Re: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-21 Thread Nathan J. Mehl
In the immortal words of Mitch Halmu ([EMAIL PROTECTED]): > > (Rev. Martin Niemoller, 1945) Congratulations, Mitch, you have done what many of us would have considered impossible: you have surpassed your own previous high-water mark for tasteless, self-involved bullshit. (Which, for the short-

Re: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-20 Thread Stephen Griffin
In the referenced message, Mitch Halmu said: > > On Sun, 19 May 2002, Dan Hollis wrote: > > > netside has been a long time lunatic opponent of RBLs > > First they came for the Communists, > and I didn't speak up, > because I wasn't a Communist. > Then they came for the Jews, > and I didn't sp

Re: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-20 Thread Greg A. Woods
[ On Sunday, May 19, 2002 at 16:30:48 (-0700), Dan Hollis wrote: ] > Subject: Re: "portscans" (was Re: Arbor Networks DoS defense product) > > On Sun, 19 May 2002, Greg A. Woods wrote: > > Such technology is very dangerous if automated. > > And if it's not? If it

Re: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-20 Thread Crist J. Clark
Dan Hollis <[EMAIL PROTECTED]> wrote: > On Sat, 18 May 2002, Scott Francis wrote: > > On Sat, May 18, 2002 at 11:05:34PM -0400, [EMAIL PROTECTED] said: > > > attacked any host or network that I was not directly responsible for. > > > If you don't want the public portions of your network mapped th

Re: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Scott Francis
On Sun, May 19, 2002 at 10:03:08AM -0400, [EMAIL PROTECTED] said: > > > > rough assessment of their network security, which was important to me > > > as a customer for obvious reasons. > > > > In that case, I would not consider the scan to have come from an > > 'unaffiliated' person. I'm sure if

Re: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Scott Francis
On Sun, May 19, 2002 at 11:32:20PM -0400, [EMAIL PROTECTED] said: > > > On Sun, 19 May 2002, Dan Hollis wrote: > > > netside has been a long time lunatic opponent of RBLs > > First they came for the Communists, > and I didn't speak up, > because I wasn't a Communist. > Then they came for the

Re: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Scott Francis
On Sun, May 19, 2002 at 10:02:26PM -0400, [EMAIL PROTECTED] said: [snip] > > > Such technology is very dangerous if automated. > > > > And if it's not? > > Quis custodiet ipsos custodes? > > Such technology is very dangerous, period. Here they go again, trying > to elevate some Internet masterr

Re: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread E.B. Dreger
TA> Date: Mon, 20 May 2002 0:50:58 -0400 TA> From: Tim A.Irwin TA> Wait for it... wait for it... here it comes... TA> SCORE!!! And the point is awarded to Dan! Close enough to call it a Godwin? ;-) -- Eddy Brotsman & Dreger, Inc. - EverQuick Internet Division Phone: +1 (316) 794-8922 Wichi

Re: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Tim A . Irwin
> > From: Mitch Halmu <[EMAIL PROTECTED]> > Date: 2002/05/19 Sun PM 11:32:20 EDT > To: Dan Hollis <[EMAIL PROTECTED]> > CC: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]> > Subject: Re: "portscans" (was Re: Arbor Networks DoS

Re: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Mike Lewinski
> On Sun, 19 May 2002, Dan Hollis wrote: > > > netside has been a long time lunatic opponent of RBLs > > First they came for the Communists, > and I didn't speak up, > because I wasn't a Communist. > Then they came for the Jews, > and I didn't speak up, > because I wasn't a Jew. > Then they came

Re: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Mitch Halmu
On Sun, 19 May 2002, Dan Hollis wrote: > netside has been a long time lunatic opponent of RBLs First they came for the Communists, and I didn't speak up, because I wasn't a Communist. Then they came for the Jews, and I didn't speak up, because I wasn't a Jew. Then they came for the Catholics,

Re: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Dan Hollis
On Sun, 19 May 2002, Mitch Halmu wrote: > > On Sun, 19 May 2002, Greg A. Woods wrote: > > > Such technology is very dangerous if automated. > > And if it's not? > Quis custodiet ipsos custodes? > Such technology is very dangerous, period. Here they go again, trying > to elevate some Internet mast

Re: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Mitch Halmu
On Sun, 19 May 2002, Dan Hollis wrote: > On Sun, 19 May 2002, Greg A. Woods wrote: > > Such technology is very dangerous if automated. > > And if it's not? Quis custodiet ipsos custodes? Such technology is very dangerous, period. Here they go again, trying to elevate some Internet masterrace

