[47997] in North American Network Operators' Group
Re: "portscans" (was Re: Arbor Networks DoS defense product)
daemon@ATHENA.MIT.EDU (Crist J. Clark)
Mon May 20 14:03:52 2002
Date: Mon, 20 May 2002 11:03:25 -0700
From: "Crist J. Clark" <crist.clark@attbi.com>
To: nanog@merit.edu
Message-ID: <20020520110325.B1468@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Errors-To: owner-nanog-outgoing@merit.edu
Dan Hollis <goemon@anime.net> wrote:
> On Sat, 18 May 2002, Scott Francis wrote:
> > On Sat, May 18, 2002 at 11:05:34PM -0400, woods@weird.com said:
> > > attacked any host or network that I was not directly responsible for.
> > > If you don't want the public portions of your network mapped then you
> > > should withdraw them from public view.
> > Agreed there. Defense is important. It might be good to note that I'm not
> > giving a blanket condemnation of all portscans at all times; but as a GENERAL
> > RULE, portscans from strangers, especially methodical ones that map out a
> > network, are a precursor to some more unsavory activity.
>
> And what the critics keep missing is that it will take several landmine
> hits across the internet to invoke a blackhole. Just scanning a few
> individual hosts or /24s won't do it.
>
> There are three aims of the landmine project:
>
> 1) early warning
> 2) defensive response
> 3) deterrence
>
> I realize such a project won't be absolutely, positively perfect in every
> aspect, and it won't satisfy 100% of the people 100% of the time. But
> that's hardly an excuse to not do it. IMO the positives outweigh the
> negatives by far.
Not that this neverending thread hasn't been an absolute blast, but I
was thinking maybe if I pointed out that this has been and is already
being done by several commercial and non-commercial groups, we could
put an end to the "landmine" discussion?
For example, see
http://isc.incidents.org/top10.html
for a list of naughty hosts and nets. And there are any number of
commercial solutions. For example, I believe SecurityFocus's ARIS does
this kind of thing,
http://www.securityfocus.com/corporate/products/tmsFAQ.shtml
Pretty much all of the big IS security companies do.
NIDS data from various sites is shipped off to a central database
where the data is crunched, and then the distilled information is
pushed back out. Pretty much the same concept?
--
Crist J. Clark | cjclark@alum.mit.edu
| cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org