[47944] in North American Network Operators' Group
Re: "portscans" (was Re: Arbor Networks DoS defense product)
daemon@ATHENA.MIT.EDU (Scott Francis)
Sat May 18 23:14:49 2002
Date: Sat, 18 May 2002 20:11:19 -0700
From: Scott Francis <darkuncle@darkuncle.net>
To: Scott Gifford <sgifford@suspectclass.com>
Cc: nanog@merit.edu
Message-ID: <20020519031119.GC69382@darkuncle.net>
Mail-Followup-To: Scott Francis <darkuncle@darkuncle.net>,
Scott Gifford <sgifford@suspectclass.com>, nanog@merit.edu
In-Reply-To: <lyg00onc97.fsf@gfn.org>
On Sat, May 18, 2002 at 09:43:16PM -0400, sgifford@suspectclass.com said:
[snip]
> > network to gather information or run recon if they were not planning on
> > attacking? I'm not saying that you're not right, I'm just saying that so far
> > I have heard no valid non-attack reasons for portscans (other than those run
> > by network admins against their own networks).
>
> Before choosing an online bank, I portscanned the networks of the
> banks I was considering. It was the only way I could find to get a
> rough assessment of their network security, which was important to me
> as a customer for obvious reasons.
In that case, I would not consider the scan to have come from an
'unaffiliated' person. I'm sure if the bank's network operator noticed it,
and contacted you, things would have been cleared up with no harm done. To
make it a bit more clear: cases where the scanner can demonstrate a good and
benign reason for scanning (they do occasionally exist[1]), no blackhole is
required. Sending an email notification prior to putting in a blackhole is a
good first step to eliminate potential false positives.
[1] Random strangers unaffiliated with your network will almost never have a
valid & benign reason for portscanning you.
> I'm not sure if I would have been impressed or annoyed if they had
> stopped accepting packets from my machine during the scan. :-)
Loss of a customer, probably. :)
--
Scott Francis darkuncle@ [home:] d a r k u n c l e . n e t
Systems/Network Manager sfrancis@ [work:] t o n o s . c o m
GPG public key 0xCB33CCA7 illum oportet crescere me autem minui