trelane@trelane.net (Andrew D Kirch) writes:
There are however legitimate reasons for a portscan, responding to incoming abuse and attack being one of them, automatically searching for openrealys used to send you spam is another. Curtailing scanning shouldn't be a priority here, nailing packet kids, spammers etc should be. Sadly both of these groups don't seem to be going to jail in droves.
here's the way it works out. if a network is paying attention to complaints then it will shut down wormridden customer hosts based on some combination of complaints and observations, and there will be fewer legitimate port scans which if the network notices them they'll assume they're legitimate. if however a network is not paying attention to complaints then it will very likely become alarmed by their IDS when legitimate port scans come through, and then they'll (surprise!) call and complain about it. funny assymetry. anyway, when they call, and they learn that it was a legit port scan, then they can learn of the need to shut down wormridden customer hosts. so no matter what, it's good to listen to complaints, and good to complain. -- Paul Vixie