[47966] in North American Network Operators' Group
Re: Re[6]: "portscans" (was Re: Arbor Networks DoS defense product)
daemon@ATHENA.MIT.EDU (Ralph Doncaster)
Sun May 19 12:12:57 2002
Date: Sun, 19 May 2002 12:13:35 -0400 (EDT)
From: Ralph Doncaster <ralph@istop.com>
To: Allan Liska <allan@allan.org>
Cc: "nanog@merit.edu" <nanog@merit.edu>
In-Reply-To: <6590637554.20020519115915@allan.org>
Message-ID: <Pine.LNX.4.21.0205191210070.1065-100000@cpu1693.adsl.bellglobal.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu
> RD> I think that's pretty stupid. If I had my network admin investigate every
> RD> portscan, my staff costs would go up 10x and I'd quickly go bankrupt.
> RD> Instead we keep our servers very secure, and spend the time and effort
> RD> only when there is evidence of a break-in.
>
> I didn't say investigate every portscan, I said assume every portscan
> is hostile. There is a big difference.
So you assume it's hostile and do what? Automatically block the source
IP? If you do that then you open up a bigger DoS hole. Then if someone
sends a bunch of SYN scans with the source address spoofed as your
upstream transit providers' BGP peering IP, poof! you're gone.
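The failure mode Ralph describes, an auto-blocker that trusts the source address of a bare SYN and so can be tricked into cutting off its own BGP peer, is easy to reproduce and easy to defend against. The following is an added example, not code from the thread or from any product discussed in it. It uses constructed scan events on RFC 5737 documentation addresses, an assumed "never block" list of peering and infrastructure prefixes, and an assumed rule that half-open SYNs (whose source cannot be verified) only raise an alert, while only sources that completed a TCP handshake, and therefore really own the address, are eligible for an automatic block.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample events (not from the thread): one entry per observed SYN.
# 'handshake' is True only when the three-way handshake completed, i.e. the
# source actually received our SYN-ACK and so cannot be a spoofed address.
EVENTS = [
    # A real scanner probing many ports and completing handshakes (connect scan).
    *[{"src": "198.51.100.7", "dport": p, "handshake": True} for p in range(20, 40)],
    # Spoofed SYNs carrying our BGP peer's address as source: no handshake can
    # complete because the SYN-ACK goes to the real peer, not to the sender.
    *[{"src": "192.0.2.1", "dport": p, "handshake": False} for p in range(1, 30)],
    # Ordinary customer traffic.
    {"src": "203.0.113.5", "dport": 80, "handshake": True},
]

SCAN_THRESHOLD = 10  # distinct destination ports from one source before reacting

# Assumed list of addresses that must never be auto-blocked: upstream BGP
# peering addresses, resolvers, monitoring hosts. Values are constructed.
NEVER_BLOCK = [ip_network("192.0.2.0/30"), ip_network("198.51.100.53/32")]


def distinct_ports(events, require_handshake):
    """Map each source to the set of ports it touched, optionally counting only
    events whose handshake completed (address-verified evidence)."""
    ports = defaultdict(set)
    for e in events:
        if require_handshake and not e["handshake"]:
            continue
        ports[e["src"]].add(e["dport"])
    return ports


def naive_autoblock(events, threshold=SCAN_THRESHOLD):
    """The design being criticised: block any source that touches more than
    `threshold` ports. It trusts the source address of a bare SYN, so a
    spoofed scan gets the peer's address blocked."""
    return {src for src, ports in distinct_ports(events, False).items()
            if len(ports) > threshold}


def is_protected(src):
    """True if the address falls inside a never-block prefix."""
    addr = ip_address(src)
    return any(addr in net for net in NEVER_BLOCK)


def hardened_autoblock(events, threshold=SCAN_THRESHOLD):
    """Return (blocked, alerted). Half-open SYNs only raise an alert because the
    source address is unverified; only handshake-confirmed scanners are blocked,
    and protected infrastructure addresses are alerted on but never blocked."""
    blocked, alerted = set(), set()
    confirmed = distinct_ports(events, require_handshake=True)
    unverified = distinct_ports(events, require_handshake=False)
    for src, ports in unverified.items():
        if len(ports) <= threshold:
            continue  # below the scan threshold: nothing to do
        if is_protected(src) or len(confirmed.get(src, ())) <= threshold:
            alerted.add(src)  # human review, no automatic action
        else:
            blocked.add(src)
    return blocked, alerted


if __name__ == "__main__":
    print("naive would block:", sorted(naive_autoblock(EVENTS)))
    blocked, alerted = hardened_autoblock(EVENTS)
    print("hardened blocks:", sorted(blocked), "alerts on:", sorted(alerted))
```

Run as-is, the naive policy blocks both the real scanner and the peering address 192.0.2.1, which is exactly the self-inflicted outage described above; the hardened policy blocks only the scanner that proved it owns its address and merely alerts on the spoofed activity. The allowlist is the belt and the handshake requirement is the braces: either alone leaves a gap (a peer address not on the list, or a real scanner that avoids completing handshakes), so both checks are applied.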