Re: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Dan Hollis
On Sun, 19 May 2002, Greg A. Woods wrote: > Such technology is very dangerous if automated. And if it's not? -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]

Re: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Greg A. Woods
[ On Sunday, May 19, 2002 at 17:45:36 (-0400), Benjamin P. Grubin wrote: ] > Subject: RE: Re[8]: "portscans" (was Re: Arbor Networks DoS defense product) > > If you separate the pointless argument about the hostility of portscans > and the viability of a distributed lan

RE: Re[8]: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Benjamin P. Grubin
nday, May 19, 2002 4:48 PM > To: North America Network Operators Group Mailing List > Subject: Re: Re[8]: "portscans" (was Re: Arbor Networks DoS > defense product) > > > > [ On Sunday, May 19, 2002 at 14:14:18 (-0400), Allan Liska wrote: ] > > Subjec

Re: Re[8]: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Greg A. Woods
[ On Sunday, May 19, 2002 at 14:14:18 (-0400), Allan Liska wrote: ] > Subject: Re[8]: "portscans" (was Re: Arbor Networks DoS defense product) > > However, if the same > network is continuously portscanning your network that network should > be stopped. Unless you

Re: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Ralph Doncaster
That's a netblock, not an IP address. Your script kiddie at home with a cable modem or ADSL connection is not going to have his IP SWIP'd or populated in his ISP's rwhois server. Try that with 206.47.27.12 for instance. That is a Sympatico ADSL customer here in Ottawa. Ralph Doncaster principa

Re: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread william
We maintain the most comprehensive whois recursive engine tool at completewhois.com So you could also try this and get more info :) [support@sokol support]$ whois -h completewhois.com 207.99.113.65 [completewhois.com] [whois.arin.net] Net Access Corporation (NETBLK-NAC-NETBLK01) 1719b Route 10

Re: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Alex Rubenstein
helium:~$ whois -a 207.99.113.65 Net Access Corporation (NETBLK-NAC-NETBLK01) 1719b Route 10E, Suite 111 Parsippany, NJ 07054 US Netname: NAC-NETBLK01 Netblock: 207.99.0.0 - 207.99.127.255 Maintainer: NAC Coordinator: Net Access Corporation (ZN77-ARIN) [EMAIL PROTE

RE: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread James
> > > Before choosing an online bank, I portscanned the networks of the > > > banks I was considering. It was the only way I could > find to get a > > > rough assessment of their network security, which was > important to > > > me as a customer for obvious reasons. > > [snip] > > I'm not

Re: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Scott Gifford
"Stephen J. Wilcox" <[EMAIL PROTECTED]> writes: > On 18 May 2002, Scott Gifford wrote: > > > > > Scott Francis <[EMAIL PROTECTED]> writes: > > > > [...] > > > > > And why, pray tell, would some unknown and unaffiliated person > > > be scanning my network to gather information or run recon if

Re[8]: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Allan Liska
Hello Ralph, Sunday, May 19, 2002, 12:13:35 PM, you wrote: >> RD> I think that's pretty stupid. If I had my network admin investigate every >> RD> portscan, my staff costs would go up 10x and I'd quickly go bankrupt. >> RD> Instead we keep our servers very secure, and spend the time and effort

Re: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Greg A. Woods
[ On Sunday, May 19, 2002 at 11:22:08 (-0400), Ralph Doncaster wrote: ] > Subject: Re: Re[4]: "portscans" (was Re: Arbor Networks DoS defense product) > > I think that's pretty stupid. If I had my network admin investigate every > portscan, my staff costs would g

Re: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Greg A. Woods
[ On Sunday, May 19, 2002 at 03:16:28 (-0700), Dan Hollis wrote: ] > Subject: Re: "portscans" (was Re: Arbor Networks DoS defense product) > > On 18 May 2002, Scott Gifford wrote: > > Before choosing an online bank, I portscanned the networks of the > > banks I wa

Re: Re[2]: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Ralph Doncaster
> > > Works for me, works from any system that has a browser. At any given time > I'm *far* more likely to have a browser running than port scanning > software, so this solution is also IMHO faster. Until today netc

Re: Re[6]: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Ralph Doncaster
> RD> I think that's pretty stupid. If I had my network admin investigate every > RD> portscan, my staff costs would go up 10x and I'd quickly go bankrupt. > RD> Instead we keep our servers very secure, and spend the time and effort > RD> only when there is evidence of a break in. > > I didn't

