Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-21 Thread Nathan J. Mehl


In the immortal words of Mitch Halmu ([EMAIL PROTECTED]):
 
 (Rev. Martin Niemoller, 1945)

Congratulations, Mitch, you have done what many of us would have
considered impossible: you have surpassed your own previous high-water
mark for tasteless, self-involved bullshit.  (Which, for the
short-of-memory, was when you used the 9/11 attacks as justification
for demanding that MAPS be turned off.)

My dead relatives have nothing to do with your desire to run an open
relay with no consequences.  Kindly go fuck yourself.

-n

p.s. cc'ed to nanog-request: please consider this to be yet another
 request to have Mitch removed from this list.

p.p.s. I believe this counts as a Godwin invocation.  Thread closed.

--[EMAIL PROTECTED]
  The life of a sysadmin is always intense.
http://blank.org/memory/--



Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-20 Thread Greg A. Woods


[ On Sunday, May 19, 2002 at 16:30:48 (-0700), Dan Hollis wrote: ]
 Subject: Re: portscans (was Re: Arbor Networks DoS defense product)

 On Sun, 19 May 2002, Greg A. Woods wrote:
  Such technology is very dangerous if automated.
 
 And if its not?

If it's not an automated system then it's only as dangerous as the
person(s) controlling it, plus whatever propensity they have for making
unintended errors that would not be made by a properly tested automatic
system.

-- 
Greg A. Woods

+1 416 218-0098;  [EMAIL PROTECTED];  [EMAIL PROTECTED];  [EMAIL PROTECTED]
Planix, Inc. [EMAIL PROTECTED]; VE3TCP; Secrets of the Weird [EMAIL PROTECTED]



Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Johnny Eriksson


Ralph Doncaster [EMAIL PROTECTED] writes:

 I often like to know if a particular web server is running Unix or
 Winblows.  A port scanner is a useful tool in making that determination.
 
 sarcasm
 And why, pray tell, would some stranger be carrying a concealed gun if
 they were not planning on shooting someone?
 /sarcasm

Maybe there is a difference between carrying a concealed portscanner and
actually using one?

--Johnny



Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Dan Hollis


On Sat, 18 May 2002, Scott Francis wrote:
 On Sat, May 18, 2002 at 11:05:34PM -0400, [EMAIL PROTECTED] said:
  attacked any host or network that I was not directly responsible for.
  If you don't want the public portions of your network mapped then you
  should withdraw them from public view.
 Agreed there. Defense is important. It might be good to note that I'm not
 giving a blanket condemnation of all portscans at all times; but as a GENERAL
 RULE, portscans from strangers, especially methodical ones that map out a
 network, are a precursor to some more unsavory activity.

And what the critics keep missing is that it will take several landmine 
hits across the internet to invoke a blackhole. Just scanning a few 
individual hosts or /24s won't do it.

There are three aims of the landmine project:

1) early warning
2) defensive response
3) deterrence

I realize such a project won't be absolutely, positively perfect in every 
aspect, and it won't satisfy 100% of the people 100% of the time. But 
that's hardly an excuse to not do it. IMO the positives outweigh the 
negatives by far.

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]




Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Scott Francis

On Sat, May 18, 2002 at 11:46:21PM -0400, [EMAIL PROTECTED] said:
 [ On Saturday, May 18, 2002 at 20:15:10 (-0700), Scott Francis wrote: ]
  Subject: Re: portscans (was Re: Arbor Networks DoS defense product)
 
  Apologies; my finger was a bit too quick on the 'g'. As this message came to
  the list, I will assume it is safe to cc the list on my reply. Sorry about
  that last.
 
 Apology accepted, but I strongly recommend you learn to use some more
 reliable mail reader software -- something that doesn't accidentally
 invent reply addresses!  There was no hint that my message to you was in
 any way associated with the NANOG list -- it was delivered directly to
 you and CC'd only to the person you were responding to.  Some outside
 influence had to have associated it with having been a reply to a list
 posting and connected your desire to reply with inclusion of the list
 submission address.  According to your reply's headers you're using
 Mutt-1.3.25i, and according to the Mutt manual 'g' is the group-reply
 command.  I don't find any hint in the description of that command to
 indicate that it will magically associate a given message with a list,
 especially one that was not received from the list.  Even the
 'list-reply' command should not be able to associate a private reply
 with the list address.  If Mutt really does magically associate private
 replies with list addresses by some mysterious mechanism then it's even
 more broken than I suspected.

It doesn't. I cc'd the list because I thought the message to be germane to
the public thread, and no mention was made of the message being private. That
was a misstep on my part, for which I apologize, and that was what I meant by
a little too quick on the 'g'. I will in the future assume all replies not
cc'd to the list to be private, or else get permission before cc'ing the list
on a reply.

Mea culpa.
-- 
Scott Francis   darkuncle@ [home:] d a r k u n c l e . n e t
Systems/Network Manager  sfrancis@ [work:] t o n o s . c o m
GPG public key 0xCB33CCA7  illum oportet crescere me autem minui





Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Scott Francis

On Sun, May 19, 2002 at 12:12:01AM -0700, [EMAIL PROTECTED] said:
[snip]
 And what the critics keep missing is that it will take several landmine 
 hits across the internet to invoke a blackhole. Just scanning a few 
 individual hosts or /24s won't do it.
 
 There are three aims of the landmine project:
 
 1) early warning
 2) defensive response
 3) deterrence
 
 I realize such a project won't be absolutely, positively perfect in every 
 aspect, and it won't satisfy 100% of the people 100% of the time. But 
 that's hardly an excuse to not do it. IMO the positives outweigh the 
 negatives by far.

This is what I have been (unsuccessfully) attempting to state. I apparently
need more practice in being coherent. :)
-- 
Scott Francis   darkuncle@ [home:] d a r k u n c l e . n e t
Systems/Network Manager  sfrancis@ [work:] t o n o s . c o m
GPG public key 0xCB33CCA7  illum oportet crescere me autem minui





Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Stephen J. Wilcox


On 18 May 2002, Scott Gifford wrote:

 
 Scott Francis [EMAIL PROTECTED] writes:
 
 [...]
 
  And why, pray tell, would some unknown and unaffiliated person be scanning my
  network to gather information or run recon if they were not planning on
  attacking? I'm not saying that you're not right, I'm just saying that so far
  I have heard no valid non-attack reasons for portscans (other than those run
  by network admins against their own networks).
 
 Before choosing an online bank, I portscanned the networks of the
 banks I was considering.  It was the only way I could find to get a
 rough assessment of their network security, which was important to me
 as a customer for obvious reasons.

I would argue that this is not good practice and you don't have the right
to intrude on the workings of the bank's network just because you have the
technology to do so.. if a telnet port was open would you also check that
you were unable to brute force your way in? That is to say.. what exactly
were you hoping to find and then do with the results?

I'd also say your reason for this is void, it's not your responsibility to
assess the bank's security. If they screw up they have insurance and
you're not at risk.

 I'm not sure if I would have been impressed or annoyed if they had
 stopped accepting packets from my machine during the scan.  :-)

But surely if all their prospects do this they will not be able to handle
the volume of attacks and will be unable to keep up with blocking the more
minor benign scans. And you as a customer ought to prefer their time is
spent on legitimate attacks which means no one scans them 'for good
reasons' and all scans are therefore malicious and worthy of
investigating...

Steve

 
 -ScottG.
 




Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Ralph Doncaster


  I often like to know if a particular web server is running Unix or
  Winblows.  A port scanner is a useful tool in making that determination.
 
 a full-blown portscan is not required here. A simple telnet to port 80 will
 do the job.

A simple telnet to port 80 will sometimes do the job, but often not.
And even your statement a full-blown portscan is not required concedes
that a portscan will work in making this determination.





Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Ralph Doncaster


  rough assessment of their network security, which was important to me
  as a customer for obvious reasons.
 
 In that case, I would not consider the scan to have come from an
 'unaffiliated' person. I'm sure if the bank's network operator noticed it,
 and contacted you, things would have been cleared up with no harm done. To

It sounds like you know something that I don't.  How do you find out the
contact information for someone given only an IP address?

-Ralph





Re: Re[2]: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Ralph Doncaster


 RD I often like to know if a particular web server is running Unix or
 RD Winblows.  A port scanner is a useful tool in making that determination.
 
 [allan@ns1 phpdig]$ telnet www.istop.com 80
 Trying 216.187.106.194...
 Connected to dci.doncaster.on.ca (216.187.106.194).
 Escape character is '^]'.
 HEAD / HTTP/1.0
 
 HTTP/1.1 200 OK
 Date: Sun, 19 May 2002 01:47:57 GMT
 Server: Apache/1.3.22 (Unix) FrontPage/4.0.4.3 PHP/4.1.2 mod_fastcgi/2.2.8

Sure, it works on some servers, but try it on yahoo.com, cnn.com, ...

-Ralph




Re[4]: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Allan Liska


Hello Ralph,

Sunday, May 19, 2002, 10:50:23 AM, you wrote:

 RD I often like to know if a particular web server is running Unix or
 RD Winblows.  A port scanner is a useful tool in making that determination.
 
 [allan@ns1 phpdig]$ telnet www.istop.com 80
 Trying 216.187.106.194...
 Connected to dci.doncaster.on.ca (216.187.106.194).
 Escape character is '^]'.
 HEAD / HTTP/1.0
 
 HTTP/1.1 200 OK
 Date: Sun, 19 May 2002 01:47:57 GMT
 Server: Apache/1.3.22 (Unix) FrontPage/4.0.4.3 PHP/4.1.2 mod_fastcgi/2.2.8

RD Sure, it works on some servers, but try it on yahoo.com, cnn.com, ...

As I think Eddy already mentioned, you can try Netcraft.  Of course in
the cases of Yahoo and CNN you have an Akamai factor...though CNN does
return some useful information:

telnet www.cnn.com 80
Trying 207.25.71.20...
Connected to www1.cnn.com (207.25.71.20).
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.1 200 OK
Server: Netscape-Enterprise/4.1
Date: Sun, 19 May 2002 14:58:55 GMT
Last-modified: Sun, 19 May 2002 14:58:55 GMT
Expires: Sun, 19 May 2002 14:59:55 GMT
Cache-control: private,max-age=60
Content-type: text/html
Connection: close

And, you can also try the direct approach: e-mail the webmaster and
ask :).  I guess the point I am trying to make is that there are ways
of finding out this information without having to resort to portscans.

The example of bank is a very good one.  With all of the security
risks involved in managing a web server, and the associated
database, it seems very important to ask the bank for an explanation
of the steps they have taken to secure their website, and their
customer database.

If they don't give a satisfactory bank somewhere else (or offer your
services ;)).  Certainly that is a better approach than scanning to
see what you can find out.  The organization receiving the scan has
no way of knowing what your intentions are -- and should interpret
them as hostile.


allan
-- 
allan
[EMAIL PROTECTED]
http://www.allan.org




Re: Re[4]: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Ralph Doncaster


 If they don't give a satisfactory bank somewhere else (or offer your
 services ;)).  Certainly that is a better approach than scanning to
 see what you can find out.  The organization receiving the scan has
 no way of knowing what your intentions are -- and should interpret
 them as hostile.

I think that's pretty stupid.  If I had my network admin investigate every
portscan, my staff costs would go up 10x and I'd quickly go bankrupt.
Instead we keep our servers very secure, and spend the time and effort
only when there is evidence of a break in.





Re: Re[2]: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread JC Dill


On 07:50 AM 5/19/02, Ralph Doncaster wrote:
 
  RD I often like to know if a particular web server is running Unix or
  RD Winblows.  A port scanner is a useful tool in making that 
determination.
 
  [allan@ns1 phpdig]$ telnet www.istop.com 80
  Trying 216.187.106.194...
  Connected to dci.doncaster.on.ca (216.187.106.194).
  Escape character is '^]'.
  HEAD / HTTP/1.0
 
  HTTP/1.1 200 OK
  Date: Sun, 19 May 2002 01:47:57 GMT
  Server: Apache/1.3.22 (Unix) FrontPage/4.0.4.3 PHP/4.1.2 mod_fastcgi/2.2.8
 
 Sure, it works on some servers, but try it on yahoo.com, cnn.com, ...

http://uptime.netcraft.com/up/graph/?mode_u=off&mode_w=on&site=www.cnn.com

Works for me, works from any system that has a browser.  At any given time 
I'm *far* more likely to have a browser running than port scanning 
software, so this solution is also IMHO faster.

jc




Re: Re[6]: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Ralph Doncaster


 RD I think that's pretty stupid.  If I had my network admin investigate every
 RD portscan, my staff costs would go up 10x and I'd quickly go bankrupt.
 RD Instead we keep our servers very secure, and spend the time and effort
 RD only when there is evidence of a break in.
 
 I didn't say investigate every portscan, I said assume every portscan
 is hostile.  There is a big difference.

So you assume it's hostile and do what?  Automatically block the source
IP? If you do that then you open up a bigger DOS hole.  Then if someone
sends a bunch of SYN scans with the source address spoofed as your
upstream transit providers' BGP peering IP, poof! you're gone.





Re: Re[2]: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Ralph Doncaster


 http://uptime.netcraft.com/up/graph/?mode_u=off&mode_w=on&site=www.cnn.com
 
 Works for me, works from any system that has a browser.  At any given time 
 I'm *far* more likely to have a browser running than port scanning 
 software, so this solution is also IMHO faster.

Until today netcraft listed agamemnon.cnchost.com as unknown.
I ran nmap to see what it says, so I guess you should assume I'm
hostile. ;-)

Interesting ports on agamemnon.cnchost.com (207.155.252.31):
(The 1519 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
25/tcp     open        smtp
80/tcp     open        http
110/tcp    open        pop-3

TCP Sequence Prediction: Class=truly random
 Difficulty=999 (Good luck!)
No OS matches for host (If you know what OS is running on it, see
http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
TSeq(Class=TR)
T1(Resp=Y%DF=Y%W=6045%ACK=S++%Flags=AS%Ops=NWM)
T2(Resp=N)
T3(Resp=N)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=N)





Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Greg A. Woods


[ On Sunday, May 19, 2002 at 03:16:28 (-0700), Dan Hollis wrote: ]
 Subject: Re: portscans (was Re: Arbor Networks DoS defense product)

 On 18 May 2002, Scott Gifford wrote:
  Before choosing an online bank, I portscanned the networks of the
  banks I was considering.  It was the only way I could find to get a
  rough assessment of their network security, which was important to me
  as a customer for obvious reasons.
 
 So for your offline banks, do you also go to the local branches at night 
 and jiggle all the locks to make sure their doors and windows are locked?

That analogy is fundamentally flawed.  For one the Internet is never
locked after hours -- there is no after hours, it's always open!

There are also no sign posts at every router on the Internet.  The only
sign-posts are the responses you get from trying a given door -- either
it opens or it doesn't.  Unless you actually try to go somewhere in
TCP/IP-land you won't know whether or not you can get there.  A good
firewall makes it appear for all intents and purposes that there's no
door handle to wiggle in the first place.

-- 
Greg A. Woods

+1 416 218-0098;  [EMAIL PROTECTED];  [EMAIL PROTECTED];  [EMAIL PROTECTED]
Planix, Inc. [EMAIL PROTECTED]; VE3TCP; Secrets of the Weird [EMAIL PROTECTED]



Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Greg A. Woods


[ On Sunday, May 19, 2002 at 11:22:08 (-0400), Ralph Doncaster wrote: ]
 Subject: Re: Re[4]: portscans (was Re: Arbor Networks DoS defense product)

 I think that's pretty stupid.  If I had my network admin investigate every
 portscan, my staff costs would go up 10x and I'd quickly go bankrupt.

Indeed -- and we can only hope.  I know a few companies who actually do
that, and sometimes their policies about how they do it are so broken
they refuse to acknowledge the difference between the likes of a squid
cache server just doing its job and a compromised Windoze box scanning
for web servers.  :-)

-- 
Greg A. Woods

+1 416 218-0098;  [EMAIL PROTECTED];  [EMAIL PROTECTED];  [EMAIL PROTECTED]
Planix, Inc. [EMAIL PROTECTED]; VE3TCP; Secrets of the Weird [EMAIL PROTECTED]



Re[8]: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Allan Liska


Hello Ralph,

Sunday, May 19, 2002, 12:13:35 PM, you wrote:

 RD I think that's pretty stupid.  If I had my network admin investigate every
 RD portscan, my staff costs would go up 10x and I'd quickly go bankrupt.
 RD Instead we keep our servers very secure, and spend the time and effort
 RD only when there is evidence of a break in.
 
 I didn't say investigate every portscan, I said assume every portscan
 is hostile.  There is a big difference.

RD So you assume it's hostile and do what?  Automatically block the source
RD IP? If you do that then you open up a bigger DOS hole.  Then if someone
RD sends a bunch of SYN scans with the source address spoofed as your
RD upstream transit providers' BGP peering IP, poof! you're gone.

You do the same thing you do with any attack: Log the information
and take appropriate action.  If you are constantly getting scanned
from one netblock, you should be aware of that; the only way to be
aware of it is to keep a record of all port scans.

A portscan may be innocent, though I agree with those who have said
previously that most portscans are not innocent, in which case it
gets filed away into a database and forgotten.  However, if the same
network is continuously portscanning your network that network should
be stopped.

This whole process can be automated, so that it does not involve
manual intervention...but don't you think a good network administrator
should know what is happening to their network?  And, since there is
no way to distinguish an innocent portscan from one that is a
precursor to an attack, wouldn't it make sense to keep track of all
portscans?


allan
-- 
allan
[EMAIL PROTECTED]
http://www.allan.org
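The log-and-threshold handling Allan describes, with Ralph's spoofed-SYN objection (a reflexive auto-block can cut off your own upstream's BGP peer) built in as a never-auto-block list, as an added illustration that is not code from any poster in this thread. Every address and log line is constructed; 203.0.113.0/30 stands in for a transit peering /30.

```python
"""Scan logging with per-netblock thresholds and a never-auto-block list.

Added illustration for this thread (not code from any poster).  All
addresses and log lines are constructed.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall-style log, one inbound SYN per line:
#   "<ISO timestamp> SYN <src_ip> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2002-05-19T14:58:00 SYN 192.0.2.10 -> 198.51.100.5:21
2002-05-19T14:58:00 SYN 192.0.2.10 -> 198.51.100.5:22
2002-05-19T14:58:01 SYN 192.0.2.10 -> 198.51.100.5:25
2002-05-19T14:58:01 SYN 192.0.2.10 -> 198.51.100.5:80
2002-05-19T14:58:02 SYN 192.0.2.10 -> 198.51.100.5:110
2002-05-19T14:58:02 SYN 192.0.2.10 -> 198.51.100.5:143
2002-05-19T15:10:00 SYN 192.0.2.77 -> 198.51.100.6:21
2002-05-19T15:10:00 SYN 192.0.2.77 -> 198.51.100.6:23
2002-05-19T15:10:01 SYN 192.0.2.77 -> 198.51.100.6:80
2002-05-19T15:10:01 SYN 192.0.2.77 -> 198.51.100.6:443
2002-05-19T15:10:02 SYN 192.0.2.77 -> 198.51.100.6:3306
2002-05-19T16:00:00 SYN 203.0.113.1 -> 198.51.100.1:21
2002-05-19T16:00:00 SYN 203.0.113.1 -> 198.51.100.1:22
2002-05-19T16:00:00 SYN 203.0.113.1 -> 198.51.100.1:23
2002-05-19T16:00:00 SYN 203.0.113.1 -> 198.51.100.1:25
2002-05-19T16:00:00 SYN 203.0.113.1 -> 198.51.100.1:80
2002-05-19T16:05:00 SYN 198.51.100.200 -> 198.51.100.5:80
2002-05-19T16:06:00 SYN 198.51.100.200 -> 198.51.100.5:443
"""

SCAN_MIN_PORTS = 5                    # distinct ports on one target inside the window
SCAN_WINDOW = timedelta(seconds=60)
REVIEW_MIN_HOSTS = 2                  # scanning hosts from one /24 before a human looks

# Addresses never acted on automatically, whatever the logs say: a SYN with a
# forged source costs nothing to send, so a reflexive block on these would be
# a self-inflicted outage (BGP peer, upstream resolvers, ...).
NEVER_AUTO_BLOCK = [ipaddress.ip_network("203.0.113.0/30")]   # constructed peering /30


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port)."""
    ts, _syn, src, _arrow, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return (datetime.fromisoformat(ts), ipaddress.ip_address(src),
            ipaddress.ip_address(dst), int(port))


def detect_scans(lines, min_ports=SCAN_MIN_PORTS, window=SCAN_WINDOW):
    """Return {src_ip: {dst_ip, ...}} for every source that probed at least
    min_ports distinct ports on one target within `window`."""
    hits = defaultdict(list)                      # (src, dst) -> [(ts, port)]
    for line in lines:
        if line.strip():
            ts, src, dst, port = parse_line(line)
            hits[(src, dst)].append((ts, port))
    scans = defaultdict(set)
    for (src, dst), events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):     # slide the window over each start
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                scans[src].add(dst)
                break
    return dict(scans)


def is_protected(ip):
    return any(ip in net for net in NEVER_AUTO_BLOCK)


def classify(scans, min_hosts=REVIEW_MIN_HOSTS):
    """Group scanning hosts by /24 and return {"a.b.c.0/24": verdict}.
    The only automatic outcomes are 'log' and 'review'; blocking stays a
    human decision, and protected addresses never even reach 'review'."""
    per_block = defaultdict(set)
    for src in scans:
        per_block[str(ipaddress.ip_network(f"{src}/24", strict=False))].add(src)
    verdicts = {}
    for block, hosts in sorted(per_block.items()):
        if any(is_protected(h) for h in hosts):
            verdicts[block] = "log-only: protected address, source may be spoofed"
        elif len(hosts) >= min_hosts:
            verdicts[block] = f"review: {len(hosts)} scanning hosts from this netblock"
        else:
            verdicts[block] = "log"
    return verdicts


def summarize(log_text):
    """Run detection and classification over raw log text."""
    return classify(detect_scans(log_text.splitlines()))


if __name__ == "__main__":
    for block, verdict in summarize(SAMPLE_LOG).items():
        print(f"{block:18} {verdict}")
```

Note that the ordinary web client at 198.51.100.200 never appears in the output at all: two ports in two minutes is just traffic, and only the record of real scans is kept.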




Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Scott Gifford


Stephen J. Wilcox [EMAIL PROTECTED] writes:

 On 18 May 2002, Scott Gifford wrote:
 
  
  Scott Francis [EMAIL PROTECTED] writes:
  
  [...]
  
   And why, pray tell, would some unknown and unaffiliated person
   be scanning my network to gather information or run recon if
   they were not planning on attacking? I'm not saying that you're
   not right, I'm just saying that so far I have heard no valid
   non-attack reasons for portscans (other than those run by
   network admins against their own networks).
 
   Before choosing an online bank, I portscanned the networks of the
  banks I was considering.  It was the only way I could find to get
  a rough assessment of their network security, which was important
  to me as a customer for obvious reasons.
 
 I would argue that this is not good practice and you dont have the
 right to intrude on the workings of the banks network just because
 you have the technology to do so.. if a telnet port was open would
 you also check that you were unable to brute force your way in? That
 is to say.. what exactly were you hoping to find and then do with
 the results?

I'm not arguing it's good practice.  I'm giving it as an example of a
reason why somebody might scan your network, even though they were not
planning on attacking.

ScottG.



RE: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread James



    Before choosing an online bank, I portscanned the networks of the 
   banks I was considering.  It was the only way I could 
 find to get a 
   rough assessment of their network security, which was 
 important to 
   me as a customer for obvious reasons.
  
[snip]
 
 I'm not arguing it's good practice.  I'm giving it as an 
 example of a reason why somebody might scan your network, 
 even though they were not planning on attacking.
 

Even then, it's not really effective.  Most compromises I have read about
at major banking providers are from someone at a business partner or
something inside the business indirectly related to the web service
being compromised and then the internal network and any inherent trust
relationships being compromised.

Very rarely is it something super-obvious like an open service with a
default password (but I'm sure there are notable exceptions).

So a portscan of their forward netblocks isn't really a 'test' of their
network security, imo.

- James




Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread william


We maintain the most comprehensive whois recursive engine tool at completewhois.com

So you could also try this and get more info :)

[support@sokol support]$ whois -h completewhois.com  207.99.113.65 
[completewhois.com]

[whois.arin.net]
Net Access Corporation (NETBLK-NAC-NETBLK01)
   1719b Route 10E, Suite 111
   Parsippany, NJ 07054
   US

   Netname: NAC-NETBLK01
   Netblock: 207.99.0.0 - 207.99.127.255
   Maintainer: NAC

   Coordinator:
  Net Access Corporation  (ZN77-ARIN)  [EMAIL PROTECTED]
  800-638-6336

   Domain System inverse mapping provided by:

   NS1.NAC.NET  207.99.0.1
   NS2.NAC.NET  207.99.0.2

   ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE

   * Reassignment information for this network is available
   * at whois.nac.net 43

   Record last updated on 22-Aug-2001.
   Database last updated on  18-May-2002 19:58:45 EDT.

The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.
[WHOIS.NAC.NET]
NAC-Rwhoisd32 Server Ready - [silver/43] Rwhoisd32 v1.0.36

Net Access Corp. (NETBLK-NET-CF637140-28)
   PO Box 55
   Denville, NJ  07834
   USA

Netname : NET-CF637140-28
Netblock: 207.99.113.64/28

Coordinator:
   Rubenstein, Alex  [EMAIL PROTECTED]

Database updated instantaneously.

This Registration Services Host contains ONLY Net Access Corporation 
Network Information. Please use the whois server at whois.arin.net for 
networks not found here.


On Sun, 19 May 2002, Alex Rubenstein wrote:

 
 
 helium:~$ whois -a 207.99.113.65
 Net Access Corporation (NETBLK-NAC-NETBLK01)
1719b Route 10E, Suite 111
Parsippany, NJ 07054
US
 
Netname: NAC-NETBLK01
Netblock: 207.99.0.0 - 207.99.127.255
Maintainer: NAC
 
Coordinator:
   Net Access Corporation  (ZN77-ARIN)  [EMAIL PROTECTED]
   800-638-6336
 
Domain System inverse mapping provided by:
 
NS1.NAC.NET  207.99.0.1
NS2.NAC.NET  207.99.0.2
 
ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
 
* Reassignment information for this network is available
* at whois.nac.net 43
 
 
 
 
 On Sun, 19 May 2002, Ralph Doncaster wrote:
 
 
rough assessment of their network security, which was important to me
as a customer for obvious reasons.
  
   In that case, I would not consider the scan to have come from an
   'unaffiliated' person. I'm sure if the bank's network operator noticed it,
   and contacted you, things would have been cleared up with no harm done. To
 
  It sounds like you know something that I don't.  How do you find out the
  contact information for someone given only an IP address?
 
  -Ralph
 
 
 
 
 -- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben --
 --Net Access Corporation, 800-NET-ME-36, http://www.nac.net   --
 




Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Ralph Doncaster


That's a netblock, not an IP address.  Your script kiddie at home with a
cable modem or ADSL connection is not going to have his IP SWIP'd or
populated in his ISP's rwhois server. Try that with 206.47.27.12 for
instance.  That is a Sympatico ADSL customer here in Ottawa.

Ralph Doncaster
principal, IStop.com 
div. of Doncaster Consulting Inc.

On Sun, 19 May 2002, Alex Rubenstein wrote:

 
 
 helium:~$ whois -a 207.99.113.65
 Net Access Corporation (NETBLK-NAC-NETBLK01)
1719b Route 10E, Suite 111
Parsippany, NJ 07054
US
 
Netname: NAC-NETBLK01
Netblock: 207.99.0.0 - 207.99.127.255
Maintainer: NAC
 
Coordinator:
   Net Access Corporation  (ZN77-ARIN)  [EMAIL PROTECTED]
   800-638-6336
 
Domain System inverse mapping provided by:
 
NS1.NAC.NET  207.99.0.1
NS2.NAC.NET  207.99.0.2
 
ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
 
* Reassignment information for this network is available
* at whois.nac.net 43
 
 
 
 
 On Sun, 19 May 2002, Ralph Doncaster wrote:
 
 
rough assessment of their network security, which was important to me
as a customer for obvious reasons.
  
   In that case, I would not consider the scan to have come from an
   'unaffiliated' person. I'm sure if the bank's network operator noticed it,
   and contacted you, things would have been cleared up with no harm done. To
 
  It sounds like you know something that I don't.  How do you find out the
  contact information for someone given only an IP address?
 
  -Ralph
 
 
 
 
 -- Alex Rubenstein, AR97, K2AHR, [EMAIL PROTECTED], latency, Al Reuben --
 --Net Access Corporation, 800-NET-ME-36, http://www.nac.net   --
 
 
 




Re: Re[8]: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Greg A. Woods


[ On Sunday, May 19, 2002 at 14:14:18 (-0400), Allan Liska wrote: ]
 Subject: Re[8]: portscans (was Re: Arbor Networks DoS defense product)

 However, if the same
 network is continuously portscanning your network that network should
 be stopped.

Unless you're also a tier-1 kind of provider you don't usually get to
control the AUP for other networks unrelated to your own.

How do you propose to resolve a fundamental conflict between your own
users' need to access the content on a network that also happens to be
regularly scanning your network?  Unless real damage is done you
probably don't even have any recourse under the law, even if you do
happen to be in the same jurisdiction (and heaven help us should any
such recourse ever become possible in the free world!).

Unless you expect to be vulnerable to attack and thus really need to
have a record of past scans in case they can be used in evidence; or
maybe unless you're doing research into scanning activities; even
keeping long-term logs of all scans becomes more of a burden than it's
worth.

You will be scanned.  Resistance is futile!  I.e. get over it!  ;-)

(Actually, that's not as bad of an analogy -- look at how active scans
are handled in science fiction, such as in Star Trek.  Sometimes they're
treated as hostile, sometimes not.  Scans aren't just used to target
weapons -- they're also used to detect life signs on rescue missions!
Certainly unless the captain is scared witless he or she has never held
back on doing an active scan when information is needed, and when he or
she is scared of detection a variety of stealth scans are often still
attempted.)

-- 
Greg A. Woods

+1 416 218-0098;  [EMAIL PROTECTED];  [EMAIL PROTECTED];  [EMAIL PROTECTED]
Planix, Inc. [EMAIL PROTECTED]; VE3TCP; Secrets of the Weird [EMAIL PROTECTED]



RE: Re[8]: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Benjamin P. Grubin


If you separate the pointless argument about the hostility of portscans
and the viability of a distributed landmine system, this may turn out to
be a useful discussion in the end.  I mean--we all know portscans are
hardly the ideal trigger anyhow.  On top of the potential ambiguity of
their intention, they are also difficult to reliably detect.  

The distributed landmine tied to subscription blackhole ala RBL may very
well have significant positive attributes that are being drowned out due
to the portscan debate.  Obviously the vast majority in the spam world
think RBL and/or ORBS have merit, despite the vocal complaints.  Why not
discuss viable alternative trigger methods instead of whining about
portscans?

Cheers,
Benjamin P. Grubin, CISSP, GIAC

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On 
 Behalf Of Greg A. Woods
 Sent: Sunday, May 19, 2002 4:48 PM
 To: North America Network Operators Group Mailing List
 Subject: Re: Re[8]: portscans (was Re: Arbor Networks DoS 
 defense product)
 
 
 
 [ On Sunday, May 19, 2002 at 14:14:18 (-0400), Allan Liska wrote: ]
  Subject: Re[8]: portscans (was Re: Arbor Networks DoS 
 defense product)
 
  However, if the same
  network is continuously portscanning your network that 
 network should
  be stopped.
 
 Unless you're also a tier-1 kind of provider you don't usually get to
 control the AUP for other networks unrelated to your own.
 
 How do you propose to resolve a fundamental conflict between your own
 users need to access the content on a network that also happens to be
 regularly scanning your network?  Unless real damage is done you
 probably don't even have any recourse under the law, even if you do
 happen to be in the same jurisdiction (and heaven help us should any
 such recourse ever become possible in the free world!).
 
 Unless you expect to be vulnerable to attack and thus really need to
 have a record of past scans in case they can be used in evidence; or
 maybe unless you're doing research into scanning activities; even
 keeping long-term logs of all scans becomes more of a burden than it's
 worth.
 
 You will be scanned.  Resistance is futile!  I.e. get over it!  ;-)
 
 (Actually, that's not as bad of an analogy -- look at how active scans
 are handled in science fiction, such as in Star Trek.  
 Sometimes they're
 treated as hostile, sometimes not.  Scans aren't just used to target
 weapons -- they're also used to detect life signs on rescue missions!
 Certainly unless the captain is scared witless he or she has 
 never held
 back on doing an active scan when information is needed, and 
 when he or
 she is scared of detection a variety of stealth scans are 
 often still
 attempted.)
 
 -- 
   
 Greg A. Woods
 
 +1 416 218-0098;  [EMAIL PROTECTED];  [EMAIL PROTECTED];  
 [EMAIL PROTECTED]
 Planix, Inc. [EMAIL PROTECTED]; VE3TCP; Secrets of the Weird 
 [EMAIL PROTECTED]
 
 
 





Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Greg A. Woods


[ On Sunday, May 19, 2002 at 17:45:36 (-0400), Benjamin P. Grubin wrote: ]
 Subject: RE: Re[8]: portscans (was Re: Arbor Networks DoS defense product)

 If you separate the pointless argument about the hostility of portscans
 and the viability of a distributed landmine system, this may turn out to
 be a useful discussion in the end.  I mean--we all know portscans are
 hardly the ideal trigger anyhow.  On top of the potential ambiguity of
 their intention, they are also difficult to reliably detect.  
 
 The distributed landmine tied to subscription blackhole ala RBL may very
 well have significant positive attributes that are being drowned out due
 to the portscan debate.  Obviously the vast majority in the spam world
 think RBL and/or ORBS have merit, despite the vocal complaints.  Why not
 discuss viable alternative trigger methods instead of whining about
 portscans?

Well, there is still the issue of discovering the intent of a scan,
regardless of how many landmines have to be triggered before a
blackhole listing is put in place.

Such technology is very dangerous if automated.  Anyone with sufficient
intelligence to find enough of the landmine systems could probably also
figure out how to trigger them in such a way as to DoS any random host
or network at will (assuming enough networks to matter used the listing
service in real time).  Unless there's also a sure-fire automated way of
quickly revoking such a black list entry, as well as a free
white-listing service, the consequences are far too dire to earn my
support.

On the other hand SMTP open relay blackholes are easy to prove and
usually easy enough to fix and get de-listed from.  Even the Spamcop
realtime DNS list bl.spamcop.net is pretty hard to trick, and of
course it's not really widely enough used that getting listed there is
all that disruptive (apparently, since listed sites keep sending spam
with no apparent degradation in their throughput).

-- 
Greg A. Woods

+1 416 218-0098;  [EMAIL PROTECTED];  [EMAIL PROTECTED];  [EMAIL PROTECTED]
Planix, Inc. [EMAIL PROTECTED]; VE3TCP; Secrets of the Weird [EMAIL PROTECTED]



Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Dan Hollis


On Sun, 19 May 2002, Mitch Halmu wrote:
  On Sun, 19 May 2002, Greg A. Woods wrote:
   Such technology is very dangerous if automated.
  And if it's not?
 Quis custodiet ipsos custodes?
 Such technology is very dangerous, period. Here they go again, trying
 to elevate some Internet master race of super heroes, bent on ruling
 over the masses. The titans of blackholing, carving out a fiefdom for
 themselves, with powers of disrupting the connectivity of any network
 they so choose. You anger some net.warlord, and your network disappears.
 What is it that turns a technocracy into idolaters?

Just to put mitch's rant into perspective for unfamiliar nanog readers:
http://work-rss.mail-abuse.org/cgi-bin/nph-rss?query=205.159.140.2

netside has been a long time lunatic opponent of RBLs

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]





Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Mitch Halmu



On Sun, 19 May 2002, Dan Hollis wrote:
 
 netside has been a long time lunatic opponent of RBLs

First they came for the Communists,
and I didn't speak up,
because I wasn't a Communist.
Then they came for the Jews,
and I didn't speak up,
because I wasn't a Jew.
Then they came for the Catholics,
and I didn't speak up,
because I was a Protestant.
Then they came for me,
and by that time there was no one
left to speak up for me.

(Rev. Martin Niemoller, 1945)

--Mitch
NetSide



Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Mike Lewinski


 On Sun, 19 May 2002, Dan Hollis wrote:

  netside has been a long time lunatic opponent of RBLs

 First they came for the Communists,
 and I didn't speak up,
 because I wasn't a Communist.
 Then they came for the Jews,
 and I didn't speak up,
 because I wasn't a Jew.
 Then they came for the Catholics,
 and I didn't speak up,
 because I was a Protestant.
 Then they came for me,
 and by that time there was no one
 left to speak up for me.

Me, I will give them a nice color map to your house.

Shiksaa was kind enough to point out a picture of you. I know that I really
shouldn't do this, but.

http://63.117.95.227/kooks/mitch.html


Mike

- opinions are definitely just mine and mine alone.




Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Tim A. Irwin



 
 From: Mitch Halmu [EMAIL PROTECTED]
 Date: 2002/05/19 Sun PM 11:32:20 EDT
 To: Dan Hollis [EMAIL PROTECTED]
 CC: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
 Subject: Re: portscans (was Re: Arbor Networks DoS defense product)
 
 
 
 On Sun, 19 May 2002, Dan Hollis wrote:
  
  netside has been a long time lunatic opponent of RBLs

Wait for it... wait for it... here it comes...
 
 First they came for the Communists,
 and I didn't speak up,
 because I wasn't a Communist.
 Then they came for the Jews,
 and I didn't speak up,
 because I wasn't a Jew.
 Then they came for the Catholics,
 and I didn't speak up,
 because I was a Protestant.
 Then they came for me,
 and by that time there was no one
 left to speak up for me.
 
 (Rev. Martin Niemoller, 1945)
 
 --Mitch
 NetSide


SCORE!!!  And the point is awarded to Dan!






Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread E.B. Dreger


TA Date: Mon, 20 May 2002 0:50:58 -0400
TA From: Tim A. Irwin


TA Wait for it... wait for it... here it comes...
TA SCORE!!!  And the point is awarded to Dan!

Close enough to call it a Godwin? ;-)


--
Eddy

Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence

~
Date: Mon, 21 May 2001 11:23:58 + (GMT)
From: A Trap [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots.
Do NOT send mail to [EMAIL PROTECTED], or you are likely to
be blocked.




Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Scott Francis

On Sun, May 19, 2002 at 10:02:26PM -0400, [EMAIL PROTECTED] said:
[snip]
   Such technology is very dangerous if automated.
  
  And if it's not?
 
 Quis custodiet ipsos custodes?
 
 Such technology is very dangerous, period. Here they go again, trying
 to elevate some Internet master race of super heroes, bent on ruling
 over the masses. The titans of blackholing, carving out a fiefdom for
 themselves, with powers of disrupting the connectivity of any network
 they so choose. You anger some net.warlord, and your network disappears.

No. You attack or spam some other network, and said network's operator can
take action as appropriate to that network. Such action may include that
network refusing to accept future traffic from the offending network until
the problem is resolved. I don't see how this rates as 'ruling over the
masses' - it becomes, as it always has been, individual network operators
deciding how best to run their networks, as they see fit. My decisions apply
to my network, and nobody else's.

Or are you saying that network operators should not be trusted to run their
networks as they see fit? Who then makes the rules?

 What is it that turns a technocracy into idolaters?

What is it that turns the decision of an individual network operator into a
rant about political ideology?

-- 
Scott Francis   darkuncle@ [home:] d a r k u n c l e . n e t
Systems/Network Manager  sfrancis@ [work:] t o n o s . c o m
GPG public key 0xCB33CCA7  illum oportet crescere me autem minui





Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Scott Francis

On Sun, May 19, 2002 at 11:32:20PM -0400, [EMAIL PROTECTED] said:
 
 
 On Sun, 19 May 2002, Dan Hollis wrote:
  
  netside has been a long time lunatic opponent of RBLs
 
 First they came for the Communists,
 and I didn't speak up,
 because I wasn't a Communist.
 Then they came for the Jews,
 and I didn't speak up,
 because I wasn't a Jew.

That's close enough to Godwin for me. Next discussion, please.

 Then they came for the Catholics,
 and I didn't speak up,
 because I was a Protestant.
 Then they came for me,
 and by that time there was no one
 left to speak up for me.
 
 (Rev. Martin Niemoller, 1945)
 
 --Mitch
 NetSide

-- 
Scott Francis   darkuncle@ [home:] d a r k u n c l e . n e t
Systems/Network Manager  sfrancis@ [work:] t o n o s . c o m
GPG public key 0xCB33CCA7  illum oportet crescere me autem minui





Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-18 Thread Scott Francis

On Sat, May 18, 2002 at 05:25:27PM -0400, [EMAIL PROTECTED] said:
 [ On Saturday, May 18, 2002 at 13:48:27 (-0700), Scott Francis wrote: ]
  Subject: Re: portscans (was Re: Arbor Networks DoS defense product)
 
   However a portscan is not an attack.
  
  Precursor to an attack, certainly.
 
 B.S.  A plain old port or IP scan is nothing more than an information
 gathering exercise.  Unless you're the one running it you almost
 certainly have no clue whatsoever why it was started.  (Unless you can
 prove somehow that the scan pattern and/or packets matches a signature
 that's proven to be _unique_ to some known attack tool.)

And why, pray tell, would some unknown and unaffiliated person be scanning my
network to gather information or run recon if they were not planning on
attacking? I'm not saying that you're not right, I'm just saying that so far
I have heard no valid non-attack reasons for portscans (other than those run
by network admins against their own networks).

-- 
Scott Francis   darkuncle@ [home:] d a r k u n c l e . n e t
Systems/Network Manager  sfrancis@ [work:] t o n o s . c o m
GPG public key 0xCB33CCA7  illum oportet crescere me autem minui





Re: Re[2]: portscans (was Re: Arbor Networks DoS defense product)

2002-05-18 Thread E.B. Dreger


AL Date: Sat, 18 May 2002 21:50:34 -0400
AL From: Allan Liska


AL [allan@ns1 phpdig]$ telnet www.istop.com 80
AL Trying 216.187.106.194...
AL Connected to dci.doncaster.on.ca (216.187.106.194).
AL Escape character is '^]'.
AL HEAD / HTTP/1.0

Or

lynx http://www.istop.com/

and press the '=' key for similar info.  Or echo the HEAD request
to a program that opens a TCP socket.  Or go to www.netcraft.com.

Of course, firewalls munching on TCP/IP can screw up IP stack
fingerprinting, causing nmap et al. to report IIS on favorite
*ix flavor when it really means IIS on ??? behind firewall
running favorite *ix flavor.

I wonder how many people enjoy recompiling their *ix httpd to
report itself as IIS?  Watch for requests matching certain IDS
strings... what was that again about mad fast honeypots? ;-)


--
Eddy

Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence

~
Date: Mon, 21 May 2001 11:23:58 + (GMT)
From: A Trap [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots.
Do NOT send mail to [EMAIL PROTECTED], or you are likely to
be blocked.




Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-18 Thread Greg A. Woods


[ On Saturday, May 18, 2002 at 16:03:11 (-0700), Scott Francis wrote: ]
 Subject: Re: portscans (was Re: Arbor Networks DoS defense product)

 And why, pray tell, would some unknown and unaffiliated person be scanning my
 network to gather information or run recon if they were not planning on
 attacking? I'm not saying that you're not right, I'm just saying that so far
 I have heard no valid non-attack reasons for portscans (other than those run
 by network admins against their own networks).

I scan networks and hosts very regularly for legitimate diagnostic
purposes as well as occasionally for curiosity's sake.  I've never
attacked any host or network that I was not directly responsible for.
If you don't want the public portions of your network mapped then you
should withdraw them from public view.

BTW, please be one heck of a lot more careful with your replies.  My
original reply to you was not copied to the list and I did not give you
permission to post a response quoting my words back to the list.

-- 
Greg A. Woods

+1 416 218-0098;  [EMAIL PROTECTED];  [EMAIL PROTECTED];  [EMAIL PROTECTED]
Planix, Inc. [EMAIL PROTECTED]; VE3TCP; Secrets of the Weird [EMAIL PROTECTED]



Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-18 Thread Scott Francis

On Sat, May 18, 2002 at 07:17:43PM -0400, [EMAIL PROTECTED] said:
[snip]
  network to gather information or run recon if they were not planning on
  attacking? I'm not saying that you're not right, I'm just saying that so far
  I have heard no valid non-attack reasons for portscans (other than those run
  by network admins against their own networks).
 
 I often like to know if a particular web server is running Unix or
 Winblows.  A port scanner is a useful tool in making that determination.

a full-blown portscan is not required here. A simple telnet to port 80 will
do the job.

 <sarcasm>
 And why, pray tell, would some stranger be carrying a concealed gun if
 they were not planning on shooting someone?
 </sarcasm>

Show me how to defend myself from attack by portscanning the networks of
random strangers, and I will concede the point. :)

-- 
Scott Francis   darkuncle@ [home:] d a r k u n c l e . n e t
Systems/Network Manager  sfrancis@ [work:] t o n o s . c o m
GPG public key 0xCB33CCA7  illum oportet crescere me autem minui





Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-18 Thread Scott Francis

On Sat, May 18, 2002 at 09:43:16PM -0400, [EMAIL PROTECTED] said:
[snip]
  network to gather information or run recon if they were not planning on
  attacking? I'm not saying that you're not right, I'm just saying that so far
  I have heard no valid non-attack reasons for portscans (other than those run
  by network admins against their own networks).
 
 Before choosing an online bank, I portscanned the networks of the
 banks I was considering.  It was the only way I could find to get a
 rough assessment of their network security, which was important to me
 as a customer for obvious reasons.

In that case, I would not consider the scan to have come from an
'unaffiliated' person. I'm sure if the bank's network operator noticed it,
and contacted you, things would have been cleared up with no harm done. To
make it a bit more clear: cases where the scanner can demonstrate a good and
benign reason for scanning (they do occasionally exist[1]), no blackhole is
required. Sending an email notification prior to putting in a blackhole is a
good first step to eliminate potential false positives.

[1] Random strangers unaffiliated with your network will almost never have a
valid & benign reason for portscanning you.

 I'm not sure if I would have been impressed or annoyed if they had
 stopped accepting packets from my machine during the scan.  :-)

Loss of a customer, probably. :)

-- 
Scott Francis   darkuncle@ [home:] d a r k u n c l e . n e t
Systems/Network Manager  sfrancis@ [work:] t o n o s . c o m
GPG public key 0xCB33CCA7  illum oportet crescere me autem minui





Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-18 Thread Scott Francis

On Sat, May 18, 2002 at 11:05:34PM -0400, [EMAIL PROTECTED] said:
 [ On Saturday, May 18, 2002 at 16:03:11 (-0700), Scott Francis wrote: ]
  Subject: Re: portscans (was Re: Arbor Networks DoS defense product)
 
  And why, pray tell, would some unknown and unaffiliated person be scanning
  my network to gather information or run recon if they were not planning on
  attacking? I'm not saying that you're not right, I'm just saying that so far
  I have heard no valid non-attack reasons for portscans (other than those run
  by network admins against their own networks).
 
 I scan networks and hosts very regularly for legitimate diagnostic
 purposes as well as occasionally for curiosity's sake.  I've never

Legitimate diagnostic purposes would mean that you would not fall into the
category of unknown and unaffiliated. Curiosity's sake, well ... depends on
whose network it is.

 attacked any host or network that I was not directly responsible for.
 If you don't want the public portions of your network mapped then you
 should withdraw them from public view.

Agreed there. Defense is important. It might be good to note that I'm not
giving a blanket condemnation of all portscans at all times; but as a GENERAL
RULE, portscans from strangers, especially methodical ones that map out a
network, are a precursor to some more unsavory activity.

 BTW, please be one heck of a lot more careful with your replies.  My
 original reply to you was not copied to the list and I did not give you
 permission to post a response quoting my words back to the list.

Apologies; my finger was a bit too quick on the 'g'. As this message came to
the list, I will assume it is safe to cc the list on my reply. Sorry about
that last.

-- 
Scott Francis   darkuncle@ [home:] d a r k u n c l e . n e t
Systems/Network Manager  sfrancis@ [work:] t o n o s . c o m
GPG public key 0xCB33CCA7  illum oportet crescere me autem minui





Re: portscans (was Re: Arbor Networks DoS defense product)

2002-05-18 Thread Greg A. Woods


[ On Saturday, May 18, 2002 at 20:15:10 (-0700), Scott Francis wrote: ]
 Subject: Re: portscans (was Re: Arbor Networks DoS defense product)

 Apologies; my finger was a bit too quick on the 'g'. As this message came to
 the list, I will assume it is safe to cc the list on my reply. Sorry about
 that last.

Apology accepted, but I strongly recommend you learn to use some more
reliable mail reader software -- something that doesn't accidentally
invent reply addresses!  There was no hint that my message to you was in
any way associated with the NANOG list -- it was delivered directly to
you and CC'd only to the person you were responding to.  Some outside
influence had to have associated it with having been a reply to a list
posting and connected your desire to reply with inclusion of the list
submission address.  According to your reply's headers you're using
Mutt-1.3.25i, and according to the Mutt manual 'g' is the group-reply
command.  I don't find any hint in the description of that command to
indicate that it will magically associate a given message with a list,
especially one that was not received from the list.  Even the
'list-reply' command should not be able to associate a private reply
with the list address.  If Mutt really does magically associate private
replies with list addresses by some mysterious mechanism then it's even
more broken than I suspected.

-- 
Greg A. Woods

+1 416 218-0098;  [EMAIL PROTECTED];  [EMAIL PROTECTED];  [EMAIL PROTECTED]
Planix, Inc. [EMAIL PROTECTED]; VE3TCP; Secrets of the Weird [EMAIL PROTECTED]



Re: Arbor Networks DoS defense product

2002-05-17 Thread Dan Hollis


On Thu, 16 May 2002, Dragos Ruiu wrote:
 But that said.  Blackholing as a response for portscanning
 is stupid.
 If you are a small communications end-point it's dumb.
 Just run portsentry for a while with auto-firewall rules
 if you need convincing.
 If you are a communications service provider providing
 packet transit for others (even employees), it's hostile.

What if you are portscanned repeatedly by a network and that network 
refuses to shut down their scanners even after being asked many times
(eg, rogue Chinese and Korean networks)

I think that you should leave network policy up to the service provider to 
decide.

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]




Re: Arbor Networks DoS defense product

2002-05-17 Thread Valdis . Kletnieks

On Thu, 16 May 2002 14:44:58 PDT, Dan Hollis said:
 On Thu, 16 May 2002, Dragos Ruiu wrote:
  I can't help it if your host does funny things when I send them funny 
  packets :-)
 
 Why are you sending funny packets?

Unfortunately, things like TCP ECN and ICMP 'Frag Needed' are often considered
funny packets.

http://www.ietf.org/internet-drafts/draft-floyd-tcp-reset-04.txt
-- 
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech






Re: Arbor Networks DoS defense product

2002-05-17 Thread Scott Francis

On Thu, May 16, 2002 at 02:44:58PM -0700, Dan Hollis DH said, in response
to a message on Thu, 16 May 2002 by Dragos Ruiu DR:

DR Some people get all hyper and complain.  Which is silly imho.
DR If you don't like it, stop your network from responding to it.

DH Thats exactly what we plan to do with BGP blackholes and landmines.

DR Don't bitch and whine if your equipment is silly and leaks info. It's 
DR not the world's problem to compensate for _your_ inferior network 
DR architecture or shoddily designed network hardware.

DH Then you shouldnt be whining about a BGP blackhole system.

DR Portscanning by no means proves intent. Or should provoke hostile
DR reaction.

WRONG. Time to retake Logic 101 and Ethics 101. What other intent than malice
(or, at best, unhealthy interest in somebody else's network) could
portscanning someone else's network show? If you don't own it, and aren't
involved in an official capacity, chances are high that you should Just Stay
Off. This includes portscans. To do otherwise shows you are probing for
points of attack/entry - I don't see how you can argue otherwise. If I am
missing the obvious altruistic motive for portscanning, please enlighten me.

A portscan is a sign that somebody is probing your defenses, trying to find
out where they might get in. Why should this NOT get a hostile (or at least
defensive) reaction? Looking for any legitimate reason here.

DH Blackholing isnt hostile its defensive.

DR But then again I'm of the radical opinion that if your host is compromised
DR it is your fault for not taking appropriate precautions on inbound
DR filters or gateways.

Obviously, the person that actually did the typing to crack a machine is not
responsible for his/her keystrokes. The person that scanned the network to
find weaknesses is surely not culpable for gathering and using such
information. Just like if a bank has 100-year-old security and leave the
vault door open, the person that walks in and picks up a bag of money is not
responsible for stealing - it's the bank's fault for not providing adequate
security.

Yes, network operators have a responsibility to their shareholders, if nobody
else, to secure their networks. But that IN NO WAY takes the responsibility
for illegal action off the shoulders of the person that committed it.

DH The blackholing is the response to networks which cant be bothered to 
DH clean up their compromised hosts. Youre ranting against the wrong target 
DH im afraid. Please go back and read the thread from the beginning.

DR I can't help it if your host does funny things when I send them funny 
DR packets :-)

DH Why are you sending funny packets?

Exactly. If you want to send funny packets, send them to your OWN network, or
get a job as a security consultant and do this kind of thing for money. Don't
try to rationalize illegal behaviour by shifting blame to somebody else.

(Note: again, not saying portscanning is illegal. Other activity (break-ins,
etc.) has been discussed in this message.)

-- 
Scott Francis   darkuncle [home:] d a r k u n c l e . n e t
Systems/Network Manager  sfrancis [work:] t o n o s . c o m
GPG public key 0xCB33CCA7  illum oportet crescere me autem minui





Re: Arbor Networks DoS defense product

2002-05-17 Thread Scott Francis

On Fri, May 17, 2002 at 12:50:40AM -0700, [EMAIL PROTECTED] said:
 
 On Thu, 16 May 2002, Dragos Ruiu wrote:
  But that said.  Blackholing as a response for portscanning
  is stupid.
  If you are a small communications end-point it's dumb.
  Just run portsentry for a while with auto-firewall rules
  if you need convincing.
  If you are a communications service provider providing
  packet transit for others (even employees), it's hostile.

So it's stupid. Or hostile. Certainly no more stupid (or hostile) than
sending out millions of spams, or being the source of thousands of
portscans/intrusion attempts, and refusing to take responsibility.

Bottom line: network policy is the responsibility of the network operator. If
he/she does something that causes bad repercussions (financially), he/she
will probably be job hunting. Otherwise, if it's not your network, you really
don't have much of a say about how it's run, do you?

(If it were otherwise, large sections of APNIC would have been cleaned up
long ago by those on the receiving end of portscans and spam.)

-- 
Scott Francis   darkuncle@ [home:] d a r k u n c l e . n e t
Systems/Network Manager  sfrancis@ [work:] t o n o s . c o m
GPG public key 0xCB33CCA7  illum oportet crescere me autem minui





Re: Arbor Networks DoS defense product

2002-05-17 Thread Scott Francis

On Fri, May 17, 2002 at 01:00:52AM -0700, Dan Hollis DH said, in response
to a message on Thu, 16 May 2002 by Dragos Ruiu DR:

DR But how do you plan to arbitrate disputes about what merits blackholing 
DR and not on behalf of others? And what guidelines do you use to decide 
DR on how to initiate black holing?  (not critical here, just curious?)

there are no disputes. It's like using the RBL - what I decide to do with my
network is my business. If somebody else doesn't like it, they can do
business elsewhere. Everybody wants to do as they please on the Big Wide Net,
but they also want to be able to tell everybody else how to play. Can't have
it both ways.

DH Thats the beauty here, one can provide multiple databases (eg rogue 
DH networks which refuse to shutdown their portscanners, proven spamhausen in 
DH bed with spammers, proven active attackers, etc.) and service providers 
DH can opt in as they like, and apply whatever policy to those routes that 
DH they like.

The simple addition of a default action in the land mine/blackhole BGP idea
would take away most of the protests, I think: after X scans, mail the WHOIS
contact for the network in question saying "You have scanned us. Please clean
up your network, or risk being blackholed." If no response is received, and
scans continue, blackhole. Simple as that, and puts responsibility back on
the shoulders of the offending network.

DH  Why are you sending funny packets?

DR Any number of reasons... like I have a compromised host
DR and I'm watching what it does before shutting it down...

There's no point to what you have just said. When you find a machine has been
rooted, unplug it from the network and commence forensic analysis. Knowingly
allowing it to attack other networks is foolhardy at best.

DH So you have a compromised host attacking sites, you know about it, and 
DH you're allowing it to continue. Whoops it just defaced a federal 
DH government site, and now it has your ip address all over it...

DH I don't think i'd want to open myself to that kind of liability...

DH When we catch compromised hosts, we cut their balls off instantly.

DR Or maybe the packets don't look funny to me :-).
DR Or perhaps the packets were so funny I thought I'd share. ;-)
DR Humor is often in the eye of the beholder :-).

DH Military networks arent well known for their sense of humor, and neither 
DH are federal interest sites...

Neither are network operators whose networks are constantly under attack.
This kind of thing loses its novelty the first time one of your machines is
rooted and has to be wiped and rebuilt.

Whether or not it's amusing to you is immaterial. If the person being scanned
does not find it so, scans should cease, period.

-- 
Scott Francis   darkuncle [home:] d a r k u n c l e . n e t
Systems/Network Manager  sfrancis [work:] t o n o s . c o m
GPG public key 0xCB33CCA7  illum oportet crescere me autem minui





Re: Arbor Networks DoS defense product

2002-05-17 Thread Dan Hollis


On Fri, 17 May 2002 [EMAIL PROTECTED] wrote:
 On Thu, 16 May 2002 14:44:58 PDT, Dan Hollis said:
  On Thu, 16 May 2002, Dragos Ruiu wrote:
   I can't help it if your host does funny things when I send them funny 
   packets :-)
  Why are you sending funny packets?
 Unfortunately, things like TCP ECN and ICMP 'Frag Needed' are often considered
 funny packets.
 http://www.ietf.org/internet-drafts/draft-floyd-tcp-reset-04.txt

I know ECN etc have been used to evade firewalls but afaik have not been 
known in and of themselves to compromise or crash hosts or make them do 
any funny things besides dropping the packets outright.

If you have information to the contrary please let me know.

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]




Re: Arbor Networks DoS defense product

2002-05-17 Thread Johannes Ullrich


  Unfortunately, things like TCP ECN and ICMP 'Frag Needed' are often considered
  funny packets.

 I know ECN etc have been used to evade firewalls but afaik have not been 
 known in and of themselves to compromise or crash hosts or make them do 
 any funny things besides dropping the packets outright.
 
 If you have information to the contrary please let me know.

The ECN bits have been used in the past to do OS finger printing.
Not a big issue IMHO, but some people don't like it.


-- 

[EMAIL PROTECTED] Collaborative Intrusion Detection   
join http://www.dshield.org
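Valdis's point above (ECN setup gets treated as "funny packets" by many firewalls) and Johannes's note that the ECN bits have also been used for OS fingerprinting are two sides of one filtering decision: a detector should tell RFC 3168 ECN negotiation apart from flag combinations that no conforming stack ever emits, instead of dropping or alerting on every unfamiliar bit. The following is an added Python example, not code from any poster in this thread or from any product discussed in it. It parses only the fixed 20-byte TCP header (no IP layer), and the segments it classifies are built inline by a constructed helper. ICMP "Frag Needed", Valdis's other example, is a separate path-MTU matter and is not covered here.

```python
"""Classify TCP flag combinations so that ECN setup is not mistaken for a probe.

Added example for this thread; not code from any poster or product. RFC 3168
ECN setup (SYN+ECE+CWR, answered by SYN+ACK+ECE) is reported as legitimate;
combinations no conforming stack sends (SYN with FIN/RST, no flags at all,
non-SYN segments carrying neither ACK nor RST) are reported as invalid.
"""
import struct
from typing import Dict

# Flag bits of byte 13 of the TCP header.
CWR, ECE, URG, ACK, PSH, RST, SYN, FIN = 0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01
ECN_BITS = CWR | ECE


def parse_tcp_header(buf: bytes) -> Dict[str, int]:
    """Unpack the fixed part of a TCP header; raises ValueError on malformed input."""
    if len(buf) < 20:
        raise ValueError("truncated header")
    sport, dport, seq, ack, off_res, flags, win, _csum, _urg = struct.unpack(
        "!HHIIBBHHH", buf[:20])
    data_offset = off_res >> 4            # header length in 32-bit words
    if data_offset < 5:
        raise ValueError("data offset below minimum")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "data_offset": data_offset, "window": win}


def classify_flags(flags: int) -> str:
    """Label a flag byte; ECN bits are evaluated separately from control bits."""
    core = flags & ~ECN_BITS              # connection-control bits only
    ecn = flags & ECN_BITS
    if core == 0:
        return "invalid: no control flags set"
    if core & SYN and core & (FIN | RST):
        return "invalid: SYN together with FIN or RST"
    if core == SYN:
        if ecn == ECN_BITS:
            return "ecn-setup SYN (legitimate)"
        if ecn:
            return "SYN with a single ECN bit (nonstandard)"
        return "plain SYN"
    if core == SYN | ACK:
        if ecn == 0:
            return "SYN-ACK"
        if ecn == ECE:
            return "ecn-setup SYN-ACK (legitimate)"
        return "SYN-ACK with nonstandard ECN bits"
    if not core & (ACK | RST):
        return "invalid: non-SYN segment without ACK or RST"
    # ECE/CWR on segments of an established connection is ordinary ECN signalling.
    return "normal"


def classify_segment(buf: bytes) -> str:
    """Parse and classify one raw TCP header; malformed input is itself a finding."""
    try:
        hdr = parse_tcp_header(buf)
    except ValueError as exc:
        return f"invalid: {exc}"
    return classify_flags(hdr["flags"])


def build_segment(flags: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Constructed minimal TCP header (no options, checksum left zero) for demonstration."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)


if __name__ == "__main__":
    for name, f in [("ecn syn", SYN | ECE | CWR), ("syn+fin", SYN | FIN), ("null", 0)]:
        print(f"{name:10s} -> {classify_segment(build_segment(f))}")
```

The design point is the `core`/`ecn` split: a rule that matches on the whole flag byte will list the ECN-setup SYN next to genuinely contradictory combinations, which is exactly the over-blocking the draft Valdis cites describes.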



Re: Arbor Networks DoS defense product

2002-05-16 Thread Kevin Oberman


 Date: Wed, 15 May 2002 20:04:42 -0700 (PDT)
 From: Dan Hollis [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]
 
 
 On Wed, 15 May 2002, PJ wrote:
  If it's a crime, someone should have no problem citing the code.  If
  it's not a crime, than I am guilty of nothing and should have nothing
  to fear.
 
 Do let us know how your portscans of US military networks goes...
 
  There are always going to be people who are going to probe and poke
 
 Are you one of them?

IANAL, but I do know that last year a federal court in the First US
District (Washington D.C. and surrounding area, as I recall) ruled
that scanning was NOT illegal. It is a court of record and, until
reversed by a higher court, stands as a precedent in that district (but
not others). As far as I know, there has been no higher court ruling.

That said, I guess if you are scanning a system in that district, you
have no problems. But you may have problems if the system(s) scanned
are elsewhere, though there is no specific law on the subject. The
action reviewed by the court was under federal anti-hacking laws which
might be construed as covering port scanning. The court held that they
did not.

R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: [EMAIL PROTECTED]  Phone: +1 510 486-8634



Re: Arbor Networks DoS defense product

2002-05-16 Thread Scott Francis

On Wed, May 15, 2002 at 06:19:00PM -0700, [EMAIL PROTECTED] said:
[snip]
 On Wed, 15 May 2002, Johannes B. Ullrich wrote:
[[EMAIL PROTECTED]]
Even more, I would hate to see the advocation of a hostile reaction to 
what, so far, is not considered a crime.
  
  I agree. Scanning is no crime. But blocking isn't a crime either.
 
 Agreed.  But this blocking still will do no good.  My previous
 questions still stand.  What about timing?  What about breaking up
 segements of the network to be  scanned by different hosts?  How many
 hits on the linemines constitute blocking?  Are you blocking hosts or
 networks?  Either way, what about dynamic ips?  What about scans done
 from different networks other than that which the supposed attacker is
 originating from.  Universities, unsecured wireless lans, etc.

So because we can't implement a perfect solution, let's do nothing at all
about the problem?

 PJ

-- 
Scott Francis   darkuncle@ [home:] d a r k u n c l e . n e t
Systems/Network Manager  sfrancis@ [work:] t o n o s . c o m
GPG public key 0xCB33CCA7  illum oportet crescere me autem minui





Re: Arbor Networks DoS defense product

2002-05-16 Thread Scott Francis

On Thu, May 16, 2002 at 09:35:51AM -0700, [EMAIL PROTECTED] said:
[snip]
  http://online.securityfocus.com/news/126
 
 There is a difference between what's legally acceptable and what's ethical or
 even prudent.

One thing that I may not have made clear: I am not saying port scanning is
necessarily unethical or foolish at all times, or that it has no place in the
network operator's toolkit. It obviously does. However, scans tend to be a
very reliable precursor to malicious activity. Perhaps a graduated landmine
response that first mails the technical contact for the netblock in question
after a certain threshold has been crossed, and then a blackhole after the next
threshold is crossed (assuming no response from the contact attempt).

-- 
Scott Francis   darkuncle@ [home:] d a r k u n c l e . n e t
Systems/Network Manager  sfrancis@ [work:] t o n o s . c o m
GPG public key 0xCB33CCA7  illum oportet crescere me autem minui





Re: Arbor Networks DoS defense product

2002-05-16 Thread Dan Hollis


On Thu, 16 May 2002, Scott Francis wrote:
 So because we can't implement a perfect solution, let's do nothing at all
 about the problem?

That does sound like the general opposition to landmines, yes.

It is notable that the SMTP RBLs were often attacked with exactly the same 
argument.

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]




Re: Arbor Networks DoS defense product

2002-05-16 Thread Dan Hollis


On Thu, 16 May 2002, Dragos Ruiu wrote:
 Some people are get all hyper and complain.  Which is silly imho.
 If you don't like it, stop your network from responding to it.

That's exactly what we plan to do with BGP blackholes and landmines.

 Don't bitch and whine if your equipment is silly and leaks info. It's 
 not the world's problem to compensate for _your_ inferior network 
 architecture or shoddily designed network hardware.

Then you shouldn't be whining about a BGP blackhole system.

 Portscanning by no means proves intent. Or should provoke hostile reaction.

Blackholing isn't hostile, it's defensive.

 But then again I'm of the radical opinion that if your host is compromised
 it is your fault for not taking appropriate precautions on inbound filters or 
 gateways.

The blackholing is the response to networks which can't be bothered to
clean up their compromised hosts. You're ranting against the wrong target
I'm afraid. Please go back and read the thread from the beginning.

 I can't help it if your host does funny things when I send them funny 
 packets :-)

Why are you sending funny packets?

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]




RE: Arbor Networks DoS defense product

2002-05-15 Thread Cheung, Rick

 Is it common practice to place your own equipment at the ISP? My thought is that if we are able to have our own routers at the ISP, we'd be in a better position to mitigate the effects of a DDOS. As long as the stream of traffic does not adversely affect our routers from performing properly at the ISP, we can then mitigate the effects through access-lists, QOS, etc. That is if the attack is not too distributed, where the source IPs with the highest amount of syn traffic for example can be easily identified. 



Rick Cheung
NPI IT Wan Team, CCNP



-Original Message-
From: Pete Kruckenberg [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 15, 2002 2:15 AM
To: [EMAIL PROTECTED]
Subject: Re: Arbor Networks DoS defense product




On Wed, 15 May 2002, Rubens Kuhl Jr. wrote:


 If and when
 (a) customers don't get exemption for attack traffic
 (b) the DoS traffic occurs more than 5% (or 1 - your percentile level) of
 the month per customer circuit
 (c) the DoS increases bytes transferred like large ICMP packet flood; this
 is not the case for all DoS traffic, which can be a bunch of small packets
 that actually decreases traffic


These might apply to noticeable DoS attacks that occur as
specific events. But how much (D)DoS traffic goes unnoticed
by the average customer because it's too tough to detect or
defend against? The 10% I've measured on my network is
primarily reflected DDoS (reflected off my customers, to
off-net targets), which is not trivial to detect or defend
against.


Pete.





Re: Arbor Networks DoS defense product

2002-05-15 Thread Streiner, Justin


On Tue, 14 May 2002, Pete Kruckenberg wrote:

 Have any large networks gathered statistics on how much
 traffic DDoS/DoS/DRDoS attacks consume on an average day?

 The attacks I have been able to detect represent around
 10-15% of my traffic on an on-going basis.

 I'm curious about the business case for investing in DoS
 defense mechanisms. DoS traffic is boosting service provider
 revenues through increased customer bandwidth usage.

I disagree.  If many of your customers have flat-rate as opposed to
burstable connectivity, such as a full point-to-point T1 or a dedicated 10
meg switch port to host a colo box, the revenue you derive from those
customers doesn't change regardless of how much/how little traffic your
network carries for them.  If your customers have burstable connectivity,
their bill only goes up if you have mechanisms in place to do those
calculations - I'll hazard a guess that many providers don't.

I would argue that in many cases a service provider loses revenue due to
DoS traffic - network performance/availability can be impacted as your
network absorbs a DoS attack and your NOC/network engineers/security
people have to spend cycles analyzing (calling vendors, upstreams, etc)
and dampening the attack.  Both of these impact windows have costs
associated with them.

I haven't done any formal ROI calculations on Arbor or any of the other DoS
defense products out there.  However, from my viewpoint, I'd be willing to
bet that if/once my NOC/network engineers/security people are properly
trained on how to handle a DoS attack, anything that allows me to shrink
those impact windows, e.g. reduce my costs related to dealing with an
attack, is a good thing.

 So the investment in defense mechanisms like Arbor would have to
 replace or increase that revenue. Will these issues inhibit
 wide-spread implementation of DoS defenses?

That depends on how those products are priced, how well they're marketed,
and of course, how effective they are in helping to stop DoS attacks.

jms




Re: Arbor Networks DoS defense product

2002-05-15 Thread Dan Hollis


On Wed, 15 May 2002, Rob Thomas wrote:
 FYI, the miscreants also _avoid_ certain netblocks in which,
 they believe, honeypots and other things reside.

What leads them to believe this?

It could be very useful as deterrence to know their criteria.

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]




Re: Arbor Networks DoS defense product

2002-05-15 Thread Dan Hollis


On Wed, 15 May 2002, Rob Thomas wrote:
 ] It could be very useful as deterrence to know their criteria.
 For the low fee of a cool t-shirt or a bit of gear for my lab I'd be
 happy to spread rumours about the mad fast honeypot residing within
 your prefixes.  :)

disinformation as a means to raise the level of uncertainty for the 
attacker, it's classic military tactic. what other military tactics can 
be used to make life more dangerous for attackers?

i've been tossing around an idea for a land mine network. randomly 
distributed honeypots around the internet. when X landmines are hit from 
the same source, that source gets entered into a BGP blackhole feed which 
anyone can subscribe to. put landmines in popularly targeted networks, 
maybe even make them randomly move about. there are all sorts of wonderful 
tactics that could be put to use.

scanning would quickly become self defeating as attackers would only 
manage to cut themselves off from the net.

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]
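The landmine scheme Dan sketches above (score a source by how many sensors in unrelated networks it hits, then feed a blackhole list), combined with the graduated response Scott Francis proposed earlier in the thread (mail the netblock contact at a first threshold, blackhole at a second) and Dan's later rule that only completed TCP handshakes count, as an added Python illustration. This is constructed example code, not DShield's feed, Arbor's product or anything posted in the thread; the sensor-network labels, the thresholds of 3 and 6, the 24-hour ageing window and the sample addresses are all assumptions.

```python
"""Landmine sensor-net aggregator with a graduated response.

Constructed illustration of the scheme discussed in the thread; not
DShield's or any product's code. Assumptions: each sensor is labelled with
the network hosting it, a hit is scored only if the TCP handshake completed,
and hits age out after WINDOW_SECONDS so dynamic addresses are released.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Thresholds and window are assumed values, not from the thread.
NOTIFY_THRESHOLD = 3        # distinct sensor networks hit -> mail the contact
BLACKHOLE_THRESHOLD = 6     # distinct sensor networks hit -> blackhole feed
WINDOW_SECONDS = 24 * 3600  # hits older than this no longer count

LEVEL_RANK = {"none": 0, "notify": 1, "blackhole": 2}


@dataclass(frozen=True)
class Hit:
    ts: int          # unix time the sensor saw the connection
    src: str         # source address as seen by the sensor
    sensor_net: str  # hypothetical label for the network hosting the sensor
    handshake: bool  # True only if the TCP three-way handshake completed


@dataclass
class SourceState:
    nets: Dict[str, int] = field(default_factory=dict)  # sensor_net -> last hit ts
    level: str = "none"


class Landmines:
    """Aggregates sensor hits per source and drives a graduated response."""

    def __init__(self, notify: int = NOTIFY_THRESHOLD,
                 blackhole: int = BLACKHOLE_THRESHOLD,
                 window: int = WINDOW_SECONDS) -> None:
        self.notify = notify
        self.blackhole = blackhole
        self.window = window
        self.state: Dict[str, SourceState] = defaultdict(SourceState)
        self.actions: List[Tuple[int, str, str]] = []  # (ts, src, action)

    def _level_for(self, distinct_nets: int) -> str:
        if distinct_nets >= self.blackhole:
            return "blackhole"
        if distinct_nets >= self.notify:
            return "notify"
        return "none"

    def _update(self, src: str, now: int) -> Optional[str]:
        """Age out stale hits, recompute the level, log any transition."""
        st = self.state[src]
        for net in [n for n, t in st.nets.items() if now - t > self.window]:
            del st.nets[net]
        new_level = self._level_for(len(st.nets))
        if new_level == st.level:
            return None
        # Escalations are named after the level reached; any step down
        # (a dynamic address whose hits have aged out) is a "release".
        action = new_level if LEVEL_RANK[new_level] > LEVEL_RANK[st.level] else "release"
        st.level = new_level
        self.actions.append((now, src, action))
        return action

    def ingest(self, hit: Hit) -> Optional[str]:
        """Score one sensor hit; returns the action it triggered, if any."""
        if not hit.handshake:
            # A SYN with a forged source never completes the handshake, so it
            # is not scored: a spoofed scan cannot get a third party listed.
            return None
        self.state[hit.src].nets[hit.sensor_net] = hit.ts
        return self._update(hit.src, hit.ts)

    def blackhole_list(self, now: int) -> List[str]:
        """Sources at blackhole level right now, after ageing out old hits."""
        for src in list(self.state):
            self._update(src, now)
        return sorted(s for s, st in self.state.items() if st.level == "blackhole")


def demo() -> Tuple[List[Tuple[int, str, str]], List[str]]:
    """Replay a constructed hit log (sample data, not real traffic)."""
    lm = Landmines()
    t0 = 1_021_500_000
    hits: List[Hit] = []
    # A scanner that completes connections to sensors in seven networks.
    hits += [Hit(t0 + i * 60, "203.0.113.7", f"net-{i}", True) for i in range(7)]
    # A spoofed SYN sweep claiming an address we must not blackhole.
    hits += [Hit(t0 + i * 60, "198.51.100.1", f"net-{i}", False) for i in range(7)]
    # Repeated hits on a single sensor network: noisy, but never escalated.
    hits += [Hit(t0 + i * 60, "192.0.2.9", "net-0", True) for i in range(10)]
    for h in hits:
        lm.ingest(h)
    return lm.actions, lm.blackhole_list(t0 + 3600)


if __name__ == "__main__":
    actions, listed = demo()
    for ts, src, action in actions:
        print(ts, src, action)
    print("blackhole:", listed)
```

Scoring distinct sensor networks rather than raw hit counts is what answers Clayton's point about one host sweeping many unaffiliated blocks, and refusing SYN-only hits is the whole defence against the spoofing objection. Two of PJ's objections stand as written: per-source scoring cannot link a scan that is split across several hosts, and the ageing window is only a compromise for dynamic addresses, not a solution.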




Re: Arbor Networks DoS defense product

2002-05-15 Thread Rob Thomas


Hi, Dan.

] scanning would quickly become self defeating as attackers would only
] manage to cut themselves off from the net.

To some degree, yes.  Most of the miscreants are clueful enough not to
scan from their home machines.  The end result is a lot of hacked hosts
are black holed.  On one hand you could say serves 'em right for being
hacked!  On the other hand, you could wonder why it is that the
non-geek broadband users must be system, network, and firewall
administrators.

Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com/~robt
ASSERT(coffee != empty);





Re: Arbor Networks DoS defense product

2002-05-15 Thread Dan Hollis


On Wed, 15 May 2002, Rob Thomas wrote:
 ] scanning would quickly become self defeating as attackers would only
 ] manage to cut themselves off from the net.
 To some degree, yes.  Most of the miscreants are clueful enough not to
 scan from their home machines.

I disagree. They have to start somewhere. Most miscreants first attack 
offshore hosts, then use those to attack domestic victims.

 The end result is a lot of hacked hosts are black holed.

And this is a bad thing?

 On one hand you could say serves 'em right for being hacked!  On the 
 other hand, you could wonder why it is that the non-geek broadband users 
 must be system, network, and firewall administrators.

They don't. This is purely a response to rogue networks/blackhats and 
apathetic/irresponsible/toothless NOCs.

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]




Re: Arbor Networks DoS defense product

2002-05-15 Thread Dan Hollis


On 15 May 2002, Johannes B. Ullrich wrote:
 See http://www.dshield.org/block.txt ;-). We are about 24hrs away from
 getting a BGP test feed up.

Error
  
   Sorry, the page could not be found.

   Click HERE to return to the DShield.org homepage. 

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]




Re: Arbor Networks DoS defense product

2002-05-15 Thread Johannes B. Ullrich


sorry. getting confused by my own tricky url schemes:

http://feeds.dshield.org/block.txt


On Wed, 2002-05-15 at 17:13, Dan Hollis wrote:
 
 On 15 May 2002, Johannes B. Ullrich wrote:
  See http://www.dshield.org/block.txt ;-). We are about 24hrs away from
  getting a BGP test feed up.
 
 Error
   
Sorry, the page could not be found.
 
Click HERE to return to the DShield.org homepage. 
 
 -Dan
 -- 
 [-] Omae no subete no kichi wa ore no mono da. [-]
 
 





Re: Arbor Networks DoS defense product

2002-05-15 Thread Dan Hollis


On Wed, 15 May 2002, Chris Parker wrote:
 That's fine until the first person spoofs a scan from 'www.cisco.com'
 or 'a.root-servers.net' and *poof* it's now automagically unreachable.

Only tcp connections with full handshake would be counted.

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]




Re: Arbor Networks DoS defense product

2002-05-15 Thread Dan Hollis


On Wed, 15 May 2002, Lyndon Nerenberg wrote:
 I usually avoid blackhole subscription lists like this. They let
 the attacker take out your legitimate peers by spoofing the source.

If they can take out your legitimate peers by spoofing end to end TCP 
connections, then you have got some really enormous problems that need to 
be addressed.

I don't think spoofing will be a problem for the landmines. Most attacks 
(99%?) are tcp.

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]




Re: Arbor Networks DoS defense product

2002-05-15 Thread Dan Hollis


On Wed, 15 May 2002, PJ wrote:
 On Wed, 15 May 2002, Dan Hollis wrote:
  We are not landmining for DOSing.
  We are landmining to make it very dangerous for attackers to scan networks 
  and probe hosts.
 Are you now operating under the premise that scans != anything but the
 prelude to an attack?  Sorry if I missed it earlier in the thread, but
 I would hate to think any legitimate scanning of a network or host
 would result in a false positive.  Even more, I would hate to see the
 advocation of a hostile reaction to what, so far, is not considered a
 crime.

It would take more than a single landmine hit to get blackholed. Like, duh.

Enough hits on a wide sensor net prove bad intentions, as proven by dshield. 

I'm surprised at the extremely shallow level of arguments so far against
landmines.

Well, I guess I shouldn't be surprised -- this *IS* nanog, after all... :P

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]




Re: Arbor Networks DoS defense product

2002-05-15 Thread Clayton Fiske


On Wed, May 15, 2002 at 05:22:39PM -0700, PJ wrote:
 Are you now operating under the premise that scans != anything but the
 prelude to an attack?  Sorry if I missed it earlier in the thread, but
 I would hate to think any legitimate scanning of a network or host
 would result in a false positive.  Even more, I would hate to see the
 advocation of a hostile reaction to what, so far, is not considered a
 crime.

So you can think of a perfectly legitimate reason to scan someone else's
netblocks on specific TCP ports?

-c




(fwd) Re: Arbor Networks DoS defense product

2002-05-15 Thread PJ


Forgot to include nanog

- Forwarded message from PJ [EMAIL PROTECTED] -

 Date: Wed, 15 May 2002 17:50:01 -0700
 From: PJ [EMAIL PROTECTED]
 Subject: Re: Arbor Networks DoS defense product
 To: Clayton Fiske [EMAIL PROTECTED]
 Message-ID: [EMAIL PROTECTED]
 Reply-To: PJ [EMAIL PROTECTED]
 User-Agent: Mutt/1.3.25i
 
 On Wed, 15 May 2002, Clayton Fiske wrote:
 
  
  On Wed, May 15, 2002 at 05:22:39PM -0700, PJ wrote:
   Are you now operating under the premise that scans != anything but the
   prelude to an attack?  Sorry if I missed it earlier in the thread, but
   I would hate to think any legitimate scanning of a network or host
   would result in a false positive.  Even more, I would hate to see the
   advocation of a hostile reaction to what, so far, is not considered a
   crime.
  
  So you can think of a perfectly legitimate reason to scan someone else's
  netblocks on specific TCP ports?
  
  -c
  
  
 
 Has no one ever tested firewall rules from external networks?  The
 fact remains that a scan != an attack.
 
 PJ
 
 -- 
 The worst thing one can do is not to try, to be aware of what one
 wants and not give in to it, to spend years in silent hurt wondering
 if something could have materialized -- and never knowing.
   -- David Viscott 



Re: Arbor Networks DoS defense product

2002-05-15 Thread PJ


On Wed, 15 May 2002, Johannes B. Ullrich wrote:

 
   Even more, I would hate to see the advocation of a hostile reaction to 
   what, so far, is not considered a crime.
 
 I agree. Scanning is no crime. But blocking isn't a crime either.
 
 

Agreed.  But this blocking still will do no good.  My previous
questions still stand.  What about timing?  What about breaking up
segments of the network to be scanned by different hosts?  How many
hits on the linemines constitute blocking?  Are you blocking hosts or
networks?  Either way, what about dynamic ips?  What about scans done
from different networks other than that which the supposed attacker is
originating from.  Universities, unsecured wireless lans, etc.

PJ

-- 
Art is a lie which makes us realize the truth.
-- Picasso




Re: Arbor Networks DoS defense product

2002-05-15 Thread PJ


On Wed, 15 May 2002, Clayton Fiske wrote:

 On Wed, May 15, 2002 at 06:04:40PM -0700, PJ wrote:
  Sorry for not including nanog in the reply.  What about MAPS?  They
  routinely scan netblocks without consent.  Does this tool
  differentiate between local and non-local scanning?  Scanning is
 
 The tool in question may not even exist yet. There is no preset
 definition of how it has to work. Perhaps it can be evolved enough
 to where it only triggers when an exploit is attempted, rather
 than just on a TCP connection.

Granted.  However, if it's not yet in existence, these are good
questions to be asked now instead of later, no?  I would feel much
better about it if it was triggered by an exploit, instead of a
connection.

  still not a crime and it will still do nothing to deter anyone with
  hostile intentions.  This is just a bandaid to avoid taking proper
  security precautions.
 
 I can take all the proper security precautions and it doesn't stop
 third party network A from being exploited and later used to attack
 me. The point of this is that it will help identify a specific host
 which is scanning many blocks belonging to many different networks.
 If they hit several landmines in my network, I might be concerned.
 If they hit landmines in my network and 6 others to which I have no
 affiliation, the net as a whole might want to know about it.

Granted.  However, the suggestion to place said host/network into some
sort of BGP black hole has its problems.  The community as a whole
already has an idea of which networks have a greater percentage of
attacks originating from them; an alert is fine, a pre-emptive strike in
the absence of an actual attack is not.

 I don't think anyone said this was intended to take the place of
 security on their own networks. But I don't see how that aspect
 makes this a bad tool on its own either way.

Yes, that was perhaps an implication made on my part.  However, there
are still concerns with the idea that have yet to be addressed.

PJ

-- 
Art is a lie which makes us realize the truth.
-- Picasso




Re: Arbor Networks DoS defense product

2002-05-15 Thread Dan Hollis


On Wed, 15 May 2002, PJ wrote:
 If it's a crime, someone should have no problem citing the code.  If
 it's not a crime, then I am guilty of nothing and should have nothing
 to fear.

Do let us know how your portscans of US military networks goes...

 There are always going to be people who are going to probe and poke

Are you one of them?

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]




Arbor Networks DoS defense product

2002-05-14 Thread Sean Donelan



Telus has gone first, and announced it is using Arbor's
products across its backbone network.
http://www.eweek.com/article/0,3658,s=720a=26867,00.asp

People have been trying the products for a while.  Does
Arbor Networks really have an answer to DoS, or does it
still need a little longer in the oven?





Re: Arbor Networks DoS defense product

2002-05-14 Thread Pete Kruckenberg


On Wed, 15 May 2002, Sean Donelan wrote:

 Telus has gone first, and announced it is using Arbor's
 products across its backbone network.
 http://www.eweek.com/article/0,3658,s=720a=26867,00.asp
 
 People have been trying the products for a while.  Does
 Arbor Networks really have an answer to DoS, or does it
 still need a little longer in the oven?

Have any large networks gathered statistics on how much
traffic DDoS/DoS/DRDoS attacks consume on an average day?

The attacks I have been able to detect represent around
10-15% of my traffic on an on-going basis.

I'm curious about the business case for investing in DoS
defense mechanisms. DoS traffic is boosting service provider
revenues through increased customer bandwidth usage. So the
investment in defense mechanisms like Arbor would have to
replace or increase that revenue. Will these issues inhibit
wide-spread implementation of DoS defenses?

Pete.





Re: Arbor Networks DoS defense product

2002-05-14 Thread Rubens Kuhl Jr.


| The attacks I have been able to detect represent around
| 10-15% of my traffic on an on-going basis.
|
| I'm curious about the business case for investing in DoS
| defense mechanisms. DoS traffic is boosting service provider
| revenues through increased customer bandwidth usage. So the

If and when
(a) customers don't get exemption for attack traffic
(b) the DoS traffic occurs more than 5% (or 1 - your percentile level) of
the month per customer circuit
(c) the DoS increases bytes transferred like large ICMP packet flood; this
is not the case for all DoS traffic, which can be a bunch of small packets
that actually decreases traffic


| investment in defense mechanisms like Arbor would have to
| replace or increase that revenue. Will these issues inhibit
| wide-spread implementation of DoS defenses?

I think a network that profits from client suffering doesn't keep its
contracts for much time.



Rubens Kuhl Jr.