[56230] in North American Network Operators' Group
Re: anti-spam vs network abuse
daemon@ATHENA.MIT.EDU (Roger Marquis)
Fri Feb 28 18:12:15 2003
Date: Fri, 28 Feb 2003 15:11:40 -0800 (PST)
From: Roger Marquis <marquis@roble.com>
To: nanog@trapdoor.merit.edu
Errors-To: owner-nanog-outgoing@merit.edu
Richard Irving wrote
>Jack Bates wrote:(SNIPO)
>> > Should we outlaw a potentially beneficial practice due to its abuse by
>> > criminals?
>> >
>> Okay. What happens if you make a mistake and overload one of my devices
>> costing my company money.
>
> That is usually a civil issue, not criminal.
Legal considerations aside it is not good practice to scan a
subnet/server hosting dozens of websites. Typical symptoms are
slow connections to all the sites, increased memory utilization,
and error logs like the following:
[Wed Feb 26 02:14:57 2003] [info] server seems busy, (you
may need to increase StartServers, or Min/MaxSpareServers),
spawning 26 children, there are 60 idle, and 88 total
children
As a result the ISP must either A) purchase more RAM, faster CPUs,
and additional servers, or B) run the risk of complaints and lost
customer goodwill. All of this costs time and money.
The best mitigation is to set a _slow_ scan rate but even that can
still get you blacklisted by a well designed NIDS.
Given the potential cost to third parties it's difficult to see any
case for netscanning, regardless of the scanner's rational.
--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