Re[6]: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Allan Liska
Hello Ralph, Sunday, May 19, 2002, 11:22:08 AM, you wrote: >> If they don't give a satisfactory bank somewhere else (or offer your >> services ;)). Certainly that is a better approach than scanning to >> see what you can find out. The organization receiving the scan has >> no way of knowing

Re: Re[2]: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread JC Dill
On 07:50 AM 5/19/02, Ralph Doncaster wrote: > >> RD> I often like to know if a particular web server is running Unix or >> RD> Winblows. A port scanner is a useful tool in making that determination. >> >> [allan@ns1 phpdig]$ telnet www.istop.com 80 >> Trying 216.187.106.194... >> Connect

Re: Re[4]: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Ralph Doncaster
> If they don't give a satisfactory bank somewhere else (or offer your > services ;)). Certainly that is a better approach than scanning to > see what you can find out. The organization receiving the scan has > no way of knowing what your intentions are -- and should interpret > them as hostile

Re[4]: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Allan Liska
Hello Ralph, Sunday, May 19, 2002, 10:50:23 AM, you wrote: >> RD> I often like to know if a particular web server is running Unix or >> RD> Winblows. A port scanner is a useful tool in making that determination. >> >> [allan@ns1 phpdig]$ telnet www.istop.com 80 >> Trying 216.187.106.194... >>

Re: Re[2]: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread up
On Sun, 19 May 2002, Ralph Doncaster wrote: > > > RD> I often like to know if a particular web server is running Unix or > > RD> Winblows. A port scanner is a useful tool in making that determination. > > > > [allan@ns1 phpdig]$ telnet www.istop.com 80 > > Trying 216.187.106.194... > > Connec

Re: Re[2]: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Ralph Doncaster
> RD> I often like to know if a particular web server is running Unix or > RD> Winblows. A port scanner is a useful tool in making that determination. > > [allan@ns1 phpdig]$ telnet www.istop.com 80 > Trying 216.187.106.194... > Connected to dci.doncaster.on.ca (216.187.106.194). > Escape chara

Re: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Ralph Doncaster
> > rough assessment of their network security, which was important to me > > as a customer for obvious reasons. > > In that case, I would not consider the scan to have come from an > 'unaffiliated' person. I'm sure if the bank's network operator noticed it, > and contacted you, things would hav

Re: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Ralph Doncaster
> > I often like to know if a particular web server is running Unix or > > Winblows. A port scanner is a useful tool in making that determination. > > a full-blown portscan is not required here. A simple telnet to port 80 will > do the job. A simple telnet to port 80 will sometimes do the job,

Re: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Dan Hollis
On 18 May 2002, Scott Gifford wrote: > Before choosing an online bank, I portscanned the networks of the > banks I was considering. It was the only way I could find to get a > rough assessment of their network security, which was important to me > as a customer for obvious reasons. So for your

Re: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Stephen J. Wilcox
On 18 May 2002, Scott Gifford wrote: > > Scott Francis <[EMAIL PROTECTED]> writes: > > [...] > > > And why, pray tell, would some unknown and unaffiliated person be scanning my > > network to gather information or run recon if they were not planning on > > attacking? I'm not saying that you'r

Re: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Scott Francis
On Sun, May 19, 2002 at 12:12:01AM -0700, [EMAIL PROTECTED] said: [snip] > And what the critics keep missing is that it will take several landmine > hits across the internet to invoke a blackhole. Just scanning a few > individual hosts or /24s won't do it. > > There are three aims of the landmi

Re: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-19 Thread Scott Francis
On Sat, May 18, 2002 at 11:46:21PM -0400, [EMAIL PROTECTED] said: > [ On Saturday, May 18, 2002 at 20:15:10 (-0700), Scott Francis wrote: ] > > Subject: Re: "portscans" (was Re: Arbor Networks DoS defense product) > > > > Apologies; my finger was a bit too quick o

Re: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-18 Thread Dan Hollis
On Sat, 18 May 2002, Scott Francis wrote: > On Sat, May 18, 2002 at 11:05:34PM -0400, [EMAIL PROTECTED] said: > > attacked any host or network that I was not directly responsible for. > > If you don't want the public portions of your network mapped then you > > should withdraw them from public vi

