[47926] in North American Network Operators' Group
Re: "portscans" (was Re: Arbor Networks DoS defense product)
daemon@ATHENA.MIT.EDU (Scott Francis)
Sat May 18 19:07:07 2002
Date: Sat, 18 May 2002 16:03:11 -0700
From: Scott Francis <darkuncle@darkuncle.net>
To: "Greg A. Woods" <woods@weird.com>
Cc: nanog@merit.edu
Message-ID: <20020518230311.GA68386@darkuncle.net>
Mail-Followup-To: Scott Francis <darkuncle@darkuncle.net>,
"Greg A. Woods" <woods@weird.com>, nanog@merit.edu
In-Reply-To: <20020518212527.90E84AC@proven.weird.com>
On Sat, May 18, 2002 at 05:25:27PM -0400, woods@weird.com said:
> [ On Saturday, May 18, 2002 at 13:48:27 (-0700), Scott Francis wrote: ]
> > Subject: Re: "portscans" (was Re: Arbor Networks DoS defense product)
> >
> > > However a "portscan" is not an attack.
> >
> > Precursor to an attack, certainly.
>
> B.S. A plain old port or IP scan is nothing more than an information
> gathering exercise. Unless you're the one running it you almost
> certainly have no clue whatsoever why it was started. (Unless you can
> prove somehow that the scan pattern and/or packets matches a signature
> that's proven to be _unique_ to some known attack tool.)
And why, pray tell, would some unknown and unaffiliated person be scanning my
network to gather information or run recon if they were not planning on
attacking? I'm not saying that you're not right, I'm just saying that so far
I have heard no valid non-attack reasons for portscans (other than those run
by network admins against their own networks).
--
Scott Francis darkuncle@ [home:] d a r k u n c l e . n e t
Systems/Network Manager sfrancis@ [work:] t o n o s . c o m
GPG public key 0xCB33CCA7 illum oportet crescere me autem minui