North American Network Operators Group

Re: update

  • From: Troy Davis
  • Date: Sat Sep 23 23:22:34 2000

On Sat, 23 Sep 2000, Patrick Greenwell wrote:

> Can someone explain to me why it is ok to blindly scan other people's
> networks without their permission for smurf amplifiers and post the
> results, while doing the same for SMTP servers has met with heavy
> criticism?

Honestly, it's because we haven't been issued a cease-and-desist order 
or been sued and lost.

Practically, receiving a smurf attack is more costly and bothersome than 
receiving a piece of spam.  Both are annoying but only one can wreck my 
day.  The damage caused by DoS attacks makes for more willingness to 
accept minor annoyances of scans, mostly firewalls being tripped.  That's 
the reason that receives very little criticism -- network 
administrators would rather have it than not.

On the legal front, lack of exposure plays a part.  MAPS is much better
known than all of the smurf scanning projects combined, especially to
non-technical people.

MAPS also offers RBL services that can be easily used for blocking 
traffic and, for some, that translates to lost dollars.  So the 
non-technicals count how many beans they lose from RBL and compare it 
to the beans they'd pay lawyers to sue.  At some point, RBL has enough 
users that the scale tips and a lawsuit is cost effective.  RBL annoys
lawsuit-happy folks that perhaps MAPS RSS doesn't. hasn't created a BGP blackhole announcement out of lack of
time and because, at least while some significant sites are on it, we
doubt many people would use it.  Interestingly, looking at the top
smurf-announcing ASNs, an average American backbone could block easily 
half of them and barely notice.

As far as criticism, we haven't seen much (and have received a lot of
feedback).  We regularly receive complaints about scans triggering 
firewalls, but after a reply, users understand what the goal is and don't
mind.  CERT is the only group that has really been annoyed with the 
scanning, and even they seem to have stopped emailing.

Very few people are annoyed at being listed, but most of our emails go 
to admins of larger networks, not single-site admins who may think
"Gargamel" when told of smurfing.