Re: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-18 Thread Johnny Eriksson
Ralph Doncaster <[EMAIL PROTECTED]> writes: > I often like to know if a particular web server is running Unix or > Winblows. A port scanner is a useful tool in making that determination. > > > And why, pray tell, would some stranger be carrying a concealed gun if > they were not planning on s

Re: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-18 Thread Greg A. Woods
[ On Saturday, May 18, 2002 at 20:15:10 (-0700), Scott Francis wrote: ] > Subject: Re: "portscans" (was Re: Arbor Networks DoS defense product) > > Apologies; my finger was a bit too quick on the 'g'. As this message came to > the list, I will assume it is safe t

Re: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-18 Thread Scott Francis
On Sat, May 18, 2002 at 11:05:34PM -0400, [EMAIL PROTECTED] said: > [ On Saturday, May 18, 2002 at 16:03:11 (-0700), Scott Francis wrote: ] > > Subject: Re: "portscans" (was Re: Arbor Networks DoS defense product) > > > > And why, pray tell, would some unknown and

Re: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-18 Thread Scott Francis
On Sat, May 18, 2002 at 09:43:16PM -0400, [EMAIL PROTECTED] said: [snip] > > network to gather information or run recon if they were not planning on > > attacking? I'm not saying that you're not right, I'm just saying that so far > > I have heard no valid non-attack reasons for portscans (other th

Re: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-18 Thread Scott Francis
On Sat, May 18, 2002 at 07:17:43PM -0400, [EMAIL PROTECTED] said: [snip] > > network to gather information or run recon if they were not planning on > > attacking? I'm not saying that you're not right, I'm just saying that so far > > I have heard no valid non-attack reasons for portscans (other th

Re: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-18 Thread Greg A. Woods
[ On Saturday, May 18, 2002 at 16:03:11 (-0700), Scott Francis wrote: ] > Subject: Re: "portscans" (was Re: Arbor Networks DoS defense product) > > And why, pray tell, would some unknown and unaffiliated person be scanning my > network to gather information or run recon if

Re: Re[2]: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-18 Thread E.B. Dreger
AL> Date: Sat, 18 May 2002 21:50:34 -0400 AL> From: Allan Liska AL> [allan@ns1 phpdig]$ telnet www.istop.com 80 AL> Trying 216.187.106.194... AL> Connected to dci.doncaster.on.ca (216.187.106.194). AL> Escape character is '^]'. AL> HEAD / HTTP/1.0 Or lynx http://www.istop.com/ and pr

Re[2]: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-18 Thread Allan Liska
Hello, Saturday, May 18, 2002, 7:17:43 PM, you wrote: RD> On Sat, 18 May 2002, Scott Francis wrote: >> And why, pray tell, would some unknown and unaffiliated person be scanning my >> network to gather information or run recon if they were not planning on >> attacking? I'm not saying that you'

Re: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-18 Thread Scott Gifford
Scott Francis <[EMAIL PROTECTED]> writes: [...] > And why, pray tell, would some unknown and unaffiliated person be scanning my > network to gather information or run recon if they were not planning on > attacking? I'm not saying that you're not right, I'm just saying that so far > I have heard

Re: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-18 Thread Ralph Doncaster
On Sat, 18 May 2002, Scott Francis wrote: > And why, pray tell, would some unknown and unaffiliated person be scanning my > network to gather information or run recon if they were not planning on > attacking? I'm not saying that you're not right, I'm just saying that so far > I have heard no val

Re: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-18 Thread Scott Francis
On Sat, May 18, 2002 at 05:25:27PM -0400, [EMAIL PROTECTED] said: > [ On Saturday, May 18, 2002 at 13:48:27 (-0700), Scott Francis wrote: ] > > Subject: Re: "portscans" (was Re: Arbor Networks DoS defense product) > > > > > However a "portscan" is no

Re: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-18 Thread Henry Yen
On Sat, May 18, 2002 at 01:48:27AM -0700, Scott Francis wrote: [ snip ] > On Sat, May 18, 2002 at 04:10:53AM +, [EMAIL PROTECTED] said: [ more snip ] > > By all means if you are under attack, filter and protect yourself. > > > > However a "portscan" is not an attack. > > Precursor to an

Re: "portscans" (was Re: Arbor Networks DoS defense product)

2002-05-18 Thread Scott Francis
On Sat, May 18, 2002 at 04:10:53AM +, [EMAIL PROTECTED] said: [snipage throughout] > > up your network, or risk being blackholed." If no response is received, and > > scans continue, blackhole. Simple as that, and puts responsibility back on > > the shoulders of the offending network. > > Oh

