[ On Sunday, May 19, 2002 at 17:45:36 (-0400), Benjamin P. Grubin wrote: ]
Subject: RE: Re[8]: "portscans" (was Re: Arbor Networks DoS defense product)
> If you separate the pointless argument about the hostility of portscans and the viability of a distributed landmine system, this may turn out to be a useful discussion in the end. I mean--we all know portscans are hardly the ideal trigger anyhow. On top of the potential ambiguity of their intention, they are also difficult to reliably detect.
> The distributed landmine tied to subscription blackhole ala RBL may very well have significant positive attributes that are being drowned out due to the portscan debate. Obviously the vast majority in the spam world think RBL and/or ORBS have merit, despite the vocal complaints. Why not discuss viable alternative trigger methods instead of whining about portscans?
Well, there is still the issue of discovering the intent of a scan, regardless of how many landmines have to be triggered before a blackhole listing is put in place. Such technology is very dangerous if automated. Anyone with sufficient intelligence to find enough of the landmine systems could probably also figure out how to trigger them in such a way as to DoS any random host or network at will (assuming enough networks to matter used the listing service in real time). Unless there's also a sure-fire automated way of quickly revoking such a black list entry, as well as a free white-listing service, the consequences are far too dire to earn my support.
On the other hand SMTP open relay blackholes are easy to prove and usually easy enough to fix and get de-listed from. Even the Spamcop realtime DNS list "bl.spamcop.net" is pretty hard to trick, and of course it's not really widely enough used that getting listed there is all that disruptive (apparently, since listed sites keep sending spam with no apparent degradation in their throughput).
--
Greg A. Woods
+1 416 218-0098; <gwoods@acm.org>; <g.a.woods@ieee.org>; <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>