On Wed, 15 May 2002, Dan Hollis wrote:

> On Wed, 15 May 2002, PJ wrote:
>
> We are not landmining for DOSing. We are landmining to make it very
> dangerous for attackers to scan networks and probe hosts.

Are you now operating under the premise that scans != anything but the prelude to an attack? Sorry if I missed it earlier in the thread, but I would hate to think any legitimate scanning of a network or host would result in a false positive. Even more, I would hate to see the advocation of a hostile reaction to what, so far, is not considered a crime.

> It would take more than a single landmine hit to get blackholed. Like, duh.

Forgive me for daring to ask a question. How many imply bad intent in general practice? 4? 5? 10? Any time limitations? I am sure they are, but I am just curious. Would the paranoid timing setting in nmap trigger it?

> Enough hits on a wide sensor net prove bad intentions, as proven by dshield.

"Prove?" What exactly is enough hits? Is it dependent on the size of the network? Again, what about the timing factor? All that will happen is anyone with hostile intent will start breaking up networks into smaller chunks to be scanned from different hosts. I don't see it solving the so-called problem of scanning.

> I'm surprised at the extremely shallow level of arguments so far against
> landmines.

I am surprised at the extremely shallow level of thinking that seeks to shift the burden of security maintenance off of the shoulders of those who should be responsible. Would you block just a host or a network? What about dynamic ips? It doesn't take much bandwidth to probe. Blackhole enough of the net and you effectively serve the purpose of DOSing yourself.

PJ

--
A diplomat is a man who always remembers a woman's birthday but never her age.
-- Robert Frost