Re: Arbor Networks DoS defense product

2002-05-17 Thread Johannes Ullrich
> > Unfortunately, things like TCP ECN and ICMP 'Frag Needed' are often considered > > "funny packets". > I know ECN etc have been used to evade firewalls but afaik have not been > known in and of themselves to compromise or crash hosts or make them do > any "funny things" besides dropping the

Re: Arbor Networks DoS defense product

2002-05-17 Thread Dan Hollis
On Fri, 17 May 2002 [EMAIL PROTECTED] wrote: > On Thu, 16 May 2002 14:44:58 PDT, Dan Hollis said: > > On Thu, 16 May 2002, Dragos Ruiu wrote: > > > I can't help it if your host does funny things when I send them funny > > > packets :-) > > Why are you sending funny packets? > Unfortunately,

Re: Arbor Networks DoS defense product

2002-05-17 Thread Scott Francis
On Fri, May 17, 2002 at 01:00:52AM -0700, Dan Hollis said, in response to a message on Thu, 16 May 2002 by Dragos Ruiu : But how do you plan to arbitrate disputes about what merits blackholing and not on behalf of others? And what guidelines do you use to decide on how to initiate black hol

Re: Arbor Networks DoS defense product

2002-05-17 Thread Scott Francis
On Fri, May 17, 2002 at 12:50:40AM -0700, [EMAIL PROTECTED] said: > > On Thu, 16 May 2002, Dragos Ruiu wrote: > > But that said. Blackholing as a response for portscanning > > is stupid. > > If you are a small communications end-point it's dumb. > > Just run portsentry for a while with auto-fire

Re: Arbor Networks DoS defense product

2002-05-17 Thread Scott Francis
On Thu, May 16, 2002 at 02:44:58PM -0700, Dan Hollis said, in response to a message on Thu, 16 May 2002 by Dragos Ruiu : Some people get all hyper and complain. Which is silly imho. If you don't like it, stop your network from responding to it. That's exactly what we plan to do with BGP

Re: Arbor Networks DoS defense product

2002-05-17 Thread Valdis . Kletnieks
On Thu, 16 May 2002 14:44:58 PDT, Dan Hollis said: > On Thu, 16 May 2002, Dragos Ruiu wrote: > > I can't help it if your host does funny things when I send them funny > > packets :-) > > Why are you sending funny packets? Unfortunately, things like TCP ECN and ICMP 'Frag Needed' are often c

Re: Arbor Networks DoS defense product

2002-05-17 Thread Dan Hollis
On Thu, 16 May 2002, Dragos Ruiu wrote: > But how do you plan to arbitrate disputes about what merits blackholing > and not on behalf of others? And what guidelines do you use to decide > on how to initiate black holing? (not critical here, just curious?) That's the beauty here, one can provid

Re: Arbor Networks DoS defense product

2002-05-17 Thread Dan Hollis
On Thu, 16 May 2002, Dragos Ruiu wrote: > But that said. Blackholing as a response for portscanning > is stupid. > If you are a small communications end-point it's dumb. > Just run portsentry for a while with auto-firewall rules > if you need convincing. > If you are a communications service pro

Re: Arbor Networks DoS defense product

2002-05-16 Thread mval
- Original Message - From: "Dan Hollis" <[EMAIL PROTECTED]> > On Wed, 15 May 2002, PJ wrote: > > If it's a crime, someone should have no problem citing the code. If > > it's not a crime, then I am guilty of nothing and should have nothing > > to fear. > > Do let us know how your portsca

Re: Arbor Networks DoS defense product

2002-05-16 Thread Dan Hollis
On Thu, 16 May 2002, Dragos Ruiu wrote: > Some people get all hyper and complain. Which is silly imho. > If you don't like it, stop your network from responding to it. That's exactly what we plan to do with BGP blackholes and landmines. > Don't bitch and whine if your equipment is silly and

Re: Arbor Networks DoS defense product

2002-05-16 Thread Dan Hollis
On Thu, 16 May 2002, Scott Francis wrote: > So because we can't implement a perfect solution, let's do nothing at all > about the problem? That does sound like the general opposition to landmines, yes. It is notable that the SMTP RBLs were often attacked with exactly the same argument. -Dan -

Re: Arbor Networks DoS defense product

2002-05-16 Thread Scott Francis
On Thu, May 16, 2002 at 09:35:51AM -0700, [EMAIL PROTECTED] said: [snip] > > http://online.securityfocus.com/news/126 > > There is a difference between what's legally acceptable and what's ethical or > even prudent. One thing that I may not have made clear: I am not saying port scanning is neces

