Scanning (was Re: Stealth Blocking)

Sat May 26 16:41:16 UTC 2001

[ On Saturday, May 26, 2001 at 10:35:47 (-0400), Christopher A. Woodfield wrote: ]
> Subject: Re: Scanning (was Re: Stealth Blocking)
> About two years ago the <vijay> promising local ISP </vijay> I worked 
> for saw the number of ORBS-listed hosts within its netspace go from ~400
> to over 3,000 in one week.

Hmmmm....  you don't say exactly, but two years ago you were probably
seeing the results of manual list entries (perhaps even entered as
netblocks).  Back then you had to be really smart and look at the value
of the A RR returned from a DNS query into the database to be able to
tell the difference between a proper ORBS entry and one of the
supplemental manual entries.  These days it's much more difficult to
confuse the mechanical part of ORBS with the ego part.

> Among the listings was a class C where EVERY HOST, 
> 254 IPs, in the block was listed. Granted, each one was an open relay, but the 
> point is that each IP was individually relay tested. When questioned about 
> this, Alan Brown responded that he had "received an unusually large number
> of nominations" for hosts in our netspace. Uh huh. Sure.

Do you have the mailer logs from those hosts?

Can you prove that there was no other unauthorised use of them during
the time *before* they were tested by ORBS?

							Greg A. Woods

