[31454] in North American Network Operators' Group
Re: netscan.org update
daemon@ATHENA.MIT.EDU (Greg A. Woods)
Sun Sep 24 12:07:19 2000
From: woods@weird.com (Greg A. Woods)
To: nanog@merit.edu
In-Reply-To: <Pine.LNX.4.21.0009232147330.7119-100000@Overkill.EnterZone.Net>
Reply-To: woods@weird.com (Greg A. Woods)
Message-Id: <20000924160522.CC3FC5@proven.weird.com>
Date: Sun, 24 Sep 2000 12:05:22 -0400 (EDT)
[ On Saturday, September 23, 2000 at 21:52:52 (-0400), John Fraizer wrote: ]
> Subject: Re: netscan.org update
>
> To more specifically answer your question though, I consider it to be less
> intrusive for someone to send an ICMP echo request to the
> broadcast/network address of every CIDR bit boundary of networks on our
> backbone and count the replies than for someone to randomly scan for SMTP
> servers and then subject those servers to a massive relay test. The SMTP
> testing represents more load on hosts and the network than the SMURF
> testing.

I doubt it. There's almost certainly more traffic generated by a smurf
amplifier test than by relay tests over the same networks, especially if
there are indeed smurf amplifiers on that network! Think about it!

Troy's real answer aside:

The difference is that smurf amplifiers normally only take down IRC,
while spam relayers blast us all! :-)

hmmm.... that would indicate the response should be the opposite, now
wouldn't it, or is it that more *network* operators use IRC than email? :-)

What would be interesting would be to correlate the amplifier list with
data from a similar true open relay test *scan*. I'd bet it's high.

--
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods@acm.org> <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>