[31439] in North American Network Operators' Group
Re: netscan.org update
daemon@ATHENA.MIT.EDU (Troy Davis)
Sat Sep 23 23:21:48 2000
Date: Sat, 23 Sep 2000 20:19:58 -0700
From: Troy Davis <troy@nack.net>
To: Patrick Greenwell <patrick@cybernothing.org>
Cc: nanog@merit.edu
Message-ID: <20000923201958.A9485@nack.net>
Mail-Followup-To: Troy Davis <troy@nack.net>,
Patrick Greenwell <patrick@cybernothing.org>, nanog@merit.edu
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <Pine.BSF.4.21.0009231836250.87934-100000@localhost>; from patrick@cybernothing.org on Sat, Sep 23, 2000 at 06:39:37PM -0700
Errors-To: owner-nanog-outgoing@merit.edu

On Sat, 23 Sep 2000, Patrick Greenwell <patrick@cybernothing.org> wrote:
> Can someone explain to me why it is ok to blindly scan other people's
> networks without their permission for smurf amplifiers and post the
> results, while doing the same for SMTP servers has met with heavy
> criticism?

Honestly, it's because we haven't been issued a cease-and-desist order
or been sued and lost.

Practically, receiving a smurf attack is more costly and bothersome than
receiving a piece of spam. Both are annoying but only one can wreck my
day. The damage caused by DoS attacks makes for more willingness to
accept minor annoyances of scans, mostly firewalls being tripped. That's
the reason that netscan.org receives very little criticism -- network
administrators would rather have it than not.

On the legal front, lack of exposure plays a part. MAPS is much better
known than all of the smurf scanning projects combined, especially to
non-technical people.

MAPS also offers RBL services that can be easily used for blocking
traffic and, for some, that translates to lost dollars. So the
non-technicals count how many beans they lose from RBL and compare it
to the beans they'd pay lawyers to sue. At some point, RBL has enough
users that the scale tips and a lawsuit is cost effective. RBL annoys
lawsuit-happy folks that perhaps MAPS RSS doesn't.

Netscan.org hasn't created a BGP blackhole announcement out of lack of
time and because, at least while some significant sites are on it, we
doubt many people would use it. Interestingly, looking at the top
smurf-announcing ASNs, an average American backbone could block easily
half of them and barely notice.

As far as criticism, we haven't seen much (and have received a lot of
feedback). We regularly receive complaints about scans triggering
firewalls, but after a reply, users understand what the goal is and don't
mind. CERT is the only group that has really been annoyed with the
scanning, and even they seem to have stopped emailing.

Very few people are annoyed at being listed, but most of our emails go
to admins of larger networks, not single-site admins who may think
"Gargamel" when told of smurfing.

Cheers,
Troy