For example, I believe SecurityFocus's ARIS does
this kind of thing,

  http://www.securityfocus.com/corporate/products/tmsFAQ.shtml

Pretty much all of the big IS security companies do.

NIDS data from various sites is shipped off to a central database
where the data is crunched, and then the distilled information is
pushed back out. Pretty much the same concept?
-- 
Crist J. Clark                     |     cjclark () alum mit edu
                                   |     cjclark () jhu edu
http://people.freebsd.org/~cjc/    |     cjc () freebsd org
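The "ship NIDS data to a central database, crunch it, push distilled information back out" model discussed in this message, and the "several landmine hits across the internet before a blackhole" threshold from the quoted text, can be sketched as a small correlation routine. The following is an added example written for this archive page; it is not code from the thread participants, from ISC/DShield, or from ARIS. All sensor sites, source addresses and target addresses are constructed sample data (documentation and private ranges), and the thresholds `min_sites` and `min_nets` are assumed values, not anything the projects mentioned actually use.

```python
"""Central correlation of port-scan reports from several sensor sites.

Added example for the NANOG thread above (not the thread's own code).
Models the idea that a source is only worth acting on once several
independent sites have seen it probing several distinct /24s.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_interface


@dataclass(frozen=True)
class ScanReport:
    site: str    # reporting organisation / sensor (constructed name)
    src: str     # address that did the probing
    dst: str     # host that was probed
    dport: int   # destination port probed


# Constructed sample reports; addresses are from documentation/private
# ranges and do not refer to real hosts.
SAMPLE_REPORTS = [
    # 203.0.113.7 is seen by four unrelated sites across four /24s.
    ScanReport("site-a", "203.0.113.7", "10.1.1.10", 22),
    ScanReport("site-a", "203.0.113.7", "10.1.1.11", 22),
    ScanReport("site-b", "203.0.113.7", "10.2.2.20", 22),
    ScanReport("site-c", "203.0.113.7", "10.3.3.30", 22),
    ScanReport("site-d", "203.0.113.7", "10.4.4.40", 22),
    # 198.51.100.9 probed three hosts in one /24 at one site only.
    ScanReport("site-a", "198.51.100.9", "10.1.1.10", 80),
    ScanReport("site-a", "198.51.100.9", "10.1.1.11", 80),
    ScanReport("site-a", "198.51.100.9", "10.1.1.12", 80),
    # 192.0.2.5 was seen by two sites; below the assumed threshold.
    ScanReport("site-a", "192.0.2.5", "10.1.1.10", 445),
    ScanReport("site-b", "192.0.2.5", "10.2.2.20", 445),
]


def summarize(reports):
    """Per source: distinct reporting sites, distinct target /24s, total hits."""
    sites = defaultdict(set)
    nets = defaultdict(set)
    hits = defaultdict(int)
    for r in reports:
        sites[r.src].add(r.site)
        # Collapse the probed host to its /24 so many hosts in one
        # network count as one network, not many.
        nets[r.src].add(str(ip_interface(f"{r.dst}/24").network))
        hits[r.src] += 1
    return {
        src: {"sites": len(sites[src]), "nets": len(nets[src]), "hits": hits[src]}
        for src in hits
    }


def blackhole_candidates(reports, min_sites=3, min_nets=3):
    """Sources seen by at least min_sites sites across at least min_nets /24s.

    Thresholds are assumed values for the example. Scanning a few hosts
    or a single /24, or being reported by one site, does not qualify.
    """
    summary = summarize(reports)
    return sorted(
        src for src, s in summary.items()
        if s["sites"] >= min_sites and s["nets"] >= min_nets
    )


def top_sources(reports, limit=10):
    """Distilled ranking pushed back out to sites, most hits first."""
    summary = summarize(reports)
    ranked = sorted(summary.items(), key=lambda kv: (-kv[1]["hits"], kv[0]))
    return ranked[:limit]


if __name__ == "__main__":
    for src, s in top_sources(SAMPLE_REPORTS):
        print(f"{src:<15} sites={s['sites']} nets={s['nets']} hits={s['hits']}")
    print("blackhole candidates:", blackhole_candidates(SAMPLE_REPORTS))
```

The two-dimensional threshold (distinct sites and distinct target networks) is what keeps a single site's local noise, or one noisy /24, from promoting a source to the shared list; a single sensor with a misconfigured rule cannot on its own cause a blackhole.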