Re: Arbor Networks DoS defense product

2002-05-16 Thread Scott Francis
On Wed, May 15, 2002 at 06:14:37PM -0700, [EMAIL PROTECTED] said: [snip] > > On Wed, May 15, 2002 at 05:22:39PM -0700, PJ wrote: > > > Even more, I would hate to see the advocation of a hostile reaction to > > > what, so far, is not considered a crime. > > > > Feel free to go portscan some US mi

Re: Arbor Networks DoS defense product

2002-05-16 Thread Scott Francis
On Wed, May 15, 2002 at 06:19:00PM -0700, [EMAIL PROTECTED] said: [snip] > On Wed, 15 May 2002, Johannes B. Ullrich wrote: [[EMAIL PROTECTED]] > > > > Even more, I would hate to see the advocation of a hostile reaction to > > > > what, so far, is not considered a crime. > > > > I agree. Scanning

Re: Arbor Networks DoS defense product

2002-05-16 Thread Kevin Oberman
> Date: Wed, 15 May 2002 20:04:42 -0700 (PDT) > From: Dan Hollis <[EMAIL PROTECTED]> > Sender: [EMAIL PROTECTED] > > > On Wed, 15 May 2002, PJ wrote: > > If it's a crime, someone should have no problem citing the code. If > > it's not a crime, then I am guilty of nothing and should have nothin

Re: Arbor Networks DoS defense product

2002-05-15 Thread Dan Hollis
On 15 May 2002, Johannes B. Ullrich wrote: > > What about scans done > > from different networks other than that which the supposed attacker is > > originating from. > Well, then these networks are marked as "attackers", which is ok. They > can clean up their systems and enjoy full access again.

Re: Arbor Networks DoS defense product

2002-05-15 Thread Rafi Sadowsky
Hi Rob ## On 2002-05-15 16:01 -0500 Rob Thomas typed: RT> On the other hand, you could wonder why it is that the RT> non-geek broadband users must be system, network, and firewall RT> administrators. You might prefer to wonder when home users will start using an OS that doesn't have securi

Re: Arbor Networks DoS defense product

2002-05-15 Thread Johannes B. Ullrich
> What about timing? What about breaking up > segments of the network to be scanned by different hosts? It's really a matter of getting a sizable 'line mine net' up. With dshield, I hope to ultimately have a couple in each AS, probably with some local aggregation. The trick is that you use

Re: Arbor Networks DoS defense product

2002-05-15 Thread Dan Hollis
On Wed, 15 May 2002, PJ wrote: > If it's a crime, someone should have no problem citing the code. If > it's not a crime, then I am guilty of nothing and should have nothing > to fear. Do let us know how your portscans of US military networks goes... > There are always going to be people who ar

Re: Arbor Networks DoS defense product

2002-05-15 Thread E.B. Dreger
CF> Date: Wed, 15 May 2002 18:13:07 -0700 CF> From: Clayton Fiske CF> There is no preset definition of how it has to work. Perhaps CF> it can be evolved enough to where it only triggers when an CF> exploit is attempted, rather than just on a TCP connection. Sounds sorta like the SMTP *BL debat

Re: Arbor Networks DoS defense product

2002-05-15 Thread Clayton Fiske
On Wed, May 15, 2002 at 06:25:15PM -0700, PJ wrote: > Granted. However, the suggestion to place said host/network into some > sort of BGP black hole, has its problems. The community has a whole Keep in mind that this would be a subscription service. It's not as though the route would be annou

Re: Arbor Networks DoS defense product

2002-05-15 Thread PJ
On Wed, 15 May 2002, Clayton Fiske wrote: > On Wed, May 15, 2002 at 06:04:40PM -0700, PJ wrote: > > Sorry for not including nanog in the reply. What about MAPS? They > > routinely scan netblocks without consent. Does this tool > > differentiate between local and non-local scanning? Scanning

Re: Arbor Networks DoS defense product

2002-05-15 Thread PJ
On Wed, 15 May 2002, Johannes B. Ullrich wrote: > > > > Even more, I would hate to see the advocation of a hostile reaction to > > > what, so far, is not considered a crime. > > I agree. Scanning is no crime. But blocking isn't a crime either. > > Agreed. But this blocking still will do n

