"portscans" (was Re: Arbor Networks DoS defense product)

Greg A. Woods woods at weird.com
Sun May 19 22:03:02 UTC 2002


[ On Sunday, May 19, 2002 at 17:45:36 (-0400), Benjamin P. Grubin wrote: ]
> Subject: RE: Re[8]: "portscans" (was Re: Arbor Networks DoS defense product)
>
> If you separate the pointless argument about the hostility of portscans
> and the viability of a distributed landmine system, this may turn out to
> be a useful discussion in the end.  I mean--we all know portscans are
> hardly the ideal trigger anyhow.  On top of the potential ambiguity of
> their intention, they are also difficult to reliably detect.  
> 
> The distributed landmine tied to subscription blackhole a la RBL may very
> well have significant positive attributes that are being drowned out due
> to the portscan debate.  Obviously the vast majority in the spam world
> think RBL and/or ORBS have merit, despite the vocal complaints.  Why not
> discuss viable alternative trigger methods instead of whining about
> portscans?

Well, there is still the issue of discovering the intent of a scan,
regardless of how many landmines have to be triggered before a
blackhole listing is put in place.

Such technology is very dangerous if automated.  Anyone with sufficient
intelligence to find enough of the landmine systems could probably also
figure out how to trigger them in such a way as to DoS any random host
or network at will (assuming enough networks to matter used the listing
service in real time).  Unless there's also a sure-fire automated way of
quickly revoking such a black list entry, as well as a free
white-listing service, the consequences are far too dire to earn my
support.

On the other hand, SMTP open relay blackholes are easy to prove and
usually easy enough to fix and get de-listed from.  Even the Spamcop
realtime DNS list "bl.spamcop.net" is pretty hard to trick, and of
course it's not really widely enough used that getting listed there is
all that disruptive (apparently, since listed sites keep sending spam
with no apparent degradation in their throughput).

-- 
								Greg A. Woods

+1 416 218-0098;  <gwoods at acm.org>;  <g.a.woods at ieee.org>;  <woods at robohack.ca>
Planix, Inc. <woods at planix.com>; VE3TCP; Secrets of the Weird <woods at weird.com>
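Added example (not part of the original post or of any listing service's code): a minimal DNSBL lookup of the kind a "realtime DNS list" such as the one the post mentions is consulted with, written with the two safeguards the post asks for, a local whitelist that overrides the list, and a sanity check on what counts as a "listed" answer. The zone name `bl.example.invalid`, the stub resolver and its answers are constructed for this illustration and are not real DNSBL data; the 127.0.0.0/8 answer convention and the 127.0.0.2 test address are the ones RFC 5782 documents.

```python
"""Minimal DNSBL client with a local whitelist and answer sanity check.

Added example. The zone, the stub answers and the sample addresses are
constructed for illustration; they are not real blocklist data.
"""
import ipaddress
import socket
from typing import Callable, Iterable, Optional

ZONE = "bl.example.invalid"  # assumed placeholder zone, not a real list

# Constructed stand-in for the DNS: query name -> A record the zone returns.
# 127.0.0.2 is the conventional "listed" answer; RFC 5782 says a DNSBL must
# list 127.0.0.2 and must not list 127.0.0.1, which makes a cheap health check.
CONSTRUCTED_ZONE = {
    "2.0.0.127." + ZONE: "127.0.0.2",
    "4.3.2.192." + ZONE: "127.0.0.2",
    # Simulates a dead list whose domain now wildcards to a parking web host.
    "9.8.7.203." + ZONE: "198.51.100.7",
}


def dnsbl_query_name(ip: str, zone: str = ZONE) -> str:
    """Reverse the octets of an IPv4 address and append the DNSBL zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")  # ValueError on junk
    return ".".join(reversed(octets)) + "." + zone


def stub_resolve(name: str) -> Optional[str]:
    """Offline resolver over the constructed zone; None means NXDOMAIN."""
    return CONSTRUCTED_ZONE.get(name)


def live_resolve(name: str) -> Optional[str]:
    """Real A lookup (not used by the offline demo); NXDOMAIN -> None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check(ip: str,
          resolve: Callable[[str], Optional[str]] = stub_resolve,
          allowlist: Iterable[str] = (),
          zone: str = ZONE) -> str:
    """Classify an address: 'allowlisted', 'listed', 'not-listed' or 'bogus-answer'."""
    addr = ipaddress.IPv4Address(ip)
    # The operator's own whitelist wins over any third-party listing, so a
    # list that is tricked (or hijacked) cannot cut off a peer we chose to keep.
    for net in allowlist:
        if addr in ipaddress.IPv4Network(net):
            return "allowlisted"
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return "not-listed"
    if ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"):
        return "listed"
    # Anything outside 127/8 is not a DNSBL verdict, usually a defunct list whose
    # domain was parked with a wildcard record. Treating it as "listed" would
    # blackhole every sender, the automated failure the post warns about.
    return "bogus-answer"


def zone_is_sane(resolve: Callable[[str], Optional[str]] = stub_resolve,
                 zone: str = ZONE) -> bool:
    """RFC 5782 self-test: 127.0.0.2 must be listed, 127.0.0.1 must not be."""
    return (check("127.0.0.2", resolve, zone=zone) == "listed"
            and check("127.0.0.1", resolve, zone=zone) == "not-listed")


if __name__ == "__main__":
    for ip in ("192.2.3.4", "203.7.8.9", "10.0.0.1"):
        print(ip, check(ip, allowlist=("10.0.0.0/8",)))
    print("zone sane:", zone_is_sane())
```

Swap `stub_resolve` for `live_resolve` and a real zone to query an actual list; keep the `zone_is_sane` check in the path so a list that has gone dark or been parked is disabled rather than trusted.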