[59084] in North American Network Operators' Group
rr style scanning of non-customers
daemon@ATHENA.MIT.EDU (Kuhtz, Christian)
Fri Jun 13 22:14:27 2003
From: "Kuhtz, Christian" <christian.kuhtz@bellsouth.com>
To: nanog@nanog.org
Date: Fri, 13 Jun 2003 21:13:53 -0500
Errors-To: owner-nanog-outgoing@merit.edu
Hey gang,
Some ISPs, such as RR, appear to be implementing what I personally would
consider quite aggressive approaches to guarding their network by
implementing "proactive" scanning of non-customers, similar to what's
described at
http://security.rr.com/probing.htm
In this case, sending email to @rr.com appears to trigger this scanning
business (mind you, this is not about the scanning their subs biz; I don't
care to get into that in this thread).
But, the question is.. How many people here are doing this sort of thing?
And where does this stop, short of nmapping the entire box?
Some time ago, when Code Red first came around, discussions raged as to how
to deal with it and other infestations of customer owned/operated equipment.
And this kind of is a different slant on the same issue. Except that it
goes quite a bit further than your own prefixes.
I'm not looking to start a flamewar, I'm interested in a discussion or
consensus discovery of how far "proactive" tasks can/should/shouldn't go.
Regards,
Christian
*****
"The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential, proprietary, and/or
privileged material. Any review, retransmission, dissemination or other use
of, or taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited. If you received
this in error, please contact the sender and delete the material from all
computers."