Re: Arbor Networks DoS defense product

2002-05-15 Thread PJ
On Wed, 15 May 2002, Dan Hollis wrote: > > On Wed, May 15, 2002 at 05:22:39PM -0700, PJ wrote: > > Even more, I would hate to see the advocation of a hostile reaction to > > what, so far, is not considered a crime. > > Feel free to go portscan some US military and federal interest networks,

Re: Arbor Networks DoS defense product

2002-05-15 Thread Clayton Fiske
On Wed, May 15, 2002 at 06:04:40PM -0700, PJ wrote: > Sorry for not including nanog in the reply. What about MAPS? They > routinely scan netblocks without consent. Does this tool > differentiate between local and non-local scanning? Scanning is The tool in question may not even exist yet. Th

Re: Arbor Networks DoS defense product

2002-05-15 Thread Johannes B. Ullrich
> > Even more, I would hate to see the advocation of a hostile reaction to > > what, so far, is not considered a crime. I agree. Scanning is no crime. But blocking isn't a crime either.

(fwd) Re: Arbor Networks DoS defense product

2002-05-15 Thread PJ
Forgot to include nanog - Forwarded message from PJ <[EMAIL PROTECTED]> - > Date: Wed, 15 May 2002 17:50:01 -0700 > From: PJ <[EMAIL PROTECTED]> > Subject: Re: Arbor Networks DoS defense product > To: Clayton Fiske <[EMAIL PROTECTED]> > Message-ID: &

Re: Arbor Networks DoS defense product

2002-05-15 Thread Dan Hollis
On Wed, May 15, 2002 at 05:22:39PM -0700, PJ wrote: > Even more, I would hate to see the advocation of a hostile reaction to > what, so far, is not considered a crime. Feel free to go portscan some US military and federal interest networks, then. If it's not a crime, you shouldn't have any prob

Re: Arbor Networks DoS defense product

2002-05-15 Thread PJ
On Wed, 15 May 2002, Dan Hollis wrote: > On Wed, 15 May 2002, PJ wrote: > > On Wed, 15 May 2002, Dan Hollis wrote: > > > We are not landmining for DOSing. > > > We are landmining to make it very dangerous for attackers to scan networks > > > and probe hosts. > > Are you now operating under the

Re: Arbor Networks DoS defense product

2002-05-15 Thread Clayton Fiske
On Wed, May 15, 2002 at 05:22:39PM -0700, PJ wrote: > Are you now operating under the premise that scans != anything but the > prelude to an attack? Sorry if I missed it earlier in the thread, but > I would hate to think any legitimate scanning of a network or host > would result in a false posi

Re: Arbor Networks DoS defense product

2002-05-15 Thread Dug Song
On Wed, May 15, 2002 at 05:22:39PM -0700, PJ wrote: > Even more, I would hate to see the advocation of a hostile reaction > to what, so far, is not considered a crime. crime, or art? ;-) http://www.nytimes.com/2002/05/13/arts/design/13ARTS.html -d. --- http://www.monkey.org/~dugsong/

Re: Arbor Networks DoS defense product

2002-05-15 Thread Dan Hollis
On Wed, 15 May 2002, PJ wrote: > On Wed, 15 May 2002, Dan Hollis wrote: > > We are not landmining for DOSing. > > We are landmining to make it very dangerous for attackers to scan networks > > and probe hosts. > Are you now operating under the premise that scans != anything but the > prelude to

Re: Arbor Networks DoS defense product

2002-05-15 Thread PJ
On Wed, 15 May 2002, Dan Hollis wrote: > > On Wed, 15 May 2002, Rob Thomas wrote: > > ] I don't think spoofing will be a problem for the landmines. Most attacks > > ] (99%?) are tcp. > > Hmm... Not based on my research. The most common attack capabilities in > > the bots are ICMP and UDP floo

Re: Arbor Networks DoS defense product

2002-05-15 Thread Dan Hollis
On Wed, 15 May 2002, Rob Thomas wrote: > ] I don't think spoofing will be a problem for the landmines. Most attacks > ] (99%?) are tcp. > Hmm... Not based on my research. The most common attack capabilities in > the bots are ICMP and UDP flooders. After that, IGMP. Last, TCP. Most > of the D

Re: Arbor Networks DoS defense product

2002-05-15 Thread Rob Thomas
Hi, Dan. ] I don't think spoofing will be a problem for the landmines. Most attacks ] (99%?) are tcp. Hmm... Not based on my research. The most common attack capabilities in the bots are ICMP and UDP flooders. After that, IGMP. Last, TCP. Most of the DoS tools contain the same attack types

