Scanning (was Re: Stealth Blocking)

Joseph T. Klein jtk at
Thu May 24 14:16:12 UTC 2001

20% of Internet bandwidth utilization is from scanning ...
                                         -- Another made up statistic.


The elephant is getting hurt by the blind men.

How do I differentiate a "white hat" scan from a "black hat" scan?

I don't mind people like Bill Manning who send out polite notification
before scanning my DNS but general network scanning is starting to get

By my count the average random scans come at least 4 times a week.

What is the effect of scanning the whole operational address space
four times a week?

At 08:52 -0400 24-05-2001, William Allen Simpson wrote:
>Actually, scanning is an important security tool.  It is also an
>important network monitoring tool.
>Over the years, we've used scanning to determine the density of IP
>address assignment, in-addr propagation, and other operational issues.
>Recently, the OpenSSH project has been doing random probes to determine
>the numbers and versions of SSH, and sequential probes in selected
>address space to warn operators of vulnerable early versions.
>In general, scanning should be done regularly.  If not by the affected
>network operator, then by the targets that have been contacted by the
>affected network.
>I _do_ accept that a connected Internet means that anybody may scan
>anybody else's network.  In fact, it is a natural consequence.
>There is nothing wrong with scanning.
>(The problem with ORBS was not the scanning, but rather the aggressive
>nature of the scanner, and the belligerence of the operator.  Denial of
>service is a different kettle of fish.)
>David Schwartz wrote:
>>  Jon Lewis wrote:
>>  > What's so bad about pre-emptive open-relay scanning?  What's the
>>  > difference between an open-relay found/used by a spammer and added to the
>>  > RSS and an open-relay found by pre-emptive scanner and added to the RSS?
>>  > Both sites are likely sources of relay spam.
>>          What's so bad about pre-emptive open-relay scanning is 
>>that if you feel
>>  that is justified, you pretty much have accepted that anybody who pleases
>>  may scan anybody else's network for any weakness he or she would like to
>>  probe for. And if someone else probed 40,000 of your hosts each for 500
>>  vulnerabilitise, you would have to accept the probers answer that there's
>>  nothing wrong with pre-emptive scanning. After all, if someone else gets
>>  root on your system, it's a potential threat to him. I am not happy with
>>  that result.

Joseph T. Klein                                         +1 414 915 7489
Senior Network Engineer                                 jtk at
Adelphia Business Solutions                joseph.klein at

     "... the true value of the Internet is its connectedness ..."
                                                  -- John W. Stewart III

More information about the NANOG mailing list