North American Network Operators Group

Re: "portscans" (was Re: Arbor Networks DoS defense product)
Dan Hollis <[email protected]> wrote:
> On Sat, 18 May 2002, Scott Francis wrote:
> > On Sat, May 18, 2002 at 11:05:34PM -0400, [email protected] said:
> > > attacked any host or network that I was not directly responsible for.
> > > If you don't want the public portions of your network mapped then you
> > > should withdraw them from public view.
> > Agreed there. Defense is important. It might be good to note that I'm not
> > giving a blanket condemnation of all portscans at all times; but as a GENERAL
> > RULE, portscans from strangers, especially methodical ones that map out a
> > network, are a precursor to some more unsavory activity.
>
> And what the critics keep missing is that it will take several landmine
> hits across the internet to invoke a blackhole. Just scanning a few
> individual hosts or /24s won't do it.
>
> There are three aims of the landmine project:
>
> 1) early warning
> 2) defensive response
> 3) deterrence
>
> I realize such a project won't be absolutely, positively perfect in every
> aspect, and it won't satisfy 100% of the people 100% of the time. But
> that's hardly an excuse to not do it. IMO the positives outweigh the
> negatives by far.

Not that this neverending thread hasn't been an absolute blast, but I
was thinking maybe if I pointed out that this has been and is already
being done by several commercial and non-commercial groups, we could
put an end to the "landmine" discussion?

For example, see,

  http://isc.incidents.org/top10.html

For a list of naughty hosts and nets. And there are any number of
commercial solutions. For example, I believe SecurityFocus's ARIS does
this kind of thing,

  http://www.securityfocus.com/corporate/products/tmsFAQ.shtml

Pretty much all of the big IS security companies do. NIDS data from
various sites is shipped off to a central database where the data is
crunched, and then the distilled information is pushed back out.
Pretty much the same concept?
-- 
Crist J. Clark                     |     [email protected]
                                   |     [email protected]
http://people.freebsd.org/~cjc/    |     [email protected]
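
The aggregation discussed in this message and in the quoted one (sensor reports collected centrally, a source listed only after hits on several separate networks), as an added example that is not from the thread or from any of the services named. The record format, the threshold of three distinct sensor /24s, and every address are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample reports: (sensor address, source address, destination port).
# Sensors use private space; sources use RFC 5737 documentation ranges.
REPORTS = [
    ("10.1.1.10", "203.0.113.5", 22),
    ("10.1.1.77", "203.0.113.5", 23),    # same sensor /24 as the line above
    ("10.2.2.4", "203.0.113.5", 22),
    ("10.3.3.9", "203.0.113.5", 111),
    ("10.1.1.10", "198.51.100.9", 80),   # this source only ever touches one /24
    ("10.1.1.11", "198.51.100.9", 80),
    ("10.1.1.12", "198.51.100.9", 443),
    ("10.2.2.4", "not-an-ip", 22),       # malformed record, skipped and counted
]


def aggregate(reports, prefix=24):
    """Group reports by source; track distinct sensor networks and ports seen."""
    nets = defaultdict(set)
    ports = defaultdict(set)
    skipped = 0
    for sensor, source, port in reports:
        try:
            src = ipaddress.ip_address(source)
            net = ipaddress.ip_network(f"{sensor}/{prefix}", strict=False)
        except ValueError:
            skipped += 1
            continue
        nets[src].add(net)
        ports[src].add(port)
    return nets, ports, skipped


def distill(reports, min_networks=3):
    """Return (listed, skipped): sources seen by >= min_networks sensor /24s."""
    nets, ports, skipped = aggregate(reports)
    listed = sorted(
        (str(src), len(seen), sorted(ports[src]))
        for src, seen in nets.items()
        if len(seen) >= min_networks
    )
    return listed, skipped


if __name__ == "__main__":
    for source, net_count, port_list in distill(REPORTS)[0]:
        print(f"{source} seen by {net_count} sensor networks, ports {port_list}")
```

Counting distinct sensor networks rather than raw hits is what keeps a source that probes many hosts inside a single /24 below the threshold.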