Re: Arbor Networks DoS defense product

2002-05-15 Thread Dan Hollis
On Wed, 15 May 2002, Lyndon Nerenberg wrote: > I usually avoid blackhole subscription lists like this. They let > the attacker take out your legitimate peers by spoofing the source. If they can take out your legitimate peers by spoofing end to end TCP connections, then you have got some really

Re: Arbor Networks DoS defense product

2002-05-15 Thread Dan Hollis
On Wed, 15 May 2002, Chris Parker wrote: > That's fine until the first person spoofs a scan from 'www.cisco.com' > or 'a.root-servers.net' and *poof* it's now automagically unreachable. Only tcp connections with full handshake would be counted. -Dan -- [-] Omae no subete no kichi wa ore no mon

Re: Arbor Networks DoS defense product

2002-05-15 Thread Johannes B. Ullrich
sorry. getting confused by my own tricky url schemes: http://feeds.dshield.org/block.txt On Wed, 2002-05-15 at 17:13, Dan Hollis wrote: > > On 15 May 2002, Johannes B. Ullrich wrote: > > See http://www.dshield.org/block.txt ;-). We are about 24hrs away from > > getting a BGP test feed up. >

Re: Arbor Networks DoS defense product

2002-05-15 Thread Dan Hollis
On 15 May 2002, Johannes B. Ullrich wrote: > See http://www.dshield.org/block.txt ;-). We are about 24hrs away from > getting a BGP test feed up. Error Sorry, the page could not be found. Click HERE to return to the DShield.org homepage. -Dan -- [-] Omae no s

Re: Arbor Networks DoS defense product

2002-05-15 Thread Dan Hollis
On Wed, 15 May 2002, Rob Thomas wrote: > ] scanning would quickly become self defeating as attackers would only > ] manage to cut themselves off from the net. > To some degree, yes. Most of the miscreants are clueful enough not to > scan from their home machines. I disagree. They have to start

Re: Arbor Networks DoS defense product

2002-05-15 Thread Rob Thomas
Hi, Dan. ] scanning would quickly become self defeating as attackers would only ] manage to cut themselves off from the net. To some degree, yes. Most of the miscreants are clueful enough not to scan from their home machines. The end result is a lot of hacked hosts are black holed. On one ha

Re: Arbor Networks DoS defense product

2002-05-15 Thread Dan Hollis
On Wed, 15 May 2002, Rob Thomas wrote: > ] It could be very useful as deterrence to know their criteria. > For the low fee of a cool t-shirt or a bit of gear for my lab I'd be > happy to spread rumours about the mad fast honeypot residing within > your prefixes. :) disinformation as a means to

Re: Arbor Networks DoS defense product

2002-05-15 Thread Rob Thomas
Hi, Dan. ] What leads them to believe this? Well folks aren't exactly subtle about their honeypots. Read any of the popular security lists for examples of "Hi! My honeypot was hit last night with blah and blah, here is the sniffer trace..." The underground shares and trades information as we

Re: Arbor Networks DoS defense product

2002-05-15 Thread Dan Hollis
On Wed, 15 May 2002, Rob Thomas wrote: > FYI, the miscreants also _avoid_ certain netblocks in which, > they believe, honeypots and other things reside. What leads them to believe this? It could be very useful as deterrence to know their criteria. -Dan -- [-] Omae no subete no kichi wa ore no

Re: Arbor Networks DoS defense product

2002-05-15 Thread Rob Thomas
Hi, Pete. ] With the number of always-on broadband residential and ] small-business customers, are education networks still the The broadband ranges are now quite popular with the miscreants. Several of the bots I've recovered conduct targeted scans of the broadband prefixes. While scanning t

Re: Arbor Networks DoS defense product

2002-05-15 Thread Pete Kruckenberg
On Wed, 15 May 2002, Richard A Steenbergen wrote: > It all depends on the networks involved. I'd venture to > say that most people not associated with university > networks see significantly less DoS, more like 1% of > overall traffic for service providers and probably > closer to 0% for end use

Re: Arbor Networks DoS defense product

2002-05-15 Thread Streiner, Justin
On Tue, 14 May 2002, Pete Kruckenberg wrote: > Have any large networks gathered statistics on how much > traffic DDoS/DoS/DRDoS attacks consume on an average day? > > The attacks I have been able to detect represent around > 10-15% of my traffic on an on-going basis. > > I'm curious about the bu
